Equifax disclosed on Thursday that hackers had breached their systems and stolen personal information of about 143 million U.S. consumers. The credit reporting company said that hackers gained access to consumers’ names, social security numbers, birth dates, addresses and driver’s license numbers. The cybercriminals also obtained 182,000 dispute documents with personal identifying information and credit card numbers for an estimated 209,000 consumers. The Equifax breach raises an important question. With the number and frequency of massive data breaches over the last few years, is identity theft protection no longer a good-to-have?
In the statement released by Equifax, the cybercriminals breached a U.S. website and accessed the data from the middle of May this year. And the company only discovered the hack on 29 July. This is worrisome as sensitive information of affected consumers may have been exposed to fraud for more than ten weeks prior to discovery, and another six weeks before they are informed. Equifax earned some well-deserved criticisms for taking their time before informing the victims and the ill-equipped handling of concerned consumers.
Need for identity theft protection
To get more insights into the Equifax breach and how consumers can better protect themselves from identity theft, we spoke with Paige Schaffer, President & COO at the Identity and Digital Protection Services Global Unit of Generali Global Assistance.
We hear about hacks all the time. How is the Equifax breach significant in terms of the extent of damage to those affected?
In the last couple of years, we’ve definitely seen large-scale breaches, but the Equifax breach is a bit different for a couple reasons. First, the sheer number of people that are affected is significant: records of approximately 143 million U.S. consumers were leaked (that’s roughly 44% of the population). The information hacked included names, Social Security numbers, birth dates, addresses, and even driver’s license numbers. On top of that, another almost 400,000 people had their credit card numbers or dispute documents containing sensitive personally identifiable information (PII) accessed. The risk posed for those impacted is significantly greater in this breach because of how sensitive this type of data is; it’s not as simple as just changing your passwords to some online accounts or getting a new credit card. In this case, the potential ramifications are endless – victims may potentially see account takeovers, loan – fraud, tax fraud, employment fraud, and the list goes on.
This is the third time in recent times that Equifax companies have been hacked. In your opinion, why are some companies targeted again and again? And what should these companies be doing different to avoid being targeted again and again?
By nature of the business, a credit reporting agency is going to be a very data-rich environment. The treasure trove of personal data that they store is always going to be highly attractive to hackers. Unfortunately, there’s not much they can do as far as being targeted again. Obviously, it’s important for all companies that operate in this type of environment to strengthen their security procedures and always be at the forefront of implementing new data security technologies. Other businesses – specifically those that have the choice of collecting some PII – can definitely learn from this. Companies that store consumers’ Social Security numbers, addresses, dates of birth, driver’s license numbers, or any combination of this type of sensitive data, are going to be more of a target to hackers. A good rule of thumb is: if you don’t absolutely need specific pieces of PII, don’t collect it. In the end, the more data you have, the more attractive you will be to attackers.