When a data breach occurs, the full impact of the incident usually takes a few months to realize the potential impact. This has certainly been the case for the Equifax breach that was first discovered last summer. This week, the credit reporting agency announced that another 2.4 millions Americans were discovered to have been impacted by last year’s breach.
This is the second time the company has announced more affected consumers, bringing the estimated total impacted to roughly 147.9 million Americans. This is the largest data breach of personal information to date.
Since the breach was discovered, the company has been relying on a forensic examination of the incident to determine the number of Social Security Numbers, credit card credentials and names that were leaked as part of the cybersecurity breach. As part of their deeper investigation, forensics experts determined that some consumers had SSNs stolen separately from their driver’s license information. The discovery of this new information revealed that more consumers were impacted than initially discovered.
"This is not about newly discovered stolen data," said Paulino do Rego Barros, Jr., Interim Chief Executive Officer. "It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals."
Equifax announced they will notify the newly identified U.S. consumers directly, offer ID theft protection and free credit file monitoring.
"We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack," Barros said in a prepared statement. "We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network."
In the wake of this news U.S. Senator Elizabeth Warren was critical of the credit reporting agency for not going enough to protect consumers, which could in turn cause them to actually profit from the breach.
“Equifax may actually make money off this breach because it sells all these credit-protection devices, and even consumers who say, ‘Hey, I’m never doing business with Equifax again’ –well, good for you, but you go buy credit protection from someone else, they very well may be using Equifax to do the back office part,” Warren said in an interview with Marketplace. “So Equifax is still making money off their own breach.”
"I spent five months investigating the Equifax breach and found the company failed to disclose the full extent of the hack," Warren said in a statement Thursday. "Enough is enough. We have to start holding the credit reporting industry accountable."
Efforts to gather information about what happened in the Equifax breach has become a bipartisan effort, which includes efforts from Republican leader of the House Energy and Commerce Committee, U.S. Rep. Greg Walden of Oregon, who said he has requested multiple times for Equifax documents related to the investigation. He claims Equifax has only provided the committee partial responses to requests.
"We now are requesting a briefing with Mandiant, the third-party company responsible for investigating the breach," said Walden and Rep. Bob Latta (R-Ohio), leaders of a subcommittee on digital commerce and consumer protection. “The American people deserve to know what went wrong, and our investigation will continue in full force until there are answers."
The fallout of the Equifax breach will continue to have a longstanding impact on the financial services world for years. From the reissuing costs of breached cards, to tracking synthetic fraud. the true costs won't be known for some time.
Synthetic fraud allows hackers to set up accounts in a person’s name that appear to be authentic, but are in fact fictitious. The construction of new synthetic IDs is based on combining truthful and false information to build a credit file and then open new accounts, which is perpetrated at scale by opening hundreds of new accounts.
Since they don’t need as much personal information as credit card fraud, cyber criminals have shifted their attention to this type of fraud. For example, by combining a legitimate SSN with a fake name, or by using a inactive social security number with a real name, or even a fake name and SSN, an entirely new identity can be created. From there, fraudsters begin to open up lines of credit and credit cards under these synthetic identities.
How the Equifax breach impacts banks and credit unions boils down to how they are equipped to detect, manage and fight fraud — and the spread of fraudulent purchases and accounts. Detecting fraud faster matters now more than ever. This new breach will cause the rate of fraud to spread faster, and will be more difficult to manage once a customer’s account becomes compromised.
For CNP merchants, industry experts are projecting the fallout from this breach could last years, as fraud stemming from this data set could continue to spiral into new forms — creating an endless trail for issuers to chase.