Today, Equifax, which is in the business of supplying credit information on consumers from many countries, disclosed a cyber breach that took place from mid-May through July 2017. Their assessment reports that the names, social security numbers, dates of birth, and addresses of virtually all adult Americans (143 million of them) have been accessed by cyber criminals. In some cases, driver's license numbers and credit card numbers were also obtained.
Can it get any worse than this? Maybe, but hardly. The last breach of this kind was the Office of Personnel Management breach, which leaked the private information of 21 million Americans working for the US government. This kind of information represents the crown jewels of a consumer-based economy such as the United States. Gaining access to it means you can open bank accounts, obtain credit lines, file fraudulent tax returns and claim refunds, and so on, all in someone else's name, without ever suffering the consequences of delinquent repayments.
In the process, the credit histories of some victims will be ruined. They won't be able to get loans to purchase homes or cars. They won't be able to obtain a new wireless phone line without using a prepaid service. They can't rent a place to live. They can't get a new credit card. So many services now check one's credit history before approval.
The cyber criminals behind the breach will probably seek to sell that information on the underground market. I am convinced they will not have to bargain with the many parties who will be interested in this data, be they other criminal gangs or even nation states. Indeed, usurping someone else's identity becomes so much easier when armed with all this private information.
Equifax blames a web application vulnerability for the breach. It is still unknown what security measures were in place at the time. Why did a web application exposed to attackers have access to such sensitive information? Were there enough intermediary layers along the way to shield the sensitive databases from direct access? Why wasn't the sensitive data encrypted? Why do systems that only need to query a credit score have access to more information than that?
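The questions above about shielding databases, encrypting sensitive fields and over-broad access come down to one design rule: each calling system gets exactly the fields it needs and nothing more. The following Python example is added here to illustrate that rule; it is not Equifax's code, and the record layout, the scope names, the field names and the keyed-hash SSN index are constructed assumptions. It shows a deny-by-default, field-level access layer in which a scoring service can resolve a consumer and read a score but can never read SSNs, even if it asks for them, and in which every refused request is written to an audit log so that over-broad queries can be detected.

```python
"""Added example (not from the original post): deny-by-default, field-level
access to consumer credit records.

Each calling system is issued a scope naming exactly the fields it may read.
SSNs are never returned to any scope; lookups by SSN go through a keyed-hash
index (HMAC-SHA256 with a secret key held by the store), so the caller supplies
an SSN but never reads stored ones. Every denied request is logged.
Record contents, scope names and field names are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample records; all values are fake.
RECORDS = [
    {"consumer_id": "c-0001", "name": "Jane Doe", "ssn": "123-45-6789",
     "dob": "1980-01-01", "address": "1 Example St", "credit_score": 712},
    {"consumer_id": "c-0002", "name": "John Roe", "ssn": "987-65-4321",
     "dob": "1975-06-15", "address": "2 Sample Ave", "credit_score": 655},
]

# Allowlist per scope: a field absent from a scope is unreadable from it.
# Note that no scope lists "ssn"; the only use of the SSN is as a lookup key.
SCOPES: dict[str, frozenset[str]] = {
    "scoring": frozenset({"consumer_id", "credit_score"}),
    "address_verification": frozenset({"consumer_id", "name", "address"}),
    "underwriting": frozenset({"consumer_id", "name", "dob", "address", "credit_score"}),
}


class AccessDenied(PermissionError):
    """Raised when a scope requests a field outside its allowlist."""


class ConsumerStore:
    def __init__(self, records: list[dict], index_key: bytes) -> None:
        self._by_id = {r["consumer_id"]: dict(r) for r in records}
        self._index_key = index_key  # assumed to live in a secrets manager in practice
        # Keyed-hash index: maps HMAC(ssn) -> consumer_id, so SSN lookups never
        # require handing the raw SSN back to the caller.
        self._ssn_index = {self._ssn_token(r["ssn"]): r["consumer_id"] for r in records}
        self.audit: list[dict] = []

    def _ssn_token(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def _log(self, scope: str, action: str, consumer_id, fields, outcome: str) -> None:
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "scope": scope, "action": action, "consumer_id": consumer_id,
            "fields": sorted(fields), "outcome": outcome,
        })

    def read(self, scope: str, consumer_id: str, fields) -> dict:
        """Return only the requested fields, and only if ALL are in the scope."""
        requested = frozenset(fields)
        allowed = SCOPES.get(scope, frozenset())
        if scope not in SCOPES or not requested <= allowed:
            self._log(scope, "read", consumer_id, requested, "denied")
            raise AccessDenied(
                f"scope {scope!r} may not read {sorted(requested - allowed)}")
        rec = self._by_id.get(consumer_id)
        if rec is None:
            self._log(scope, "read", consumer_id, requested, "not_found")
            raise KeyError(consumer_id)
        self._log(scope, "read", consumer_id, requested, "allowed")
        return {f: rec[f] for f in sorted(requested)}

    def resolve_ssn(self, scope: str, ssn: str) -> str | None:
        """Map a caller-supplied SSN to a consumer_id without exposing stored SSNs."""
        if scope not in SCOPES:
            self._log(scope, "resolve_ssn", None, frozenset(), "denied")
            raise AccessDenied(f"unknown scope {scope!r}")
        cid = self._ssn_index.get(self._ssn_token(ssn))
        self._log(scope, "resolve_ssn", cid, frozenset(), "allowed" if cid else "not_found")
        return cid


def scoring_service_lookup(store: ConsumerStore, ssn: str) -> int | None:
    """What a score-only system can do: resolve the consumer, read the score."""
    cid = store.resolve_ssn("scoring", ssn)
    if cid is None:
        return None
    return store.read("scoring", cid, ["credit_score"])["credit_score"]


def denied_requests(store: ConsumerStore) -> list[dict]:
    """Detection hook: audit entries a monitoring job would alert on."""
    return [e for e in store.audit if e["outcome"] == "denied"]


if __name__ == "__main__":
    store = ConsumerStore(RECORDS, b"constructed-index-key")
    print("score:", scoring_service_lookup(store, "123-45-6789"))
    try:
        store.read("scoring", "c-0001", ["credit_score", "ssn"])
    except AccessDenied as err:
        print("denied:", err)
    print("alerts:", denied_requests(store))
```

The keyed-hash index is a pseudonymisation technique chosen for this example; it makes the SSN usable as a lookup key without the store ever returning it, but it is not a substitute for encrypting the record at rest, which the example does not show. The denied-request log is the detection side: a scope that repeatedly asks for fields it does not need is exactly the signal a monitoring job should raise.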
I hope that a congressional inquiry makes an example of this incident and pushes us to attempt to better answer the identity question. One thing I certainly do not want to hear anymore: "the company is offering one year of credit monitoring for the victims". What about the year after that? And the one after? We are talking about information that remains valid for the lifetime of the victims.
I also hope this serves as a wake-up call to all businesses that handle similarly sensitive customer information. Please take information security seriously! Don't just buy insurance and commission a risk management report once a year. There is more hanging in the balance than the reputation or the viability of your company. In this particular case, even if Equifax ceases to exist, its employees will find new jobs and life moves on. Where does that leave our society, which has just been shaken to the core?