The criminals who targeted Equifax Inc. and pulled off one of the biggest hacks in history probably had a less aggressive goal than accessing consumers' personal data: stealing their credit card numbers.
According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers — or half the U.S. population — at risk.
The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax's corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver's license numbers and other sensitive information, Equifax said Thursday in a statement.
Active credit card numbers can fetch higher prices on the dark web than even those other types of more revealing personal data, because they are usable immediately and without much additional work.
But investigators have not yet determined whether financial fraud was the attackers' only goal, another person familiar with the investigation said. Some of the hackers' behavior on Equifax's network suggested that once they were inside, they sought financial and personal information on particular individuals, which is more commonly associated with higher-level forms of identity theft and espionage. Both people said it's possible there may have been multiple motivations and possibly phases of the attack.
Equifax is one of the three biggest credit-reporting companies, a super-powerful entity that generated $3.1 billion in revenue last year operating behind the scenes helping banks, insurers and employers assess people's creditworthiness for loans, jobs and credit cards. The hack tanked the company's shares, along with those of its main rival. Equifax fell 15% to $121.90 at 10:58 a.m. in New York, while TransUnion slid 4.3% to $47.25.
It's a stark reminder of the mounting risks that consumers' personal data will be exposed to online, security experts said, and particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information. On Thursday evening, a proposed class-action lawsuit was filed in Portland, Ore., federal court, alleging Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.
"This is massive," said Paul Martini, chief executive officer of Iboss, a cybersecurity firm. "This overshadows any other breach that we've seen to date — not just the volume, the size, but the type of data that was in that database."
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It's also offering free credit-file monitoring and identity-theft protection. But customers balked after being asked to enter the kind of information they're often warned not to reveal online, in this case a combination of their last names and the last six digits of their Social Security numbers.
Criminals took advantage of a "U.S. website application vulnerability to gain access to certain files" from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.
Equifax's Global Consumer Solutions division, which stores consumers' credit card numbers for the recurring identity-theft protection charges, is the smallest of the company's business lines, accounting for $402.6 million in revenue last year, just 13% of Equifax's total. More than a third of the company's revenue comes from its U.S. Information Solutions group, which generated $1.24 billion last year selling consumer and credit data.
"You would expect these guys to have compartmentalized this data far enough away from a web server — that there would not be any way to directly access it," said Tim Crosby, senior consultant with security-assessment firm Spohn.
The Federal Bureau of Investigation said in a statement that it was aware of the hacking incident and was "tracking the situation as appropriate."
Equifax and the other large credit-data brokers — U.K.-based Experian Plc and Chicago-based TransUnion — have fought a public-relations and regulatory battle for years to present themselves as responsible stewards of the personal information of hundreds of millions of Americans. Critics including U.S. Senator Elizabeth Warren, a Massachusetts Democrat, have taken aim at errors that affect people's ability to secure home loans, credit cards and reasonable interest rates.
U.S. Senator Mark Warner, a Virginia Democrat, said the attack should spur renewed interest in stronger data-breach notification standards as well as policies to improve the protection of consumers' data.
"It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans," Warner said in a statement.
Concerns about their digital security have periodically come into focus, in high-profile breaches including an incident in 2013 in which all three companies said they uncovered cases where hackers used personal information on famous people from Michelle Obama to Paris Hilton to access their credit reports and post the documents online. That year, cybersecurity reporter and blogger Brian Krebs published an account of how an identity thief in Vietnam ran a service that helped others access millions of Americans' credit reports from Experian, via a subsidiary company.
When breaches have occurred, they often aren't widely known. Some of the credit companies have disclosed security breaches in the quietest way possible — by alerting affected consumers directly, by mail — as required under state breach-disclosure laws, but not issuing wider public statements to consumers or investors. Bloomberg News reported in 2012 that Experian was breached 86 times via accounts at clients such as banks or auto dealers, with hackers downloading in some cases hundreds of credit reports while the businesses were closed.
The attack reported Thursday is the most high-profile cybersecurity breach since online portal Yahoo announced two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.
Financial Industry Impact
Equifax's breach will test measures the financial industry has rolled out to prevent thieves from abusing troves of stolen credit-card numbers. A few years ago, banks in the U.S. began embedding computer chips on cards to prevent criminals from forging their own with much simpler magnetic stripes.
The underlying technology — called EMV for founders Europay, MasterCard and Visa — generates new codes for each transaction. The codes on stripes are static, making them susceptible to duplication. Still, stolen card numbers can be useful at cash registers that don't accept chips or for shopping online.
The Equifax breach also may open the way for another type of fraud called synthetic identity theft. Typically, fraudsters mix stolen Social Security numbers, and potentially other information from the owners, with a borrowed mailing address and apply for new credit cards that they control. Some patient con artists even use the new personas to seek additional credit cards or loans, then max them all out at once, potentially making off with tens of thousands of dollars.
Banks typically pick up the cost when thieves abuse stolen card numbers, assuming it's caught promptly. The expenses can add up fast.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax CEO Richard Smith said.