Total damage of hack may never be known
Identity theft now doesn’t necessarily mean the latest data attack is to blame
Countless Americans will no doubt suffer financial harm from the Equifax data breach. But we may never know the exact number.
In the real world, quantifying the number of homes damaged by a hurricane or how many people lost their jobs last month is a straightforward exercise. But in the shadowy online world, getting a precise count of people hurt by a specific data breach is far more challenging.
Maybe even impossible, say cybersecurity experts.
There’s no disputing that many people will have their identities stolen or learn that credit cards were opened in their name without their knowledge after the breach of the credit bureau’s computer systems.
Thieves made off with the personal data of as many as 143 million Americans.
When asked if there’s a way to quantify how many people have been harmed, John Ulzheimer, a credit expert and former employee at Equifax and credit score firm FICO, said: “There’s no way to know, and there may never be a way to know.”
The reason: Most Americans’ personal data are already floating around on the black market from prior cyberthefts, said Brian Krebs, an independent cybersecurity investigator, journalist and head of KrebsOnSecurity.com. Well-publicized data breaches in the past include Yahoo’s, Target’s and Home Depot’s.
All those past hacks make it virtually impossible to pin the blame for any individual identity theft claim on any one attack.
More than 825 million personal records have been exposed in data breaches in the 10-year period ending in 2016, according to the Identity Theft Resource Center. More than 6,400 breaches occurred in that period.
Last year saw a record 15.4 million U.S. victims of iden- tity fraud, according to the 2017 Identity Fraud Study released by Javelin Strategy & Research. Losses attributed to identify theft totaled $16 billion in 2016, Javelin reported.
Every specific cyberbreach has a starting date, or day of intrusion. But if the hackers get their hands on data that have a long shelf life, such as a Social Security number, there is no end point to when the stolen infor- mation can be used. In short, there is no way of knowing if current victims of identity theft or financial fraud were duped by data stolen recently from Equifax.
“At this point, there are only anecdotal reports of people saying they have been the victim of fraud, but even they can’t definitively say the Equifax breach was the cause,” Ulzheimer said. “You just don’t know.”
The Equifax data breach is just one in a series of hack attacks that may have left you vulnerable.