Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
September 8, 2017


Equifax hack exposes limitations of authentication based on personal information

Credit monitoring company Equifax has revealed that the personal data of around 143 million Americans has been stolen.

The files, which included names, social security numbers, dates of birth, addresses and driver’s license numbers, were accessed by criminals between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Three senior executives sold shares in the company worth almost $1.8m after the company discovered the breach but before it was made public. Inevitably, the share price has tumbled following the announcement.

Ines Gutzmer, head of corporate communications for Equifax, insisted that chief financial officer John Gamble, president of US information solutions Joseph Loughran and president of workforce solutions Rodolfo Ploder “had no knowledge that an intrusion had occurred at the time they sold their shares.”

The Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed the personal data of 80 million people. The latest hack exposes 143 million Americans to the risk of identity theft and fraudulent transactions carried out in their name.

While it isn’t the biggest data breach in history – that honour goes to Yahoo – it could be the most damaging, because the data obtained is routinely used to verify people’s identity by banks and other institutions.

“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”

Two of Equifax’s competitors, Experian and TransUnion, will be affected too since they hold virtually the same data held by Equifax.

“Ridiculous”

Ryan Kalember, from cybersecurity company Proofpoint, told the Guardian that the breach “has really called into question the entire model of how we authenticate ourselves to financial institutions. The fact that we still use things like mother’s maiden name, social security number and date of birth is ridiculous.”

Richard Smith, Equifax’s chairman and CEO, said: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Senator Mark Warner, vice-chairman of the senate intelligence committee, has urged Congress to reframe data protection policies in such a way that businesses have “fewer incentives to collect large, centralised sets of highly sensitive data”.

Equifax also reported “fraudulent and unauthorised access” to the financial files of four high-profile individuals in 2013, with Paris Hilton, Michelle Obama, former FBI director Robert Mueller and former US attorney general Eric Holder rumoured to be among those affected.

Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “Now cybercriminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach.

“We should be prepared for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage.

“Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security.

“Most companies don’t even have an up-to-date application inventory. Without knowing your assets, you won’t be able to protect them.

“Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine-learning in their attacks when targeting and profiling the victims for example.

“Last but not least, such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims.

“Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen.”

Dr Richard Ford, chief scientist of Forcepoint, said:

“The unfortunate Equifax breach is just another embodiment of the threat environment that organisations face every day – this is the new normal. The rise of large scale data collection and aggregation has placed considerable pressure on organisations to preserve privacy while leveraging data for legitimate business purposes.

“The more sensitive the data the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorised users.

“Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to augment legacy defences with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of people, data and systems can become the critical point for effective security and compliance.”

Equifax says it discovered the hack on 29 July.

The Atlanta-based company has set up a website where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information.

Equifax is offering customers free credit monitoring using its own breached service.
