Cybersecurity experts Friday pilloried the credit reporting giant Equifax for a data breach that could potentially affect 143 million U.S. consumers, a nightmare hack that sharply underscores a new era of information insecurity.
“These millions of victims will be at increased risk of fraud for the rest of their lives,” John Gunn of VASCO Data Security, an Oakbrook Terrace, Illinois firm, said in a statement.
The repercussions of one of the largest cyberattacks to hit the United States continued to ripple. Equifax shares plunged more than 13 percent in value on the New York Stock Exchange, and an underground site offered what it claimed was pilfered information from the Equifax hack.
Consumers who never sought a credit check with Atlanta-based Equifax may not be safe either, experts said.
“Even if you are not a customer, Equifax likely has a lot of data about you,” said Kenneth Geers, senior research scientist at Comodo, a Clifton, New Jersey, company that authenticates websites and content on the internet.
Equifax said Thursday that hackers were in its networks from around mid-May until July 29, and that the breach was halted once it was detected. The company did not say why it waited six weeks to inform the public of the massive hack. Stolen personal data can be used to commit identity fraud, create counterfeit credit cards, and make fraudulent online purchases or insurance claims, among other crimes.
“This is clearly a disappointing event and one that strikes at the heart of who we are and what we do. I deeply regret the incident, and I apologize to every affected consumer,” Equifax chief executive Rick Smith said in a video the company posted.
In addition to the 143 million U.S. consumer records – equivalent to 44 percent of the U.S. population – the company said an unknown number of Canadian and British consumer records were stolen. Data taken included names, Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers. Credit card information on roughly 209,000 U.S. consumers was also stolen.
Outsiders said the company, one of three giants in the credit reporting industry, will struggle to get back on its feet – even as consumers face greater fraud threats from the hack.
“The types of data potentially exposed in this breach could ruin lives, businesses, and might I say, credit scores,” said Hank Thomas, chief operating officer at Strategic Cyber Ventures, a Washington incubator of cybersecurity companies.
Referring to Equifax, Thomas added: “Their brand may never recover.”
Some cybersecurity experts lambasted Equifax for not monitoring sensitive files in its networks, even if its perimeter network defenses were strong.
“It's like if someone walked into a bank dressed like a teller, pretended to work there, and it took the management two months to notice that a stranger was walking out with cash every night,” said Brian Vecci of Varonis Systems, a firm that provides cybersecurity perimeters.
Not all cybersecurity experts delivered such a harsh assessment. Mark Nunnikhoven, vice president of cloud research for Trend Micro, wrote in a blog post that Equifax’s detailed acknowledgement of the hack was “exemplary.”
Another executive said the penetration signaled the perils now buffeting the digital realm.
“If a company like Equifax can make significant investments, have every incentive to keep the most sensitive kind of information secure, but still experience a breach … it stands to reason that our playbook needs a revision,” Josh Mayfield, a platform specialist at Firemon Immediate Insight, of Overland Park, Kansas, said in a statement.
Equifax took a pounding not only in the stock market but also on social media.
A threat intelligence analyst at a Midwestern cybersecurity company, who asked not to be identified to avoid becoming a target himself, said hackers involved in political causes, known as hacktivists, may target Equifax for what they consider inadequate security that may impact millions of people.
“You could get hacktivists who go after Equifax with (denial of service) campaigns or website defacement in retaliation,” he said.
A Romanian cybersecurity researcher, Catalin Cimpanu, tweeted that he had found a site on the dark web, an area of the internet frequented by cybercriminals, that sought a ransom of 600 bitcoin (roughly $2.7 million) in order not to dump the stolen Equifax database into the public realm.
Later, Cimpanu tweeted: “I’m 99% sure this is a scam.”
Whether that is so or not, Trend Micro’s Nunnikhoven said the trove of stolen data from Equifax could be “worth $27 million or more in the digital underground.”