It’s been over a month since Equifax announced a data breach that affected millions of people. At this point, most consumers have carried on with their lives. They’ve checked Equifax and deemed themselves safe, or they’ve put a freeze on their credit and perhaps signed up for credit monitoring. After all, life goes on. Another data breach, another day, right?
Wrong. The Equifax data breach is not like other data breaches. A different kind of data was stolen — data that very few organizations have and that can be used to cause a lot more damage.
Data breaches typically involve the theft of usernames and passwords for a specific account. Criminals can use that information to access the user’s account (until the password is reset) and set up more fake accounts under the user’s name. They can also try to use those credentials to access accounts at other businesses or institutions, taking advantage of the fact that people often use the same password for multiple accounts. However, those efforts are a shot in the dark unless the cybercriminal knows exactly what those other accounts are. This brings us to the Equifax breach.
According to the New York Times, the Equifax breach involved the names, Social Security numbers, birthdates and addresses of up to 145.5 million people, credit card numbers for more than 200,000 people and a smaller number of driver’s license numbers. As stunning as those numbers are, the danger lies more in the type of data stolen than in the scope of the breach.
The Equifax data has the potential to bring valuable context to the massive amount of data that has been stolen in recent years. For instance, using the Equifax data, criminals can determine that John Smith has legitimate accounts with Bank of America, Wells Fargo and SunTrust Bank. When combined with the username and password data from, for example, the Yahoo breach, cybercriminals will have a powerful data set that allows them to maximize account takeover and conversion to fraud for known accounts that may contain significant amounts of money.
Meanwhile, cybercriminals are likely to use the Equifax data to exploit the more traditional path of identity theft by opening fraudulent accounts using the victims’ personal information. The breach exposed more than enough information about each user to apply for loans, credit cards and checking accounts. Cybercriminals can use these funds outright, or they can physically move money from one account to another to “cash out” at the end of the attack — that is, they can obtain the actual funds that these accounts are worth.
The ultimate goal of these attacks is account takeover, which already results in at least $6.5 billion to $7 billion in annual losses across multiple verticals.
Who is at risk, and what can you do about it? Any online asset of perceived value to the criminal is at risk. Financial institutions (and their customers) are the most obvious target, but e-commerce rewards, airline miles and hotel reward points are also at high risk.
Consumers and institutions should immediately validate current accounts. Cybercriminals are likely to have the information needed to bypass identity validation questions via interactive voice response (IVR) systems. Companies should look for innovation in the identity validation process to reduce the dependence on this static information. Cybercriminals are also likely to re-use credentials that were stolen in previous breaches. If they aren’t already, companies should be logging and monitoring for such attempts.
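As an added illustration of the monitoring recommended above (this code is not from the original article), the sketch below scans login records for sources that fail against many distinct usernames in a short window, the usual signature of replayed breach credentials, and lists any accounts those sources did get into. The log format, the five-minute window, the threshold of four usernames and all sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2017-10-20T10:00:01 203.0.113.7 alice FAIL
2017-10-20T10:00:03 203.0.113.7 bob FAIL
2017-10-20T10:00:05 203.0.113.7 carol FAIL
2017-10-20T10:00:07 203.0.113.7 dave OK
2017-10-20T10:00:09 203.0.113.7 erin FAIL
2017-10-20T10:00:11 203.0.113.7 frank FAIL
2017-10-20T10:01:00 198.51.100.20 alice FAIL
2017-10-20T10:01:20 198.51.100.20 alice FAIL
2017-10-20T10:01:40 198.51.100.20 alice OK
2017-10-20T10:02:00 192.0.2.50 gina OK
2017-10-20T10:02:10 192.0.2.50 hank FAIL
2017-10-20T10:02:30 192.0.2.50 hank OK
2017-10-20T10:03:00 192.0.2.50 ivan OK
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
MIN_DISTINCT_USERS = 4          # assumed threshold; tune to your own traffic

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Flag source IPs whose failed logins span >= min_users distinct usernames
    inside one window, and report accounts they logged in to successfully."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({e[2] for e in fails[start:end + 1]}) >= min_users:
                findings[ip] = {
                    "failed_users": sorted({e[2] for e in fails}),
                    # Successes from a flagged source: review and reset these first.
                    "takeover_candidates": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A single user retrying a forgotten password and a shared office address with mostly successful logins both stay below the threshold, which is why the count is taken over distinct usernames among failures rather than over raw attempts.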
There is also the issue of identity validation. With over 145 million identities in the hands of cybercriminals, the entire financial services industry will need to find new ways to authenticate customers who are opening new accounts.
The Equifax breach provides the perfect conditions for a Category 5 hurricane of fraud in the coming months. In order to reduce the impact of fraudulent activity, both consumers and institutions must be vigilant about protecting their accounts.