On September 7, Equifax, one of the three major credit agencies, publicly announced that it had suffered a major data breach. The company disclosed that unidentified hackers exploited a vulnerability in their website software to gain unauthorized access to company data and exfiltrated it from May through July of this year, impacting as many as 143 million consumers.
The details of the attack — including the identity and nature of the attackers — were not immediately available.1 If the attackers were financially motivated, they could monetize the data by fraudulently opening new accounts at financial institutions, conducting unauthorized transactions, and selling the data to other criminals. If a nation-state conducted the attack, the stolen information could be used to support espionage operations.
This data breach is the latest in a series of high-profile cybersecurity incidents, and is yet another reminder that organizations should enhance their management of cyber and privacy risks, including those related to identity management, authentication, data encryption, and vulnerability management. Further, organizations should manage cyber, privacy and fraud risks in an integrated way, mindful of how creative fraudsters and hackers might quickly leverage information exposed in one breach to perpetrate either new fraud schemes or new cyberattacks.
The motives of the attackers — either financial gain by criminals or information to support espionage operations by nation-state actors — will determine how any stolen personally identifiable information (PII) might be used.
Financially motivated attackers
If the attackers were financially motivated, they could use the stolen data to fraudulently open new accounts and gain access to existing ones. Once in possession of personally identifiable information (PII) such as social security numbers, driver’s license numbers, and full names, the attackers may attempt to order new credit cards, request new checkbooks, and open new accounts at financial institutions. They may also seek to modify existing account information and gain access to additional PII. PII presents greater risks than details gained from stolen credit card information because while credit cards can be voided, PII is intimately linked to particular individuals and can be used for a wider variety of fraudulent purposes such as those listed below:
If the attackers were nation-state cyber actors, the stolen data could be used for the following purposes:
In the immediate aftermath of a data breach, organizations should take steps to identify the population of their at-risk customers and communicate with them regarding whether they were impacted and what they should do now. Compliance departments should closely follow federal and state regulations that may require that they inform customers or regulators within a prescribed time period. Once organizations have identified potentially impacted customers, they should suggest that such customers (1) perform a “credit freeze” to restrict a lender's access to the customer’s credit report, (2) change password reset questions for online accounts to questions that do not rely on data that could be found in credit reports, and (3) stay alert regarding online scams using this data breach to solicit sensitive information, such as emails purporting to be from compromised parties that ask for sensitive data.
After a breach, organizations will often receive a significant increase in call volumes from concerned customers. To manage this increased volume, organizations should put into place multi-channel outreach communication campaigns, including creating bespoke web pages to keep clients informed of developments and provide tips and helpful resources, in the hopes of diverting some inquiries away from the call centers.
In addition to client identification and communication, organizations should consider taking the following steps (many of which are more long-term) to mitigate the risk from potentially exposed data and to reduce the probability of this type of event occurring in the future:
Managing cyber, privacy and fraud risks in an integrated way has never been more important. By establishing a clearer view of the threat landscape and a more coordinated process for investigations and reporting, organizations have an opportunity to significantly improve their risk management posture before the next major breach.