The sheer size of the recent Equifax breach—affecting nearly half of all Americans and potentially more than half of those over 18—is staggering. It is the nature of the breach, however, and the type of information taken, that gives the greatest pause.
Hackers stole from Equifax the “holy trinity” of PII: name, date of birth, and SSN. Add to that home address (which was compromised) and driver’s license number (which was compromised for some of the affected individuals) and you have a perfect storm for a massive wave of identity theft. It should not take long (if it hasn’t occurred already) for stolen PII re-sellers to vet and sort this information, and then package it into discrete data sets for sale to anyone with a Tor browser. (A Tor browser is specifically enabled to access the dark web, and is available publicly.) Indeed, big-data analytics and value-add PII processing and reselling are established and thriving businesses on the dark web.
What does this mean for your organization? If you have individual customers or employees, potentially a great deal. The type of PII that has been compromised forms the core of how many organizations verify identity. Add to that the other information, such as e-mail address and password, that can be easily purchased on the dark web and then machine-correlated with the PII taken from Equifax, and many of us are left to reconsider our identity verification procedures.
At a minimum, organizations of all shapes and sizes—especially financial institutions—are likely to be flooded with calls from customers concerned about whether their credit reporting information has been compromised. (Equifax has reported that credit reporting information was not compromised in the breach.) Also, entities with affected customers or employees should consider updating their cyber risk assessment in light of this massive PII compromise. Many organizations may already have compensating controls in place, such as multi-factor or risk-based authentication, that mitigate any effect of this new sea of PII available on the black market. At a minimum, it pays to identify that fact, and thereby justify no additional action in relation to the breach, if that’s the path the entity chooses. Others may not have compensating controls in place, and may want to consider them, again as part of crucially important, base-line risk assessment.
The lesson to take from all of this is that a cyber risk assessment is not an annual rote exercise to put in a binder until the next assessment date comes along. It is a living document that organizations need to review and potentially revise when circumstances and threats demand. Will the Equifax breach affect your organization? Your risk assessment should be able to tell you. It will either give you comfort or be the alarm bell alerting you to action. If you haven’t yet done a comprehensive cyber risk assessment, you may never know the effect that the Equifax breach, or the next breach, will have on you.