In Part 1 of our blog on the Equifax data breach, we discussed how consumers are – and will continue to be – affected by the hack and what each of us needs to do to secure our sensitive personal information.
Today we look at the organizations that will ultimately be left holding the bag – the card associations, the banks and the credit unions. These are the companies that will be on the hook for purchases made with stolen credit card numbers, for accounts opened under stolen identities, and for a myriad of financial transactions that can now be made using this consumer information.
To Recap What we Know (and the Story is Still Developing….)
Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. And there are new developments.
- The official list of victim countries may not yet be complete. According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — and potentially other Latin American nations where it does business — to the list as well.
- Bank Info Security also reported that investigators with Hold Security, a Wisconsin-based security consultancy, on Tuesday afternoon discovered an unsecure internal customer service portal for the company’s Argentinian operations. The national ID numbers for at least 14,000 Argentinians have been exposed, but the breach could potentially affect tens of thousands more people.
The website held thousands of credit-related dispute records, faxes and national identity numbers for Argentinians who had filed complaints. Hold Security discovered that the Equifax web portal, shockingly, was secured by “just about the worst username and password combination possible: admin and admin.”
To make matters worse, anyone who signed in as admin/admin could also access the usernames and passwords in plaintext for about 100 of the company’s customer service representatives. These accounts could be removed or modified (which includes changing passwords) and new employee accounts could be added. Lee Matthews, Contributor for Forbes, states:
This is a failure on so many different levels. For starters, an administrative account should never be named something like admin. It’s one of the first that an attacker would try when attempting to gain access to anything connected to the Internet. Millions of devices — like wireless routers and connected cameras, for example — ship with admin as the default “master” account.
- It now appears that the Equifax hackers stole 200K credit card accounts in one swift swoop from a “storage table” in an Equifax database. Brian Krebs reported yesterday that:
Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.
“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”
Developments such as these will put further pressure on Equifax, which has been criticized for its haphazard and slow response to the breach.
The Short and Long-Term Effects on the Associations and FI’s
While we will continue to hear updates and additional discoveries regarding the breach as the weeks unfold, one thing is clear – the breach will have severe consequences on the financial organizations charged with consumer cards, accounts and payments. American Banker provided a rundown of the aftershocks.
Fraudulent Credit Accounts. Usually when credit card account data is compromised, card issuers are notified, card numbers get retired, and the cards get reissued. Timing is everything, though – just because cards get reissued does not mean that fraudsters cannot use the stolen cards before they are retired to purchase goods. And that leaves Visa, MasterCard, American Express and Discover on the hook for any purchases made on their cards as a result of this breach.
And in the case of the Equifax breach, fraudsters have all of the information to open completely new credit accounts easily – they have names, dates of birth, addresses, social security numbers and, in some cases, driver’s license numbers.
“This is about fraudsters being able to go out and open a brand-new account in your name, and potentially selling Social Security numbers. The thing that wakes people up, at least wakes me up, is that it’s a lot of numbers and the nature of the information means the type of damage that could be done is a lot more serious than just taking over a credit card.”
This breach vastly increases the risk of fraudulent account openings at a time when banks, credit unions, and the card Associations are increasingly turning toward account automation and allowing consumers to open new accounts – often in less than 10 minutes – online and through a mobile device.
FI’s and the Associations take the fall for new fraudulent account openings and what is spent through those accounts.
Credit Card Reissuance. Other large-scale credit card data breaches like Target, with 40+ million cards compromised, make the 209,000 card numbers exposed in this breach look like small potatoes. However, it still costs $5 or more to reissue each new credit card. FI’s will pick up this cost – unless they decide to sue Equifax to recoup these costs. And lawsuits for plaintiff always incur their costs in the form of preparation and legal fees.
Higher Scrutiny of Third-Party Vendors. Under New York’s new cybersecurity rules for banks, by March 2019, state-regulated banks will have to have in place a series of safeguards for third-party vendors that have access to their networks or to whom they provide data. The Equifax data breach calls into question what kind of information banks are providing to these agencies.
“For financial institutions, this sort of breach raises a vexing question, because many of them provide nonpublic information to credit reporting agencies, and it underscores the fact that when you provide network access or sensitive information to a vendor, the diligence process has to be tightened as these sorts of attacks become more frequent.
Curtailment of Authentication from Consumer Data. This incident may call into question the industry’s dependence on consumer data for authentication. Penny Crosman, Editor at Large at American Banker, states:
“Financial institutions and other similar businesses can no longer rely strictly on personally identifiable information (PII) any longer as a means of verifying identity. In a way, this breach ties in nicely with the New York State Department of Financial Services’ cybersecurity rules for banks, which require them to use multifactor authentication — the use of something besides a user name and password to grant people access to applications, be it a one-time passcode, a biometric, knowledge-based authentication or something else — or even stronger controls.”
Within 24 hours of Equifax’s announcement, it was slapped with a class-action lawsuit from two Oregon residents. A Seattle law firm has also filed a national class action lawsuit.
“So the lawsuits have already started,” said Craig Newman, partner at Patterson Belknap Webb and Tyler LLP. “The legal implications could be significant, because you not only have a class action lawsuit filed and likely additional litigation, but then you have the specter of regulatory investigations.
Along with additional lawsuits and regulatory inquiries, the real question is whether a breach of this magnitude forces a change in behavior and whether organizations view significant breaches as teachable moments and learn from the very tough lessons they are being dealt. At the end of the day, consumers will suffer, so will the banks and the Associations, and so will Equifax. The only ones smiling will be the hackers.