In the wake of the massive breach of credit reporting firm Equifax, which may affect as many as 143 million consumers in the United States, a majority of Americans need to brace for the likelihood their personal information will be sold online.
The stolen information—which includes the credit card numbers of at least 209,000 consumers, personally identifying information of more than 182,000 and may include social security numbers, driver’s license numbers, addresses and names of as many as 143 million—unquestionably has value on the dark web, where stolen data is regularly traded.
While the data doesn’t appear to have surfaced yet despite the considerable amount of publicity generated by the announcement of the breach, most experts believe the sale of the information is inevitable one way or another.
Patrick Tiquet, the director of security and architecture at Keeper Security, told International Business Times the wealth of information represents a major payday for whoever is in possession of it—and could be a lasting source of income for the hackers who stole it.
“I would expect that the stolen credit card numbers would be the most likely to be quickly used or sold on the Dark Web by the attackers, as this information is most likely to become stale as consumers and credit card companies cancel the compromised card numbers,” Tiquet said.
As for other personally identifiable information such as driver’s license numbers and Social Security numbers, Tiquet said there is much less of a rush to move that information as it has a much longer shelf life.
“The other information...is likely to be valid for years or decades. This information could be slowly sold on the Dark Web for years to come,” he said.
Emily Wilson, the director of analysis at data intelligence firm Terbium Labs, told IBT those data points are valuable because of what they are, not what breach they came from. While Equifax may be in the headlines now, that information will have the same value on dark web marketplaces long after the fallout of the hack.
“The Equifax breach is uniquely damaging because we're not dealing with usernames and passwords,” Wilson said. “These are not things that can be easily changed or damages that can be easily mitigated. Names, birth dates, Social Security numbers—this is lifetime data.”
Because of the scope of the breach and the inherent value of the information to the buyers and sellers operating on the dark web, it is essentially a given that this data will be sold and shared online. “We absolutely expect to see this information appear on the dark web in the future,” Wilson said.
Unfortunately, that means a majority of Americans now have to go on the defensive in order to secure their information—a task that may be easier said than done.
“This is one of those cases where there is unfortunately really nothing consumers can do except be vigilant,” Ondrej Vlcek, the chief technology officer and general manager of consumer business at security firm Avast, told IBT.
He advised consumers to closely monitor the activity on all of their accounts, including email, social media, credit cards and banking. Suspicious activity can show up at any time and—given the depth of this hack and the wealth of information already available online from previous hacks—may occur in ways that people don’t expect or are designed to avoid detection.
Chris Doman, threat engineer at AlienVault, offered a similar sense of inevitability in his analysis. “Unfortunately, in this case, there isn't much customers can do. Now that the data is out there, it’s out there,” he said.
Consumers can take Equifax up on an offer of one year of free credit monitoring and additional protections that promise to alert them if their information appears online, but the offer has drawn skepticism.
First, the website set up by Equifax to allow consumers to check if they are at risk asks consumers to provide the last six digits of their Social Security number—a data point they are likely less than thrilled to share with a company that just exposed hundreds of thousands if not millions of that very piece of information.
Also raising suspicions among users is the fact the Equifax site seems to tell visitors their information was affected by the breach no matter what they enter into the tool. Entering “Test” as a name and “123456” as a Social Security number produces a warning that the user is affected by the breach, for example.
There’s good reason for Equifax to want to get as many people to opt into its first year of credit monitoring as possible; after the free year of protection of the company’s TrustedID Premier service, victims of the breach may have their membership automatically renewed—which they will then have to pay for.
Doman called it ironic that Equifax was offering free credit monitoring as it’s “a growing service of theirs in response to other cyber security breaches,” and said “frankly, I wouldn't take them up on the offer as they aren't capable of protecting the additional data you would need to give them.”
Likewise, Heidi Shay—a senior analyst at market research firm Forrester—advised against using Equifax’s service. “If you want monitoring (including for children), either pay for it from another provider or explore other avenues where you can obtain it for free: employer benefits, alumni organizations, credit card companies, etc.,” she said.
Shay also suggested users contemplate a credit freeze if they know they are definitely affected by the Equifax breach. Credit freezes restrict access to a person’s credit report, which makes it more difficult for identity thieves and other malicious actors to open new accounts in the victim’s name.
To place a freeze on an account, consumers will have to contact nationwide credit reporting companies including Equifax, Experian and TransUnion. They will have to provide the firms with their name, address, date of birth, Social Security number and other personal information, plus pay a small fee in order to enact the freeze.
Consumers are also advised to examine carefully any sites, services and messages offering help in response to the data breach. An attack of this size is sure to spark fakes attempting to gather additional information from potential victims, including login credentials to other accounts.
“Don't respond directly to emails and other messages notifying you that you're a victim. They may be scams,” Vlcek of Avast said. “Instead, open up a new tab and log in directly to the site in question, or call the support center number listed on their site.”
Most important for consumers is to simply stay engaged and on top of their accounts, especially those with valuable personal and financial information. The Equifax breach is sure to lead to a number of other scams and attacks. Those aftershocks can come long after the initial attack and be much more devastating to individuals.
Adam Meyer, the chief security strategist at threat intelligence firm SurfWatch Labs, told IBT there will surely be a number of tax and banking fraud scenarios as a result of the Equifax breach. He also said he was concerned about how the hack will affect authentication in the near and long term.
“This particular breach will impact a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud,” Meyer said. “These are services that support employment verification, social services verification—identity ‘proofing’ as they call it.”
Meyer explained the strength of such authentication systems is the fact that only the user should know the information, but now that data may be floating around for malicious actors to make use of.
This breach and the attacks that will follow may cause a case of “breach fatigue” for victims and consumers, but it is essential that people not take the attacks lightly. It is their information that has been exposed and their financial well-being that has now been put at risk.
Matt Schulz, a senior industry analyst at CreditCards.com, said users should start checking their financial accounts like they do their social media accounts—or, at a minimum, peek at their bank and credit card statements at least once a week.
“It's easy to do, doesn't take long and can help you spot problems before they get out of control,” he said.
“Remember that no one cares as much about your money as you do, and you are ultimately your last line of defense against fraud. Check your credit card statements and bank statements, examine your credit reports from all the bureaus, and as the saying goes, if you see something, say something,” Schulz said. “You'll be glad you did.”
Additionally, going forward, consumers can help protect against having their data exposed in a breach by being more cautious about who they hand their information over to.
Shay at Forrester said consumers should start demanding companies provide a choice for consent when they share their information and clarity about how their information will be collected and used. “Those who do not or will not [provide that information], do not deserve your business,” she said.