On September 7th 2017, Equifax – a consumer credit reporting agency – announced it had been hacked. 143 million American citizens had their data exposed, and 400,000 people in the UK were at risk of a similar fate.
Public data
Following the cyber-attack, Equifax revealed a file containing UK consumer information may have been breached. The file included personal information such as names, dates of birth, email addresses and telephone numbers. Equifax’s UK system had not been affected by the cyber-attack, but information on British consumers had been accessible through its US systems between 2011 and 2016 due to a processing failure.
Raised threat levels
Financial institutions, landlords and a number of businesses draw on data from credit monitoring companies like Equifax to verify consumer identities and assess suitability for loans and leases. The leaked information could be enough for fraudsters to steal a victim’s identity and carry out fraudulent transactions in their name. The breach could also undermine the value of the data held by two other major credit bureaus, Experian and TransUnion, since they hold nearly all the same data as Equifax.
New vulnerabilities
Fraudsters are profiting from the breach by exploiting consumers’ concern about their identities being stolen. On September 14th, the Federal Trade Commission warned of fake calls asking consumers to verify Equifax account information. Variations on phishing scams related to identity theft or the Equifax breach are also being distributed by text or e-mail, promising to help protect personal data.
These ploys have a high success rate:
- They are timely: customers want answers and expect useful information in their inbox
- They blend in with legitimate messages: genuine help and advice is being sent at the same time as the fraudulent messages
- They appear trustworthy: phishing scammers are aware of and capable of emulating the resources victims usually turn to during a security breach
Equifax itself has become vulnerable to phishing attempts. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, where they could enrol in identity theft protection services and receive updates. By choosing a long domain name that did not look official, Equifax left the site open to imitation. Fake versions of the site could be used to phish Equifax customers and steal their personal information.
To illustrate the vulnerability, a developer registered a lookalike site, securityequifax2017.com. The website’s appearance was altered slightly but remained realistic. Proving the point, Equifax itself mistakenly directed users to the fake URL, showing how easy it would have been for a genuine scammer to exploit customers.
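The lookalike problem above (the same words as the official domain, just reordered) is something a brand's security team can screen for in newly registered domains or reported phishing URLs. The following is an added example, not code from Equifax or from the original article: it normalises a URL to its host, splits the domain into word and number tokens with the brand name separated out, and flags domains that reuse the official site's tokens or carry a near-miss of the brand. The official-domain list, the assumption that equifax.com is the brand's primary domain, and the fuzzy-match threshold are constructed for the example.

```python
"""Flag lookalikes of a brand's official domains (constructed example)."""
import difflib
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed official list: equifax.com as the primary domain, plus the
# breach-response site named in the article.
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}
BRAND_TOKENS = {"equifax"}
FUZZY_THRESHOLD = 0.8  # assumption: catches one-character swaps such as 'equlfax'


def host_of(value: str) -> str:
    """Normalise a URL or bare domain to its lowercase host without 'www.'."""
    if "://" not in value:
        value = "//" + value  # urlsplit only parses a netloc after '//'
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def tokens(host: str) -> Counter:
    """Words and numbers in the host minus its last label, with brand names
    split out, so 'securityequifax2017' -> {security, equifax, 2017}.
    (No public-suffix handling; 'co.uk'-style suffixes are out of scope.)"""
    body = host.rsplit(".", 1)[0]
    out = []
    for part in re.findall(r"[a-z]+|\d+", body):
        for brand in BRAND_TOKENS:
            part = part.replace(brand, f" {brand} ")
        out.extend(part.split())
    return Counter(out)


def lookalike_risk(value: str, official=OFFICIAL_DOMAINS) -> str:
    """Classify a URL/domain: official, same-tokens, brand-lookalike or unrelated."""
    host = host_of(value)
    if host in official:
        return "official"
    toks = tokens(host)
    # Same multiset of words as an official site, reordered or re-punctuated.
    if any(toks == tokens(o) for o in official):
        return "same-tokens"
    # Any token that is the brand name or a close misspelling of it.
    for tok in toks:
        for brand in BRAND_TOKENS:
            if difflib.SequenceMatcher(None, tok, brand).ratio() >= FUZZY_THRESHOLD:
                return "brand-lookalike"
    return "unrelated"
```

Run it over a registrar feed or a list of URLs reported by customers; "same-tokens" hits are the ones that would have caught securityequifax2017.com.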