Equifax data breach could create lifelong identity theft threat

27 November 2017 Bachir El Nakib (CAMS)

When a credit card gets stolen, it's easy for the victim of the crime to shut down the card, get a new account number and avoid monetary loss. But financial peril rises and can persist for years when personal data likely to stay the same forever -- like Social Security numbers, names and dates of birth -- gets stolen, as it did in the cyber attack on credit-reporting service Equifax.

Once hackers gain access to these key pieces of personal data -- which are akin to the DNA of a person's online digital self -- the data is at the cyber thieves' disposal forever to cause harm.

"It's very problematic for hackers to have all that important information all in one place," says John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO. "This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone."

An estimated 143 million Americans, or nearly half of the U.S. population, had their personal data stolen in the Equifax cyber heist, according to the company.

The bad news is "this data will be used for years," says Avivah Litan, a security analyst at Gartner. "So, as a consumer, you need to be hyper-vigilant."

Instead of looking at your bank and investment statements monthly, for example, review them weekly, Litan advises. And if you see any fraudulent activity, report it immediately. 

An estimated 143 million U.S. consumers could be affected by a cybersecurity attack carried out by suspected criminal hackers, national credit-reporting company Equifax said Thursday.

The unauthorized access to information for nearly 44% of the U.S. population occurred from mid-May through July 2017 and primarily involved names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers, the company said in a detailed announcement of the attack.

Additionally, the hackers gained access to credit card numbers for roughly 209,000 consumers, plus certain dispute documents with personal identifying information for approximately 182,000 consumers.

Equifax also identified unauthorized access to limited personal information for certain United Kingdom and Canadian residents.

However, there was no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases, the company said.

Financial regulatory filings show that three of the company's top executives sold shares of Equifax stock after July 29, the date the firm said the cyber breach was detected.

On Aug. 1, Chief Financial Officer John Gamble sold shares with a market value of nearly $946,400, while Joseph Loughran, president of Equifax's U.S. Information Solutions, exercised options to sell nearly $584,100. Rodolfo Ploder, president of business unit Workforce Solutions, sold shares valued at nearly $250,500 on Aug. 2, the filings show. The three executives continued to hold tens of thousands of Equifax shares after the transactions.

Equifax said the officials "had no knowledge that an intrusion had occurred" at the time they sold their shares.


News of the cyberattack comes less than three months after the global Petya ransomware attack spread through computers across North America and Europe, affecting 65 countries. Similarly, the massive attack of the 'WannaCry' ransomware virus infected computers around the world in May. 

Computer systems for the IRS, Target, and other government agencies and private companies have also been struck by cyberattacks in recent years. And Yahoo last year disclosed that information from an estimated 500 million of the internet giant's accounts was stolen in 2014.

Atlanta-based Equifax is one of the nation's largest credit-reporting companies, along with Experian and TransUnion. Equifax says it organizes and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and the company's databases hold employee data submitted by more than 7,100 employers.

After discovering the electronic intrusion, Equifax said it hired an independent cybersecurity firm that has since been conducting a forensic investigation aimed at determining the scope of the electronic intrusion and the specific data accessed.

Equifax also reported the attack to law enforcement agencies and is continuing to work with them, the company said.

Not only can hackers potentially gain access to your financial accounts, such as checking and savings accounts and 401(k)s, and withdraw money, "they can use this information to create a new 'you,' " warns Reck.

Creating a new you

Armed with your digital history, hackers can file tax returns using your name and Social Security number to claim a refund. Or file fraudulent medical expense claims. Or attempt to open credit cards, rent an apartment, apply for electric service or get a loan and buy a house in your name without you knowing.

"These types of things can bleed over into your life," says Ulzheimer. That's why he advises people to check their credit reports on a "monthly basis," just like balancing a checkbook.

And while worries about a damaged credit score, hijacked credit cards or thieves opening fraudulent accounts are among the first things cyber-crime victims think of after a data breach becomes public, there are other damaging uses of personal data that they might not be aware of and that are "far more challenging for consumers to detect and more costly and difficult to repair," warns Steven Bearak, CEO of IdentityForce, a Framingham, Mass., firm that offers identity, privacy and credit protection to consumers, businesses and government agencies.

Some examples of non-credit related illegal uses of victims' personal data, Bearak says, include:

* Medical ID theft. With the cost of health care rising, a new trend is for identity thieves to go into hospital emergency rooms with IDs created from stolen data to pay for surgeries and other procedures. This creates all sorts of problems for the identity theft victim, who can get stuck with the balance of the bill, see their insurance deductible used up as well as be stuck with flawed medical records.

* Tax fraud. Fraudsters armed with names, addresses and Social Security numbers are increasingly filing fraudulent tax returns in an effort to profit illegally from refunds. This creates a major headache for the victimized taxpayer, who must resolve the theft with the IRS, wait for a delayed tax return they might desperately need and often pay an accountant to help resolve the issue.

* Synthetic ID theft. In this scam, the fraudster takes different pieces of personal data from numerous victims and blends them all together to "create a new ID," says Bearak. For example, the hacker may use one victim's name, another's Social Security number, another's address, and another's birth date to create a fake identity.

"That one is really hard to detect," says Bearak. "And the new ID impacts many people."

Another risk is that bad guys who steal your data and identity could get arrested, putting unsavory arrests, such as for armed robbery or sexual assault, on your personal record.

Getting your identity back and putting your financial life back in order is frustrating and can take up a lot of time.

"It is very, very time consuming," says Chris Burchett, vice president of client security software at Dell. 

Trying to convince financial institutions that you have been a victim of identity fraud and aren't the one that ran up a fraudulent hospital bill or withdrew every penny from your bank account isn't an easy task, adds Ulzheimer.

"To some extent, you are guilty until you can prove yourself innocent," he says.

