Equifax breach: Sensitive info, SSNs of 44% of U.S. consumers accessed by attackers

Equifax, one of the three largest American credit agencies, has announced that it has suffered a “cybersecurity incident” affecting some 143 million U.S. consumers.

Equifax breach

What kind of information was compromised?

The attackers gained access to:

  • Names, Social Security numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers for the aforementioned 143 million U.S. individuals.
  • Credit card numbers for approximately 209,000 U.S. consumers
  • Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers
  • Limited personal information for certain UK and Canadian residents.

About the breach

“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company curtly explained.

The breach was detected on July 29 of this year, and the company called in a “leading, independent cybersecurity firm” (reportedly Madiant) to handle forensic investigation and help with incident response.

The investigation revealed that the unauthorized access occurred from mid-May through July 2017.

Equifax has set up a dedicated website to help consumers determine if their information has been impacted and to sign up for credit file monitoring and identity theft protection with TrustedID Premier, a credit monitoring service that is also operated by Equifax.

Even those consumers who haven’t been impacted can sign up. Brian Krebs went through the process, so you can check out his report to see what you can expect.

Equifax says that they “have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

Equifax breach impact

“The amount of personal identifiable information that has been compromised in this breach is substantial, to put it in perspective, the US population was around 324 million at the beginning of the year, which means that with 143 million consumers at risk, this breach affects a large portion of the United States,” noted Vishal Gupta, CEO of Seclore.

“There is no doubt that the information obtained by cybercriminals will be used in one way or another. With access to data of millions of users used for credit reporting, credit scores and more, Equifax should have taken steps to assure information was secure regardless of where it is stored or if it leaves the network or not. Until organizations responsible for safeguarding large amounts of user information shift to a data-centric security model, they remain highly-valuable targets for hackers, who will continue to come up with inventive ways to infiltrate systems.”

Eduard Goodman, Global Privacy Officer, CyberScout, says that this incident underlies one of the key issues with the U.S. consumer credit system and centralization of credit data on Americans.

“We have become overly reliant on the three credit bureaus who act as the sole data ‘brokers’ and repositories of data for creditworthiness, making an exposure like this a very dangerous event. With loss of not just SSNs but other secondary pieces of data like previous addresses, mother’s maiden name or the banking institutions with which consumers hold loans, to some degree we have exposed an entire consumer facing security ecosystem to failure since everyone from credit loan verification to online account sign ups depend on this information to help verify us all. The impact of this breach, depending upon who actually has obtained the information and how it is misused could last for a decade.”

Viewpost’s Chief Security Officer, Chris Pierson pointed out that it is noteworthy that the Equifax CEO appeared in a taped video statement to announce the breach.

“This is important from a governance and accountability perspective. But, it was less heartening that the credit monitoring sign-up process appears to be convoluted. You can check to see if you are affected, but the system does not give you a reply other than to check back in 4 days. This is a miss from an operational and reputational perspective where consumers should be able to access the free credit monitoring being offered at the point in time the notice is provided,” he pointed out.

“It is interesting to note, that another credit monitoring agency (Experian) was also breached in 2015 not for payment information, but for key data on consumers that might make its way into credit reports. Once more information on what was exfiltrated is known we will be able to discern a more accurate motive, but the hackers could be interested in key PII they can sell, additional authentication information useful in ‘identity verification’ controls, or just normal payment information,” he concluded.

Consumers whose information was accessed in the breach would do well to consider whether the should put a freeze on their credit, and they should definitely be more vigilant from now on about monitoring their credit reports and scored, and frequently checking their credit card and bank accounts.

The revelation of the breach has had an immediate impact on the company shares. According to CNBC, they fell more than 12 percent in after-hours trading yesterday.