It could be the worst-ever data breach for American consumers, exposing some of the most sensitive data for a vast number of US households.
The hack disclosed at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects 143 million US customers, or more than half the adult population.
While not the largest breach — Yahoo attacks leaked data on as many as one billion accounts — the Equifax incident could be the most damaging because of the nature of data collected: Bank and social security numbers and personal information of value to hackers and others.
“This is the data that every hacker wants to steal your identity and compromise your accounts,” said Darren Hayes, a Pace University professor specialising in digital forensics and cyber security.
“It’s not like the Yahoo breach where you could reset your password. Your information is gone. There’s nothing to reset.”
Some reports suggested Equifax data was being sold on ‘dark web’ marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation.
“This could be a mercenary group or it could be a nation-state compiling it with other data” for espionage purposes, said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington think-tank.
“This is the kind of information I would go after if I were a nation-state, to set up psychographic targeting for information and political warfare.”
Peter Levin, Chief Executive at the data security firm Amida Technology Solutions and a former federal cyber security official, said he is concerned over the national security impact of the breach, which follows a leak of data on millions of US government employees disclosed in 2015.
“The implications with regard to national security are very large,” he said.
Because most federal employees also have credit reports, “those people have now been hacked twice,” Levin said, offering potential adversaries fresh data to be used against them.
“We’ve just given the bad guys a lot more information,” he said. ‘‘Even if they didn’t perpetrate the attack, they can buy the data.”
An FBI statement said the US law enforcement agency “is aware of the reporting and tracking the situation as appropriate.”
The breach raised numerous questions among experts, such as why the company waited more than a month to notify consumers after learning of the attacks July 29.
Some analysts expressed concern that a company with a mission to safeguard sensitive data allowed a breach of this scope to take place.
“Equifax knew it was a prime target for cyber attacks,” said Annie Anton, who chairs the Georgia Tech School of Interactive Computing and specializes in computer security research.
“It’s amazing that one flaw could lead to a breach involving 140 million people. They should have safeguards in place. Even if a breach happens, it shouldn’t grow to that scale.” Even more surprising, Anton said, is that Equifax still used social security numbers for verification despite the known risks from storing these key identifiers.
Anton noted that she testified before Congress in 2007 recommending that credit bureaus be required to use alternatives to social security numbers “and it still hasn’t been fixed.”
Some details of the attack remain unclear, including whether the data stolen was encrypted — which would make it harder for the hackers to monetise.
At least two class-action lawsuits on behalf of consumers were filed following the disclosure claiming Equifax failed to adequately protect important data.
Equifax “should have been better prepared for any attempt to penetrate its systems,” said attorney John Yanchunis, who filed one of the lawsuits.
Separate lawsuits announced meanwhile said Equifax may have violated securities laws by allowing three high-ranking Equifax executives to sell shares worth almost $1.8 million in the days after the hack was discovered.
An Equifax spokesperson said the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”— AFP