No data breach is good, but some are more palatable than others. We would all rather hear that our florist got hacked than, say, our bank. And the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. We can now add the massive credit reporting agency Equifax to that list.
On Thursday, the company disclosed that a data breach it discovered on July 29 may have impacted as many as 143 million consumers in the United States. Equifax is one of the three main organizations in the US that calculates credit scores, so it has access to an extraordinary amount of personal and financial data for virtually every American adult. The company says that hackers accessed data between mid-May and July through a vulnerability in a web application. Attackers got their hands on names, Social Security numbers, birth dates, addresses, some driver’s license numbers, and about 209,000 credit card numbers. Another 182,000 “dispute documents,” essentially complaint submissions that include personal identifying data, were also compromised in the breach.
All told, as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers. “When this type of stuff happens, it’s like oh, crap,” says Alex McGeorge, the head of threat intelligence at the security firm Immunity. “Your Social Security number doesn’t change, so this data is going to get resold on the black market and hold its value for a while.” Assuming the data was stolen by criminals rather than a nation state, experts predict that it will circulate for years.
There are some things you can do to protect yourself. Equifax is offering a website—www.equifaxsecurity2017.com—where you can check whether you are one of the 143 million people whose data may have been compromised. (A small number of citizens in the United Kingdom and Canada may also be affected.) Currently, the website doesn’t give you a simple answer about whether or not your data may have been affected, but it seems to tell you if it wasn’t. Equifax is also offering a year of free credit monitoring and identity theft insurance that you can (and should) sign up for on that site if you're a US resident. If your information could have been compromised in the breach, you might also want to consider paying for additional years of credit monitoring after Equifax’s free year expires. Attackers may have better luck abusing the leaked data in earnest after that first year is over and many potential victims lose free monitoring.
You should also keep a close eye on your finances. “Consumers should remain calm and be cognizant of their personal credit report and activity,” says Mark Testoni, the president of SAP National Security Services. “Check for notifications to see if new credit applications have been filed on your behalf, and monitor your accounts for adverse action. If your details are circulated on the black market, the big risks are fraudulent credit applications on your behalf and bad actors trying to find ways to take advantage of your personal [data].”
Equifax hasn’t indicated who was behind the breach and says a law enforcement probe is ongoing. It's also unclear whether attackers compromised a third party that contracts with Equifax or a main Equifax web application. The “dispute document” data that was part of the breach is relatively specific and could indicate that the vulnerable web app was related to a customer submission service or a server that hosted databases including customer feedback logs.
The company maintains, though, that its core credit reporting databases were unaffected—cold comfort given the scale of the breach that did occur. “It begs the question, if 143 million people could be affected and this does not touch your core, where were you keeping this data?” McGeorge says. “Where does this data live that’s not your core?”
Equifax is an obvious target for hackers since it processes so much valuable, individualized data, but there is also some irony given the personal security and identity theft defense products the company sells. “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax chairman and CEO Richard Smith said in a statement. “We pride ourselves on being a leader in managing and protecting data.”
There will be more questions in the days ahead about how this happened, and who at Equifax knew what, when. But it's probably time for Smith to revise his marketing pitch.