The hack reported last week by Equifax will go down as one of the worst data breaches in history, and could prove to be the most damaging ever for American consumers, many security experts contend.
Anonymous criminals committed the crime, but cybersecurity experts told Scotsman Guide News that the blame for exposing sensitive information belonging to roughly half of the U.S. population lies with Equifax, which has a history of data breaches.
“I firmly believe they could have prevented this,” said Tim Crosby, a senior security consultant with Austin, Texas-based Spohn Consulting.
Equifax reported last Thursday that it discovered on July 29 that cybercriminals had exploited “a U.S. website application vulnerability” to gain access to its systems. Equifax determined that the data of as many as 143 million people was compromised.
The information included Social Security numbers, birth dates, addresses and, in some cases, driver’s-license information. The credit card numbers of 209,000 U.S. consumers were also exposed, and information on consumers residing in the United Kingdom and Canada was also breached.
Equifax believes the attack occurred in mid-May and continued until it was discovered nearly two months later.
“This is a pretty scary thing,” Crosby said. “It is going to affect the other credit reporting agencies, who are going to have to be on their toes. We know somebody has the information. We don’t know how widely it has been distributed, or who got it yet.”
Equifax has been breached or has admitted to mishandling sensitive consumer information five times since 2005, according to the website privacyrights.org. Most recently, it was reported in May 2016 that hackers breached its W-2 Express website, exposing tax and salary information on 431,000 Kroger employees.
In October 2010, Equifax agreed to pay a $1.6 million fine to settle a complaint with the Federal Trade Commission, after admitting to selling information on people who had been late in paying their mortgages. This affected 17,000 consumers. The company had two other smaller incidents in 2010 and 2006.
“In my opinion, this is the super jackpot of cybersecurity compromise,” said Jeffrey Bernstein, the managing director of Critical Defence. Bernstein doubted that the hackers will ever be caught. They may have already sold the information on the “dark web,” a collection of sites hosted on private overlay networks that are not indexed by traditional search engines. Equifax could face severe penalties, Bernstein said.
“This type of breach should never happen,” Bernstein added. “A company like Equifax has a very high-profile, high-threat environment that they operate in. They have a treasure trove of data, of our private data, and they need to protect it.”
Equifax officials were not immediately available for comment.
As of Monday, Equifax had provided no additional information on how the cybercriminals accessed its database. A web application is a program that users reach over a network connection, typically through a web browser, rather than installing on their own devices. Typically, a person logs in with a user name and password. Facebook and LinkedIn are two well-known examples of web applications.
Hackers often develop attack tools to exploit vulnerabilities in these programs, in an ongoing cat-and-mouse game. Companies, in turn, must continually test their web applications for vulnerabilities and apply fixes promptly.