Perspective: Equifax Data Breach

By Mary Singh

Business Threat Intelligence

Equifax, one of the three major consumer credit reporting agencies, disclosed on 7 Sep 2017 that hackers had successfully obtained unauthorized access to sensitive privacy and financial information of upwards of 143 million American consumers.

Compromised data includes Social Security numbers, dates of birth, driver’s license numbers, and other sensitive information, including hundreds of thousands of credit cards, stored on Equifax servers. It appears to be the third such large-scale cybersecurity event at Equifax since 2015.

The credit reporting agency, based in Atlanta, is considered by malicious actors to be particularly hack-worthy given its possession of consumer personal and financial information and the reality that these records can routinely fetch hundreds of dollars per record on dark web marketplaces from identity thieves and other fraudsters. Using the data stolen from Equifax, identity thieves can easily perpetrate fraud by impersonating victims during transactions with lenders and creditors.

What happened?  

  • Equifax discovered an apparent breach of its system in late July 2017. The company believes it includes much of the sensitive personal information collected about its customers and non-customers alike, including Social Security numbers, driver’s license numbers, and troves of other personal and financial information. The total number of those affected could top 145 million.

How did it happen?  

  • Equifax has not yet officially disclosed how it was successfully attacked; however, it did indicate that the attack involved a vulnerability associated with a web application. If true, this would suggest that this is yet another high-profile attack that was preventable and avoidable via a simple patch that was not applied despite a published vulnerability. Some initial speculation revolved around the Apache Struts web framework. The final entry point detail is almost entirely irrelevant to the larger issue: highly sensitive data stolen via the most basic of security errors.

What happens to this data on the Dark Web and how will it be used?

It is possible that the attackers will successfully extort money from Equifax in exchange for allegedly destroying the stolen data and not releasing it publicly. Even if the extortion is not paid by Equifax, Liberty Advisor Group assesses with high confidence that the information will be made available for sale on assorted dark web marketplaces and packaged in micro-segments.

  • Extremely lucrative, this data will be bought by enterprising identity thieves seeking a return-on-investment by delivering bespoke and highly efficient attacks on victims.  This could include personal identity theft, potential spear-phishing targeting online systems, and ransomware.
  • Because attackers always have the advantage, victims of this fraud might not even see such attacks until weeks, months, or even years from now. As a reference point, the attack on professional networking site LinkedIn occurred in 2012, yet passwords and other personal data stemming from that breach were not made available for sale until years later.
  • As is the case with most other high-profile attacks, the hackers will likely bleed out as much value as possible for this data via sales on the dark web before the entire list loses value and is inevitably made accessible to anyone with or without access to a Tor Browser.
  • Although the method and vulnerabilities exploited in this attack and even the volume of records are no longer unique in today’s hostile cyber environment, the impact of this breach will stand alone. Unlike logins and passwords, social security numbers, maiden names, past addresses and credit history cannot simply be reset or changed. Much like the OPM breach, this threat to consumers is truly multi-generational and will persist.

What should you do?

  • At the time of this report, there have been conflicting accounts regarding whether signing up for Equifax’s online system and free monitoring service will ultimately preclude a user from participating in an eventual class action lawsuit against the company. This is based on a legal clause found buried within the system’s terms of service. It has received heavy criticism and pressure on social media from the public and from the Attorney General for the State of New York.
  • Regardless, Liberty is recommending people assume that their information has been breached and pursue credit freezing and monitoring options from the other agencies, TransUnion and Experian. Credit freezing places restrictions on who can view your credit report and can frustrate the efforts of an identity thief who is fraudulently seeking loans or credit in your name. Other monitoring solutions also provide suitable service, such as Identity Lock.
  • As always, Liberty Advisor Group recommends that people employ basic tips for safe computing during their online activities, such as avoiding suspicious e-mails, websites, and attachments, and ensuring operating systems and legacy preventative controls are deployed and properly configured. To avoid the effects of potential ransomware and other malware, Liberty Advisor Group strongly encourages clients to ensure all information is properly backed up and stored offline and to ensure patches are being monitored and applied on a regular basis.

Potential impacts for corporations?

  • Although it may not be the first wave of attacks by hackers, companies should expect an eventual uptick in social engineering and phishing scams to conduct business process fraud.
  • The data stolen may be personal in nature and, on the surface, seemingly unconnected to workplace cyber threats. However, Liberty urges business leaders to look at the information breached from the perspective of the attacker.
  • The most effective social engineering and phishing scams to date involved weaving personal, verifiable information into emails to an individual because it exponentially increases the chances of the recipient clicking a link or attachment.
  • With the quality and volume of Equifax data, savvy hackers will create highly tailored and professional emails to perpetrate their attacks.
  • Companies should redouble efforts for user training and revisit current protocols for critical system security and invoice payment processes.
  • Even companies with dedicated security offerings are being targeted by the same simple threats. Although not linked to this Equifax breach, Deloitte recently announced what appears to be a very similar threat-to-breach activity that has resulted in the loss of highly sensitive client information.
  • No doubt, these are neither the first nor the last companies to be breached, but the type of data lost in the Equifax hack will only make the attacks more difficult to detect and prevent.
  • Companies should also consider enhancing existing security programs with more external analysis of Indicators of Reconnaissance by would-be hackers. Waiting to defend an inbound attack may be too late now that hackers are armed with even richer and more sensitive data on your employees.