NORFOLK — The latest breach involving the Equifax credit bureau could be the worst one yet.
The company recently reported that 143 million American consumers’ personal data was stolen, which allowed hackers to get key information including addresses, social security, driver’s license and credit card numbers.
Larry “Chip” Filer, chair of Old Dominion University’s Department of Economics, said the most significant aspect of the breach is the amount of information Equifax has in their database. That puts the company at a higher risk than others.
“Being one of the credit aggregators, Equifax has data on all credit a consumer has taken out. That includes account numbers, balances, etc. More common breaches of singular financial firms put less information at risk,” he said.
Filer said, for now, he suggests that consumers who are concerned about their personal information check the Federal Trade Commission website. The website has helpful tips including how to check credit reports. Also, consumers can check to see if they’ve been affected by visiting www.equifaxsecurity2017.com, a website set up by Equifax.
“There you can enter your last name and the last 6 digits of your social to see if you have been impacted,” Filer said. “This is not perfectly accurate and I suspect that with 143 million potential customers at risk, nearly everyone will be told they are potentially impacted.”
Filer’s other recommendations include signing up for identity theft protection through a well-known service; canceling all of your existing cards and credit accounts and open new ones, which may be extreme, but will prevent fraudulent charges from occurring; and requesting a credit freeze. A credit freeze prevents anyone from opening new credit accounts in your name.
“The opening of new accounts in your name by others is the most dangerous aspect of this hack. Unlike fraudulent charges on your existing credit cards, this goes unnoticed by the consumer for quite some time,” Filer said. “Most consumers don’t know that fraudulent accounts have been set up in their name until the account becomes delinquent and they start receiving notices for collection.”
Hongyi “Michael” Wu, director of Old Dominion’s Center for Cybersecurity Education and Research, added that the Equifax breach could be a wormhole.
“The U.S. population is about 323 million. Doing the math, 44 percent are at risk. It means almost one out of every two people are affected. If we only consider adults, the ratio would be even higher,” he said.
“In general, we must be aware of the risk,” Wu said. While companies like Equifax are supposed to safeguard consumers’ personal information, no organization is immune from cyber-attacks.
Wu also noted that a company like Equifax should have their system examined regularly but technologies can only do so much.
“There are also human factors — a single click on a phishing email or text message may destroy the entire defense system. On the other hand, we must take care of our cyberspace by ourselves — just like taking care of our own health,” he said. “We cannot completely rely on doctors. Keep an eye on any signs of abnormality; that shows potential risks. This is helpful in discovering cyberattacks in early stages while minimizing the impact of such attacks.”
Both Filer and Wu agree that Equifax has let millions of people down by not following established protocol and tackling the problem before it got out of hand. Equifax had two security incidents happen prior to the breach which could indicate that warning signs were present.
“Credit bureaus are usually well protected. Given the type and amount of sensitive information they own, they usually keep their systems up to date, making sure software is patched. But this time, Equifax failed to install the patch for a web-application vulnerability, which was exploited by the hacker to compromise their system,” Wu said.
Filer said Equifax hasn’t done a very good job of handling the situation post-attack either.
“Make no mistake, data hacking is the new corporate terrorism. It’s what keeps CEOs up at night. In the aftermath, the company needs to be very open about the attack and explain what they know,” he said. “Equifax is in an unusual position in the sense that consumers don’t necessarily buy their services.”
Financial firms such as Equifax are the holders of massive amounts of data, but consumers don’t really sign up for that service from them. By virtue of consumers needing credit reports, consumers need Equifax.
“The company must do a better job of explaining the steps to prevent this from happening again because consumers don’t have the ability to switch companies. Equifax will still get our information and still provide credit reports in the future,” Filer said.