Yes, there will be some tax and banking fraud as a result of the gargantuan data breach at Equifax. The biggest impact, however, will be felt by enterprises that rely on credit reporting bureaus to verify the identity of people they are doing business with.
Think employment verification, social services verification, and other forms of identity verification that rely on credit reports. These services depend on the idea that only the individual knows all the details used to verify identity, but that assumption requires ignoring the sheer amount of personally identifiable information (PII) that has been exposed over the past few years. Between the breaches at the Office of Personnel Management and Anthem and scores of others at universities, retailers, enterprises, and healthcare organizations over the last two years, a lot of PII is available for criminals to use.
“Armed with stolen, up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account,” Gartner distinguished analyst Avivah Litan wrote on the Gartner Research blog.
As previously reported, unknown attackers exploited a vulnerability in an Equifax web application and accessed personal information for up to 143 million individuals, including Social Security numbers, personal names and addresses, and in some cases driver’s license numbers. The attackers had unauthorized access from mid-May to July of this year, Equifax said in its statement disclosing the breach. The bulk of the attention so far has focused on the potential for identity theft and criminals opening new accounts using victim information, but Litan said she does not expect to see massive fraud as a result of the data theft.
“Based on what I’ve seen in the past, I would estimate that less than 5 percent of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime,” Litan said. What’s more likely is that stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, and retirement accounts. Call centers and online systems rely on these pieces of information to verify identity when conducting high-risk transactions, such as moving money across accounts or changing the information associated with the account.
“It makes no sense to solely rely on static personally identifiable information to identify an individual a business is engaged with when there is a greater than 50 percent chance that data is in criminal hands,” Litan said.
The digital ecosystem relies on a complex web of trust, and a weakness in one of the players can impact everyone else. The United States consumer credit system is heavily reliant on the credit bureaus to act as a “backstop for digital identities,” said Patrick Harding, CTO of identity management provider Ping Identity. With the information in the wrong hands, one of the main authentication systems organizations—especially those in the financial services industry—depend on breaks down because they can no longer trust the results.