For up to 143 million U.S. citizens who lost personal data in the breach of the Equifax credit bureau, here’s how criminals might take advantage:
They might try to buy a gun in your name. Or get a second mortgage on your house. They could lease a car by impersonating you, and crash it. They might steal your tax refund or Social Security check. Maybe they’ll get your health records.
That’s just for starters. For victims of the breach, headaches may recur for years. U.S. consumers are stricken by a new reality: Companies that gather personal data on them often are unable to protect that data.
The breach, which Equifax announced Sept. 7, sent a ripple through the business world. A new shock came Wednesday when the Securities and Exchange Commission said that it had been hacked, too, amounting to a one-two blow of confidence to the financial system. Hearings are already scheduled on Capitol Hill, and plenty of hand-wringing is unfolding in boardrooms. Calls for regulatory reform mount. A hopeful few see a silver lining.
“There is one benefit of Equifax. It is a serious debate on identity protection that’s raging across all modern economies that are driven on credit,” said Greg Clark, chief executive of Symantec, a major cybersecurity company. “It will lead to more protection of consumer and citizen data.”
Underlying the Equifax breach and its impact on consumers are other related issues. One is the lack of a sweeping mandate for companies suffering breaches to lay bare what actions they took, or did not take, before things went wrong. Another is the reliance on Social Security numbers as a de facto national identification system.
“I’m sure that the amount of money that Equifax was spending on cybersecurity was a big number,” said Ron Gula, a former National Security Agency analyst who now leads Gula Tech Adventures of Ellicott City, Maryland. “But whatever it was, it wasn’t enough.”
For Atlanta-based Equifax, the mistake was costly. Its market capitalization has fallen from $17.1 billion the day it announced the breach to $12.6 billion on Friday.
Gula urged reforms so that major hacks affecting millions of citizens would be investigated in a way akin to federal probes of air disasters. Such inquiries should detail whether companies took adequate steps to prevent intrusions, he said.
Companies can have “many, many reasons” for failing to install security patches, he said, including concerns that a patch could affect a website’s stability or customer experience.
“If you go in and patch something and it breaks an application and you have an outage – maybe like southwest.com or any of the outages that happen throughout the year – those things can be career-ending events,” said Gula, a founder and former chief executive of Tenable Network Security, which he left in 2016.
In the case of Equifax, the vulnerability the hackers exploited was in web server software known as Apache Struts; a patch was released, and users were notified to install it, on March 7. Equifax has not said publicly why its technicians did not install the patch.
Greater public disclosure, perhaps through quarterly reports, Gula said, would move companies toward spending more to maintain digital security and hewing to good practices.
“I believe the requirement to disclose security issues is going to trump the need to have a stable and well-run website,” he said.
Among the personal data pilfered in the Equifax hack were names, birthdates, addresses, and Social Security numbers. In some cases, credit card and driver’s license information was also taken.
“The data that was stolen was far more detailed compared to other breaches,” said Rohit Chopra, former assistant director of the Consumer Financial Protection Bureau, an agency created after the 2008 financial crisis to protect consumers against abusive lending.
“I’m worried some people will see their bank accounts drained,” he said in an email.
The vast personal data trove gives ammo to criminals.
“Next year, we expect to see a 10 to 15 percent increase in application fraud as a result of this,” said Frank McKenna, chief strategist at PointPredictive, a San Diego, California, firm that helps auto lenders combat fraud. Auto fraud could hit $6 billion this year, his firm says.
With the personal data gleaned from Equifax, fraudsters can make up a fictitious name and address to go along with a real Social Security number, and create a whole new consumer profile, he said. Another tactic is to take over existing credit card accounts.
“You can impersonate a customer and take over the accounts they have today. I’ll just change your address for mine, get the new cards and start spending,” McKenna said.
Added Chopra: “Hackers might even be able to obtain your confidential medical records, since many health insurers identify you through your Social Security number and date of birth.”
The Equifax breach affects mainly U.S. consumers, and to a lesser extent consumers in Canada and Britain. But breaches of personal data are a global problem, including in countries like India, which is moving toward a largely cashless digital economy.
“If there is lemonade in these lemons, it is the awareness and the heightened level of scrutiny that is required around these pools of data,” Clark said. “Equifax is a catalyst around this data in the cyberspace dimension. It is also a catalyst around identity and how we manage it.”
Social Security numbers are gold for hackers, said Avi Chesla, cofounder and chief executive of empow, an Israeli cybersecurity firm that helps clients use artificial intelligence to make their systems more secure.
“As the Social Security number has become a de facto national identification number for taxation and other purposes it is a very attractive target for hackers,” Chesla said, adding that it “is a relatively easy task” for those infiltrating networks to find, copy and extract files containing Social Security numbers.
Without a good alternative in place, Chesla said consumer trust will take a hit.
“It’s a psychological issue. If people think their (Social Security number) is not safe, they will stop giving it online,” Chesla said. “The power of online services will be diminished and this will take all of us ‘back in time.’”