
This was published 7 years ago

Equifax's historic hack may have exposed almost half of US

By Brian Womack

Equifax, one of America's three biggest credit-reporting companies, was struck by a cyberattack that left almost half the US population at risk, placing it among the most intrusive security breaches in history.

Hackers exploited a website application to access names, addresses, social security numbers and some driver's licence numbers of potentially 143 million consumers, Equifax said on Thursday in a statement.

The incident is a stark reminder of the risk of consumers' personal data being exposed online, security experts said.

It's particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information. That kind of data is critical and could be used in multiple ways to harm consumers.


"This is massive," said Paul Martini, chief executive of Iboss, a cybersecurity firm.

"This overshadows any other breach that we've seen to date - not just the volume, the size, but the type of data that was in that database."

Consumer information

The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It's also offering free credit-file monitoring and identity-theft protection.


Criminals took advantage of a "US website application vulnerability to gain access to certain files" from mid-May through July of this year, Atlanta-based Equifax said.


The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

"It's a huge deal," said Tim Crosby, senior consultant with security-assessment firm Spohn.

"You would expect these guys to have compartmentalised this data far enough away from a web server - that there would not be any way to directly access it."

Equifax and the other large credit-data brokers - UK-based Experian and Chicago-based TransUnion - have fought a public-relations and regulatory battle for years to present themselves as responsible stewards of the personal information for hundreds of millions of Americans.


Critics including US senator Elizabeth Warren have taken aim at errors that affect people's ability to secure home loans, credit cards and reasonable interest rates.

Previous attacks

Concerns about their digital security have periodically come into focus, in high-profile breaches including an incident in 2013 in which all three companies said they uncovered cases where hackers used personal information on famous people from Michelle Obama to Paris Hilton to access their credit reports and post the documents online.

That year, cybersecurity reporter and blogger Brian Krebs published an account of how an identity thief in Vietnam ran a service that helped others access millions of Americans' credit reports from Experian, via a subsidiary company.

When breaches have occurred, they often aren't widely known.

Some of the credit companies have disclosed security breaches in the quietest way possible - by alerting affected consumers directly, by mail - as required under state breach-disclosure laws, but not issuing wider public statements to consumers or investors.

Bloomberg News reported in 2012 that Experian was breached 86 times via accounts at clients such as banks or auto dealers, with hackers downloading in some cases hundreds of credit reports while the businesses were closed.

The attack reported on Thursday is the most high-profile cybersecurity breach since online portal Yahoo announced two separate incidents.

Last year, Yahoo, whose web assets were acquired by Verizon Communications earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts.

A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.

Financial industry impact

Equifax's breach will test measures the financial industry has rolled out to prevent thieves from abusing troves of stolen credit-card numbers.

A few years ago, banks in the US began embedding computer chips on cards to prevent criminals from forging their own with much simpler magnetic stripes.

The underlying technology - called EMV for founders Europay, MasterCard and Visa - generates new codes for each transaction. The codes on stripes are static, making them susceptible to duplication. Still, stolen card numbers can be useful at cash registers that don't accept chips or for shopping online.

The Equifax breach also may open the way for another type of fraud called synthetic identity theft.

Typically, fraudsters mix stolen social security numbers, and potentially other information from the owners, with a borrowed mailing address and apply for new credit cards that they control.

Some patient con artists even use the new personas to seek additional credit cards or loans, then max them all out at once, potentially making off with tens of thousands of dollars.

Banks typically pick up the cost when thieves abuse stolen card numbers, assuming it's caught promptly. The expenses can add up fast.

Rising costs of hacks

Over the past four years, financial firms spent an average of $US222 per affected customer after suffering breaches, according to a study published by the Ponemon Institute this year for IBM. The tally includes a variety of expenses, covering everything from forensic investigations to customer support hotlines.

The number has been climbing. When releasing the report in June, the authors projected it would reach $US245 per customer this year.

Some UK and Canadian residents were also affected in the incident reported on Thursday.

Equifax said it was working with regulators in both countries. It uncovered the breach on July 29. While the company's investigation was substantially complete, it remained open and was expected to be completed in coming weeks, Equifax said.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes," chief executive Richard Smith said.

The Federal Bureau of Investigation didn't immediately respond to emails and a phone message requesting comment about its possible involvement in an investigation.

Bloomberg


Original URL: https://www.theage.com.au/link/follow-20170101-gyddfg