Even to grizzled cybersecurity experts, the scale of Equifax’s massive data leak is dumfounding.
With a treasure trove of information compromised — including social security numbers, addresses, birthdays and driver licenses — Equifax’s failure to secure data has put 143 million Americans at risk of fraud. The Equifax case is potentially far more devastating than recent high-profile hacks of Sony, Yahoo, and Netflix, experts say.
“We sometimes hear about Yahoo and these other guys getting hacked. What I then do is go and change my password, maybe I get a new credit card,” Aviram Jenik, CEO of cybersecurity firm Beyond Security, told TheWrap. “What should I do now, get a new social security number? I’m stuck. I’m sitting at home, and there’s a guy out there with all my information which I cannot change.”
It’s a sobering assessment, coming from someone who helps companies protect their data for a living. But this isn’t any ordinary data hack.
Equifax’s hack was the product of a “known vulnerability” that is “something pretty easily detected,” according to Jenik. Companies hire security firms to weed out the known vulnerabilities in their system. Once spotted, a “patch” can be applied. Think of the leak like robbers trying to crack a safe: Hackers will consistently pepper companies like Equifax, looking to find an opening, similar to how a thief would continue to tilt a safe until he’s able to hear the correct combo to unlock it.
Now that Equifax’s safe has been cracked, Christmas has come early for cybercriminals.
“[Hacking] is very much a business,” said Mark Nunnikhoven, vice president of Trend Micro, a global leader in cybersecurity, in an interview with TheWrap. “There are strata of criminals within this world, where to commit cybercrime you do not need a massive amount of technical knowledge. You just need the right contacts and a little bit of startup capital.”
That’s bad news for the millions of people hit by Equifax’s breach. Hackers sell stolen individual identities on the black market for $5 to $30, according to Nunnikhoven. The fresher and more complete a profile — with social security numbers being the prized possession — the better. Once an identity is sold, there’s little to stop crooks from exploiting it.
“These identity documents can be used in real-world identity theft,” said Nunnikhoven. “So if you print up a fake social security card and walk into a bank that the originator of that social security number has never done business with, you can easily open an account in their name and be them for all intents and purposes.”
Compounding the issue is the evergreen nature of the threat. Criminals can use the information at any time, and it could take years for signs of fraud to surface. As Jenik put it, “from now until I die, my information is out there.” With 143 million accounts to choose from, hackers can afford to play the long game.
Perhaps the least inspiring aspect of Equifax’s leak is the lack of options to curb its damage. Both Jenik and Nunnikhoven said the remedies are few, but pointed to a credit freeze as one of the few must-do moves for consumers. A credit freeze involves calling the big four firms — Equifax, Experian, Orbitz, and TransUnion — and putting a security lock on your credit checking, which will prevent anyone from taking out more credit against your identity. (Of course, the downside to this is it hampers your ability to take out credit as well.)
Unsettlingly, the Equifax hack may be a harbinger of identity theft becoming increasingly commonplace.
“The reality of cybersecurity today is — no matter how well prepared you are, no matter how much technology, how well you’ve trained your teams — at some point, a hack is going to be successful,” said Nunnikhoven. “We see hundreds of thousands of attempts per day. One of them is going to get through at some point. The real question is how well can you detect it and recover from it.”
With its stock tanking and customers enraged by its struggling support team, Equifax’s recovery is about as secure as its data.