A light blue lock is surrounded by blue numbers and letters overlaying each other on a black background.

Equifax hack is a whole new level of bad, says WPI professor

Attackers have their hands on everything they need to steal identity from nearly half of Americans
September 13, 2017

When Target Corp. and The Home Depot, Inc. were both hacked in 2014, more than 120 million records were stolen.

That’s nothing compared to the Equifax, Inc. hack.

In terms of how much risk Americans are in right now, there’s absolutely no comparison to previous hacks where credit card numbers were stolen, according to Craig Shue, associate professor in the Computer Science department and the Cyber Security program at WPI.

Craig Shue, PhD
Craig Shue

“Most attacks, like the one on Target, are mostly about stolen credit card data,” says Shue. “You identify any fraudulent charges on your account and they’re refunded. You get a new card. For the card holder, it’s not that big an issue. But the Equifax breach is a completely different ballpark.

“The severity of the Equifax hack is due to the type of information they’re holding,” he added. “They are holding all the information someone needs to steal your identity. … This is the crown jewels of breaches.”

On Sept. 7, Equifax, one of the major credit reporting agencies in the United States, reported that the personal data of 143 million Americans—that’s 44 percent of the country—was potentially compromised in a cybersecurity attack that happened from mid-May through July this year.

The data that now sits in the hackers’ hands includes names, Social Security numbers, addresses, birthdates, and even driver’s license numbers in some cases. 

It’s the perfect brew of information for attackers to use to steal someone’s identity and clean out their bank accounts, take out loans in their names, get copies of their birth certificates and passports, and take out credit cards and buy anything from sneakers to furniture and boats.

The hackers could use this information over the next several months, or even years, to slowly attack U.S. consumers, or they could release the information en masse and cause nationwide panic, notes Shue. They also could sell the highly valuable information to governments or other criminal groups.

“What’s particularly frightening is this is all the information anybody needs to verify who you are,” says Shue, who has worked as a cybersecurity research scientist at the Oak Ridge National Laboratory. “How do you prove who you are? The information you need to do that is now out there. An adversary with this information could convince the government to give them a certified copy of your birth certificate, a reissued social security card, and even a replacement driver’s license. They could reconstruct your entire identity.”

Equifax has not released any specifics on the hack other than saying criminals exploited a website application vulnerability.

"This is the crown jewels of breaches." -Craig Shue

Any company could be targeted by hackers, but when that company holds such critical information on so many millions of people, they need to have better cybersecurity than an average company, Shue contends.

“There are certain entities in the world that exist to be trusted,” says Shue. “Equifax is one of them. They are a juicy target because of the information they have. Every financial institution, or credit reporting bureau, knows they’re going to be targeted given the information they have.”

Shue says he was surprised the hackers made off with so much information before any security administrators at Equifax took notice. With that much data—highly sensitive data—moving out the cyber door, alarms should have been going off.

“It’s like seeing a lot of money coming out of a bank vault. You’d notice that, right?” he says. “In this instance, someone took an entire copy of everything in the vault before anyone noticed. That speaks volumes about their security.”

Any company, at the least should be keeping its software up to date and monitoring network communications within its systems and with the outside world.

The attack on Equifax also points out the need to figure out a better way to identify people.

“We’ve been using Social Security numbers like they’re some sort of super secret identification,” says Shue. “The problem is you can never get a new one if it gets compromised. If we insist that we use a government identification number, you should be able to get a new one if it’s been compromised. But society is simply not there yet.”

- By Sharon Gaudin

PROFILE(S)

What to do and what to avoid to help protect yourself from identity theft

After the Equifax hack, who should be worried about their identifying information being in the hands of bad guys?

 

The answer is, "almost everyone," according to Craig Shue.

 

“Here’s the easiest way to think about it,” he says. “If you have applied for any kind of loan or a credit card, then you have a credit report. If you have a credit report, your information has probably been lost.”

 

What should people do to protect themselves?

The problem, according to Shue, is that there isn’t much that will help at this point.

 

Equifax itself has set up a website designed to help people find out if their information has been compromised. Shue doesn’t recommend using it.

 

“You can check if you’ve been breached but the site has been found to be returning random results,” he explains. “Put in your information and get an answer. Put in your information again and you might get a different answer. It’s not reliable. We simply cannot trust it to give you the right answer.”

 

He also notes that giving Equifax any information, when it’s unclear exactly how they were breached or if that breach was closed, is just a bad idea.

 

“This is an organization that has proven they don’t do cybersecurity right,” he says. “Why would you give them your information again?”

 

Shue recommends that people go to the top three credit agencies, which include Equifax, Experian, and TransUnion, and put a credit freeze on their accounts. He also advised adding a fourth credit agency—Innovis—to that list.

 

“A credit freeze means you’re telling the agencies that you don’t want anyone to get access to your credit reporting account,” he explains. “If a person wants to steal your identity and create a fraudulent account, they’ll go to a lender and the lender will check your credit. With a credit freeze, the lender won’t be able to access your credit score so they won’t give out a loan.”

 

Shue warns, though, that once someone creates a credit freeze, they’ll get an identification number so they can unlock their account when they need to use it.

 

If they lose that identification number, it’s going to be much harder to reopen that credit report. “Do not lose that information,” he warns.

 

People also need to be more vigilant now.

 

Check bank statements for anything unusual. Keep an eye on your credit. Take note if any of your statements or utility bills go missing from your mail.

 

“It’s the same practices everyone should be following all the time,” says Shue. “This is part of being a consumer in the United States. Everyone should have been doing that before the Equifax breach, but we all need heightened vigilance now.”