No data breach is good, but some are more palatable than others. We would all rather hear that our florist got hacked than, say, our bank.
And the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. We can now add the massive credit reporting agency Equifax to that list.
On Thursday, the company disclosed that a data breach it discovered on July 29 may have impacted as many as 143 million consumers in the United States. Equifax is one of the three main organizations in the US that calculate credit scores, so it has access to an extraordinary amount of personal and financial data for virtually every American adult. The company says that hackers accessed data between mid-May and July through a vulnerability in a web application. Attackers got their hands on names, Social Security numbers, birth dates, addresses, some driver’s license numbers, and about 209,000 credit card numbers. 182,000 “dispute documents,” essentially complaint submissions that include personal identifying data, were also compromised in the breach.
All told, as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers. “When this type of stuff happens, it’s like oh, crap,” says Alex McGeorge, the head of threat intelligence at the security firm Immunity. “Your Social Security number doesn’t change, so this data is going to get resold on the black market and hold its value for a while.” Assuming data was stolen by criminals and not a nation state, experts predict that it will circulate for years.