The massive Equifax data breach that’s making national headlines is estimated to impact nearly half of the U.S. population — or roughly 143 million people. While most of the news centers on the consumer identity theft impact, the real story in the financial services ecosystem is what this hack will cost banks, credit unions and issuers.
Let’s start with the basics. From what’s been publicly reported, there’s been 209,000 credit card numbers and 182,000 documents with personal information breached. These cyber thieves also got away with social security numbers, and a slew of other vital personal information that’s used to open up fraudulent accounts and commit identity theft. Limited personal data was also stolen from some UK and Canada residents.
For banks and credit unions, the real threat lies in the hackers’ ability to open fraudulent accounts, new credit cards and even entire lines of credit. This creates an endless trail of credit card fraud that can exponentially impact the rate of which synthetic fraud (accounts created with a fictitious identity) can spread.
This particular breach has garnered widespread attention not just because of the size of the breach, but because of what type of data was hacked. Breaches often involve emails and personal credentials, but when social security numbers are leaked, it takes the breach to the next level. Credit card numbers create an even bigger threat.
“This is massive,” Paul Martini, CEO of Iboss, a cybersecurity firm, told Bloomberg. “This overshadows any other breach that we’ve seen to date -- not just the volume, the size, but the type of data that was in that database.”
According to Equifax’s investigation, the breach occurred between mid-May and July 2017, but said there hasn’t been any unauthorized activity on Equifax's core consumer or commercial credit reporting databases to date. The company discovered the breach on July 29 and said it stopped any immediate threats and engaged a cybersecurity firm to assist with the cleanup.
The Big Picture: The Synthetic Fraud Trail
Synthetic fraud allows hackers to set up accounts in a person’s name that appear to be authentic, but are in fact fictitious. Like the data breached in the Equifax hack, fraudsters need vital information such as social security numbers, addresses, date of birth and credit card numbers to conduct this type of fraud.
As Rippleshot Co-Founder Canh Tran detailed in a recent report on the state of card fraud, the construction of new synthetic IDs is based on combining truthful and false information to build a credit file and then open new accounts. Synthetic fraud is perpetrated at scale by opening hundreds of new accounts, making payments from newly opened accounts, accelerating cycle and ultimate aggregate loss.
What the industry has seen as a result is a $6 billion annual problem with an average fraud loss per account costing $15,000. One bank suffered a $60 million loss from synthetic fraud; one fraud ring was responsible in $200 million in losses alone. With organized groups of hackers gaining steam, synthetic fraud is quickly becoming a rapidly-growing threat across the entire financial services ecosystem.
For CNP merchants, industry experts are projecting the fallout from this breach could last years, as fraud stemming from this data set could continue to spiral into new forms — creating an endless trail for issuers to chase.
Security experts have lauded this type of fraud as the fastest-growing type of identity theft, and is increasingly accounting for a majority of ID theft cases. The reason this type of fraud is more difficult to catch is because the information appears legitimate when presented online to credit card issuers. This is creating more problems for cybersecurity firms, causing many to be concerned about managing IT infrastructure in order to fully protect from the spread of fraud, according to a recent Technology RiskFactor Report.
Even more troubling is how synthetic fraud spreads. Fraudsters have the ability to not only combine real and fake data to create what appears to be legitimate identities, but they can also combine information from multiple parties to make it even harder to follow fraud trails. Because synthetic ID theft involves breaching the information of multiple victims at onces to form an entirely new fictitious ID, this type of fraud is even harder to detect.
As for the full identity theft fraud impact that will occur as a result of this massive breach at Equifax, the full scope is yet to be determined. But like most trends in the fraud ecosystem today, things are about to get worse before they get better — and the rate at which fraud spreads will continue to rise quicker than most financial institutions can keep up with.