A Touch of Evil

By Michael Fiorito, MDS

Imagine if a criminal walked into a bank where 143 million people were waiting on line. Picture the criminal demanding their wallets - by gunpoint - obtaining credit card cards, driver’s licenses and other identifier documents.

In effect, this is what reported by Atlanta based Equifax on Thursday, September 7th, 2017 – except, of course, the attack was executed digitally by unseen crooks.

The attack represents one of the largest risks to personally sensitive information in recent years, and is the third major cybersecurity threat for the agency since 2015

As one of the three major credit reporting agencies, companies like Equifax are a jackpot for identify thieves. 

In Thursday’s attack, the hackers were also able to retrieve a treasure trove of personal information, including names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

According to an investigation by Equifax and security consultants, the hackers gained access to files in the company’s system this past summer by exploiting a weak point in website software. The company said that it discovered the intrusion on July 29 but found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.

Note that last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner. Ms. Litan added that “Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage.

 

“If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

Pamela Dixon

Executive Director, World Privacy Forum

With this stolen data from Equifax, identity thieves can have a field day impersonating the victims with lenders, creditors and service providers, who rely on personal identity information from Equifax to make financial decisions regarding potential customers.

Equifax has created a website to help consumers determine whether their data was at risk.

The breach demands that organizations assess further the risk of systems that store identity data. NYS Financial Services Security Compliance and Europe’s General Data Protection Regulation (GDPR) require that organizations meet acceptable standards of maintaining privacy. Nothing short of everything is ever enough. Organizations need to main vigilance, developing robust cybersecurity programs that remain current.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”

It doesn’t get more serious.

Pulling the plug doesn't have to be your only security solution.

Don’t become part of a rising statistic — ensure your company is armed against a security hack.