When Target Corp. and The Home Depot, Inc. were both hacked in 2014, more than 120 million records were stolen.
That’s nothing compared to the Equifax, Inc. hack.
In terms of how much risk Americans are in right now, there’s absolutely no comparison to previous hacks where credit card numbers were stolen, according to Craig Shue, associate professor in the Computer Science department and the Cyber Security program at WPI.
“Most attacks, like the one on Target, are mostly about stolen credit card data,” says Shue. “You identify any fraudulent charges on your account and they’re refunded. You get a new card. For the card holder, it’s not that big an issue. But the Equifax breach is a completely different ballpark.
“The severity of the Equifax hack is due to the type of information they’re holding,” he added. “They are holding all the information someone needs to steal your identity. … This is the crown jewels of breaches.”
On Sept. 7, Equifax, one of the major credit reporting agencies in the United States, reported that the personal data of 143 million Americans—that’s 44 percent of the country—was potentially compromised in a cybersecurity attack that happened from mid-May through July this year.
The data that now sits in the hackers’ hands includes names, Social Security numbers, addresses, birthdates, and even driver’s license numbers in some cases.
It’s the perfect brew of information for attackers to use to steal someone’s identity and clean out their bank accounts, take out loans in their names, get copies of their birth certificates and passports, and take out credit cards and buy anything from sneakers to furniture and boats.
The hackers could use this information over the next several months, or even years, to slowly attack U.S. consumers, or they could release the information en masse and cause nationwide panic, notes Shue. They also could sell the highly valuable information to governments or other criminal groups.
“What’s particularly frightening is this is all the information anybody needs to verify who you are,” says Shue, who has worked as a cybersecurity research scientist at the Oak Ridge National Laboratory. “How do you prove who you are? The information you need to do that is now out there. An adversary with this information could convince the government to give them a certified copy of your birth certificate, a reissued social security card, and even a replacement driver’s license. They could reconstruct your entire identity.”
Equifax has not released any specifics on the hack other than saying criminals exploited a website application vulnerability.
Any company could be targeted by hackers, but when that company holds such critical information on so many millions of people, it needs to have better cybersecurity than an average company, Shue contends.
“There are certain entities in the world that exist to be trusted,” says Shue. “Equifax is one of them. They are a juicy target because of the information they have. Every financial institution, or credit reporting bureau, knows they’re going to be targeted given the information they have.”
Shue says he was surprised the hackers made off with so much information before any security administrators at Equifax took notice. With that much data—highly sensitive data—moving out the cyber door, alarms should have been going off.
“It’s like seeing a lot of money coming out of a bank vault. You’d notice that, right?” he says. “In this instance, someone took an entire copy of everything in the vault before anyone noticed. That speaks volumes about their security.”
At the least, any company should be keeping its software up to date and monitoring network communications within its systems and with the outside world.
The attack on Equifax also points out the need to figure out a better way to identify people.
“We’ve been using Social Security numbers like they’re some sort of super secret identification,” says Shue. “The problem is you can never get a new one if it gets compromised. If we insist that we use a government identification number, you should be able to get a new one if it’s been compromised. But society is simply not there yet.”
- By Sharon Gaudin