Last Thursday, Equifax made public news that it had been sitting on for nearly six weeks: at the end of July, at least 143 million individuals in the United States, United Kingdom, and Canada had their personal information compromised. Almost a week later, we still don’t yet know the full extent of the breach or what other Equifax-held data may have been exposed. Reports continue to roll in with updates about, among other things, the number of individuals impacted around the world and additional systems that may have also been compromised (most recently an Argentinian Equifax service storing dispute data in plaintext under the auspicious username/password combination of “admin/admin”).
Equifax Data on the Dark Web
Less than 12 hours after the news broke about the Equifax breach, a new Tor Hidden Service popped up claiming to have the full data set. These vendors, bold in their yet entirely unsubstantiated claims, are asking 600BTC before September 15th to stop the data set being released in full. Undoubtedly we will all be very surprised when the site, and the claims, disappear into the mist.
These vendors won’t be the last to claim possession of the Equifax data to capitalize on the attention the breach will receive in the coming years. The dark web operates on the same marketing premises as the clear web; give the people what they want, give it to them first, and give it to them better. Interested buyers and nosy newcomers will spend the next few weeks with a watchful eye on anyone claiming to have the data, looking to be the first to exploit the trove of newly exposed personal information. As with every other part of the internet, claims on the dark web cannot be blindly trusted. Vendors are looking to make money, and they will take advantage of every opportunity to do so. In the last day, another Tor Hidden Service appeared calling out the first site and claiming to have the real data on hand.
In time, though, we will inevitably see the Equifax data begin to appear. The data types exposed here - names, SSNs, addresses, credit cards - are not valuable because they came from Equifax. They’re valuable because of the myriad ways buyers can capitalize on the information. As with other data sets we’ve seen appear before, the data will be marketed and remarketed, shared and reshared, renamed, repackaged, and mixed with other data.
How Bad Is It?
The short answer? It’s bad. Unlike other breaches involving usernames and passwords, or smaller sub-sets of personal information, we are now discussing a data set that could expose as much as 67% of the UK population and more than half of the adults in the United States. This is substantial exposure; we have to consider the shelf life of most of this data not in months or years, but in decades. We continue to see updates about other potential data exposures, and Equifax itself does not seem to have a firm grasp on how many individuals have been hit or which individuals have actually had their information compromised.
Most of the data involved are not things that can be easily changed, and the potential damage here cannot be easily mitigated. Names, birth dates, Social Security numbers—this is lifetime data. Consumers are at a loss for what to do in the wake of this new exposure, as the only option available to them remains constant and ongoing vigilance and, at best, a credit freeze.
Names, birth dates, Social Security numbers—this is lifetime data.
Individuals are not the only one being impacted. As we’ve discussed previously, companies are not limited to absorbing damages originating from their own unique data losses; organizations will feel the impact of the Equifax data breach acutely over time too. The individuals exposed by this breach are also employees, customers, board members, executives of other companies. The same data that can be used to exploit people in their personal lives can easily translate to corporate damage in the right hands.
Long after the exposed credit cards are flagged and deactivated, people will continue to have to live with this data; they will still have their names and their birthdates, their addresses and their Social Security Numbers. Over time, that information will appear online and begin to circulate, adding to the mix of personal information already available. Companies now have additional risks to consider: which of my current or future employees have exposed information? Which of my customers are going to face account compromise because of a leak I had nothing to do with? Is this going to impact our operational or even our physical security?
The information security community may have a few hopeful moments of this breach being the catalyst to revitalize conversations about the use of Social Security Numbers as both irrefutable identifiers and widely circulated information, or perhaps larger legislative conversations about Equifax’s investigation and thoroughly questionable disclosure and remediation processes. At the end of the day, it’s unlikely either of these will gain the traction necessary to make real changes. The damage is done, and the fallout is just beginning.