143M consumer records stolen in massive Equifax hack: Here’s what it means

Consumer credit reporting agency Equifax Inc. has been hacked, resulting in the theft of personal information of 143 million American consumers.

Details of how the hack took place are not entirely clear at this stage. The company described the access, revealed Thursday, as happening via a “website application vulnerability.” But it’s known that the stolen data includes names, Social Security numbers, birthdates, addresses and, in some cases, driver’s license numbers. In addition, credit card numbers for 209,000 Equifax customers along with “dispute documents” with personal information pertaining to 182,000 customers were also stolen.

Equifax primarily operates in the United States, but customers in other countries may have also been affected. The company added that “unauthorized access to limited personal information for certain U.K. and Canadian residents” also occurred.

The data breach is said to have occurred in mid-May, though the hackers continued to access data from Equifax through to the discovery of the hack and the patch on July 29.

If that’s not bad enough, according to Bloomberg, three company executives sold shares in the company prior to the public disclosure of the hack but after the company had become aware that it had occurred. The timing suggests that the executives, including Chief Financial Officer John Gamble, may have illegally sold shares using inside information. But the company denies the claim, saying that the sale was an unfortunate coincidence and that the executives “had no knowledge that an intrusion had occurred at the time.”

Security researchers concur that the most concerning part of this breach is the number of Americans who have had their data stolen.

“While we don’t yet know the full dimensions of the Equifax breach, where the most sensitive information of over a third of the American population could have been exposed to cybercriminals, tens of millions of us are now forced to look over our shoulders for the rest of our lives because tons of Social Security numbers, the skeleton key to our lives, are out there for cybercriminals to steal and exploit,” CyberScout LLC Chairman and Founder Adam Levin told SiliconANGLE.

Richard Henderson, global security strategist at Absolute Software Corp., jokingly told SiliconANGLE that “just when we think the days of massive breaches are behind us, another company pops up and says, ‘Here, hold my beer and watch this!’” He added that “this is likely going to be the ‘breach of the year,’ if such awards were handed out,” since some 140 million Americans potentially got their information stolen.

“We have to expect that the fallout from this will likely be unprecedented,” Henderson added. “Many people are going to lose their jobs, including Equifax executives, people will be brought before Congress to explain what happened, and consumer trust in all of the credit reporting agencies will be eroded.” Equifax’s shares fell more than 12 percent in after-hours trading.

The danger presented by one company holding such a large amount of information was a running theme from security experts. “It may be time for us to reconsider exactly how we allow companies to store all of this data,” Henderson said.

Eduard Goodman, global privacy officer at CyberScout, further articulated the legal and moral issues regarding the credit data gathering system. “This incident underlies one of the key issues with the U.S. consumer credit system and centralization of credit data on Americans,” he said. “We have become overly reliant on the three credit bureaus that act as the sole data ‘brokers’ and repositories of data for creditworthiness, making an exposure like this a very dangerous event.

“With loss of not just SSNs but other secondary pieces of data like previous addresses, mother’s maiden name or the banking institutions with which consumers hold loans, to some degree we have exposed an entire consumer facing security ecosystem to failure,” he added. “Since everyone from credit loan verification to online account sign ups depend on this information to help verify us all.”

For those affected by the data breach, Ondrej Vlcek, chief technology officer at Avast Software s.r.o., warned that this is a case where unfortunately there’s nothing victims can do other than be vigilant. “It’s only a matter of when, not if, this data appears on the dark web market,” Vlcek notes.

Vlcek’s advice: “First, closely monitor all email, social, credit card and bank accounts closely for suspicious activities. Second, consider looking into a credit freeze that will stop hackers from using your identity to accrue debt. Also, don’t respond directly to emails and other messages notifying you that you’re a victim. They may be scams. Instead, open up a new tab and log in directly to the site in question, or call the support center number listed on their site.”

Photo: thepreiserproject/Flickr
