On Thursday, the consumer credit reporting agency Equifax announced a massive data breach affecting 143 million U.S. consumers, and today several actors on the dark web and Twitter are claiming to have the data for sale.
Equifax said the breach was caused by a website application vulnerability that gave malicious actors access to sensitive data from mid-May until the intrusion was detected on July 29. The stolen data includes consumers’ Social Security numbers, dates of birth and addresses, as well as the credit card numbers of 209,000 consumers, dispute documents with personal identifying information for another 182,000 consumers, and an unreported number of driver’s license numbers. In addition, the company said that “limited personal information for certain UK and Canadian residents” was also compromised.
Breach Causes Authentication Concerns
The breach is one of the largest in recent memory, and the type of information that was stolen is a treasure trove for cybercriminals looking to carry out fraudulent activities in the future. As SurfWatch Labs chief security strategist Adam Meyer noted, the type of information that Equifax holds is often used for authentication purposes as well.
“You will see plenty of commentary regarding tax and various banking fraud scenarios, but there is one area that concerns me more, and that is the credit-based identity space,” Meyer said, referring to the types of questions that are pulled from consumers’ credit reports for knowledge-based authentication. “While full credit report information has not been disclosed as being compromised, it is possible that what has been compromised can still help with that authentication process. When you call a help desk for a transaction, what do they use to authenticate you? Name, address, Social Security numbers — all the same information that was just breached on a massive scale.”
Meyer also noted that if malicious actors could leverage this information to get even more data and answer more knowledge-based authentication questions, it could be a problem for organizations.
“Aside from the obvious impacts of PII being leveraged as it has in the past, I am worried that this particular breach has an impact to a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud that are all integrated,” Meyer said. “These are services that support employment verification, social services verification, identity proofing as they call it. The strength in this authentication is the fact that only the user should know this information when challenged; however, with this breach approximately 60 percent of the working age U.S. population’s PII could be out there and available to use [by malicious actors] to potentially authenticate [as those users].”
Actors Claim to Have Equifax Data
SurfWatch Labs’ team of analysts has observed several actors claiming to be in possession of the breached Equifax data, although we do not have much confidence in their legitimacy at this point.
One website on the dark web is threatening to publish all of the stolen data except credit card information if they don’t receive 600 bitcoins (approximately $2.6 million) in ransom by September 15.
“Equifax executives sold 3 million dollars in shares taking advantage of their insider information after the attack,” the actors behind the site wrote in justifying their exorbitant ransom demand.
However, Bloomberg reported that the shares sold by three senior executives several days following the breach totalled $1.8 million and that the executives said they were not aware of the breach at the time of the sale.
Researchers have also discovered other users claiming to have data for sale, such as this Twitter user. However, we again caution that this sale is likely not legitimate.
Scams on the Horizon
The claims of having the data so far may well be scams, but that should come as no surprise. As we noted last week about Hurricane Harvey scams, malicious actors will attempt to exploit any event or news story that grabs the attention of a large group of people. With 143 million people affected by the incident, scammers who gain access to the breached data will have an enormous group of engaged victims that they can exploit through emails, phone calls and other social engineering means in the coming days, weeks and months. In fact, those scammers may already have enough data to open fraudulent accounts and lines of credit, or carry out other forms of identity theft.
In addition, the data could be used to add legitimacy to a number of other scams.
For example, one could easily imagine a simple scam where malicious actors impersonate Equifax representatives enrolling victims in identity theft services and gain credibility by providing actual Social Security numbers and driver’s license numbers to “confirm” victims’ identities — before using that gained trust to pivot to other scam opportunities.
Leaked Data Could Lead to Additional Incidents
It’s also worth stressing, yet again, that there is no right to be forgotten in the cybercriminal world. As we noted in our 2016 Cyber Trends Report, once your data is exposed, it will likely forever remain in the cybercriminal domain. With this new Equifax breach, the pool of compromised information that can be leveraged by malicious actors grows deeper and the ripple effect of that breach will likely widen to impact more organizations in the future.
In addition, as Meyer noted, Equifax offers authentication services that include knowledge-based authentication, and the leaked Social Security numbers, driver’s license numbers and other sensitive information could be used as a stepping stone in further breaches, he warned.
“My worry is that with this information a malicious actor could authenticate to a service like this using the already disclosed information [from the Equifax breach] and with just some public information sleuthing and maybe a good guess or two could answer the credit report follow up questions and likely pass go more often than not, especially when there is 145 million records available,” Meyer said.
Equifax has provided a website with more information about the breach, as well as the ability to check whether you are affected and to receive a future date to enroll in an identity protection service. It’s worth noting that Equifax is requiring consumers to enter both their last name and the last six digits of their Social Security number to enroll, rather than the typical last four digits — reinforcing the idea that as more data gets leaked, proper authentication becomes more difficult.
As Meyer said, “With this I get the constant sense of déjà vu, maybe it is breach fatigue, or maybe it’s the fact that we all should never have to pay for credit monitoring again in our lifetime because our PII has been breached so many times.”