To­tal dam­age of hack may never be known

Iden­tity theft now doesn’t nec­es­sar­ily mean the lat­est data at­tack is to blame

The Arizona Republic - - MONEY - Adam Shell

Count­less Amer­i­cans will no doubt suf­fer fi­nan­cial harm from the Equifax data breach. But we may never know the ex­act num­ber.

In the real world, quan­ti­fy­ing the num­ber of homes dam­aged by a hur­ri­cane or how many peo­ple lost their jobs last month is a straight­for­ward ex­er­cise. But in the shad­owy on­line world, get­ting a pre­cise count of peo­ple hurt by a spe­cific data breach is far more chal­leng­ing.

Maybe even im­pos­si­ble, say cy­ber­se­cu­rity ex­perts.

There’s no dis­put­ing that many peo­ple will have their iden­ti­ties stolen or learn that credit cards were opened in their name with­out their knowl­edge af­ter the breach of the credit bureau’s com­puter sys­tems.

Thieves made off with the per­sonal data of as many as 143 mil­lion Amer­i­cans.

When asked if there’s a way to quan­tify how many peo­ple have been harmed, John Ulzheimer, a credit ex­pert and former em­ployee at Equifax and credit score firm FICO, said: “There’s no way to know, and there may never be a way to know.”

The rea­son: Most Amer­i­cans’ per­sonal data are al­ready float­ing around on the black mar­ket from prior cy­berthefts, said Brian Krebs, an in­de­pen­dent cy­ber­se­cu­rity in­ves­ti­ga­tor, jour­nal­ist and head of Kreb­sOnSe­cu­rity.com. Well-pub­li­cized data breaches in the past in­clude Ya­hoo’s, Tar­get’s and Home De­pot’s.

All those past hacks make it vir­tu­ally im­pos­si­ble to pin the blame for any in­di­vid­ual iden­tity theft claim on any one at­tack.

More than 825 mil­lion per­sonal records have been ex­posed in data breaches in the 10-year pe­riod end­ing in 2016, ac­cord­ing to the Iden­tity Theft Re­source Cen­ter. More than 6,400 breaches oc­curred in that pe­riod.

Last year saw a record 15.4 mil­lion U.S. vic­tims of iden- tity fraud, ac­cord­ing to the 2017 Iden­tity Fraud Study re­leased by Javelin Strat­egy & Re­search. Losses at­trib­uted to iden­tify theft to­taled $16 bil­lion in 2016, Javelin re­ported.

Ev­ery spe­cific cy­ber­breach has a start­ing date, or day of in­tru­sion. But if the hack­ers get their hands on data that have a long shelf life, such as a So­cial Se­cu­rity num­ber, there is no end point to when the stolen in­for- ma­tion can be used. In short, there is no way of know­ing if cur­rent vic­tims of iden­tity theft or fi­nan­cial fraud were duped by data stolen re­cently from Equifax.

“At this point, there are only anec­do­tal re­ports of peo­ple say­ing they have been the vic­tim of fraud, but even they can’t defini­tively say the Equifax breach was the cause,” Ulzheimer said. “You just don’t know.”

JUSTIN LANE, EPA-EFE

The Equifax data breach is just one in a se­ries of hack at­tacks that may have left you vul­ner­a­ble.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.