The Equifax Story Is Just Beginning

By Andrew Witzel

I can’t say loudly enough how bad this particular breach with Equifax actually is. No one fully understands the true impact of this breach compared to all the previous breaches. Equifax lost SSNs, birth dates, full names and other personally identifiable information. To put it another way, all you really need for effective identity theft is the full name, SSN, and birthdate. Previous breaches consisted of credit card numbers, perhaps PINs, but not SSNs or birthdates. A confirmed 143 million consumers have had their identity information stolen through an exploit of an unpatched web application.

In terms of breaches, this will be the de facto standard that future breaches are measured against. Most Americans have no concept of the true nature of potential damage that is looming over their heads. The fallout from identity theft can linger for years after the initial incident; at least up to 7 years. You can’t change an SSN as easily as canceling and re-issuing a credit card. You can’t change a birthday because time machines haven’t been invented yet. Your information, which can’t be changed at all or can’t be changed easily, has been stolen from a company that has built its business on protecting that information. No one has a choice to opt out of having their information at one of the three credit bureaus, and as such, unless Equifax goes bankrupt, our information will remain with them. The other two bureaus are TransUnion and Experian.

The internet hasn’t experienced a ripple from this; it’s more like a tsunami. The investigation is still ongoing. It is widely believed that the reported exploit in CVE-2017-5638 was leveraged in conjunction with exploit CVE-2017-9805. The details of the exploits aren’t necessarily relevant; rather, the fact that neither patch was applied is what made Equifax vulnerable. It is highly likely several people will lose their jobs over this event. The true damage hasn’t even started yet. That damage will be the selling and utilization of the stolen consumer records. Hackers are a patient group and they’ll wait as long as they need to in order to extract maximum profit. Hackers know SSNs and birth dates can’t be altered, so the data never loses its value, a frightening prospect indeed.

Better start shopping around for credit protection services for some deterrence. I’ve already started shopping.

I'm a middle-aged tech geek with a passion for computers, technology, politics and all the bits in the middle between 0 and 1. I am what could be considered a moderate progressive and like to consider all sides of a debate before taking a position.

