Equifax Attack: Only a Matter of Time

On September 7, 2017, the news became mainstream that one of the three main credit reporting firms, Equifax, had been compromised in a successful cyber-attack. The breach was discovered by the team at Equifax in late July, but it is not 100% known how long the attackers had privileged access to Equifax.

The estimated size of the breach - which contained social security numbers, birth dates, driver’s license numbers, credit card numbers and address information - could include 40% of the population of the United States (USA). In pure numbers, this translates to 143 million of the 324 million residents in the USA.

To read more on the situation, DZone's Cate Lawrence provided a summary that was published shortly after the news broke:

With 40% of the US Population Potentially Affected by the Equifax Data Breach, Here's What You Need to Do

Why We Should Not Be Surprised

Trying to put myself into the mindset of those behind this attack, I realize it should come as no surprise that one of the three main credit reporting firms was the victim of a cyber-attack. It is an implication of Sutton's Law.

Legend has it that Willie Sutton (famed bank robber from the early 20th-century) once told someone he robs banks because "that's where the money is." While Willie later admitted that a reporter coined that term for him (Snopes validation), the idea behind his motive became known as Sutton's Law. This perspective definitely applies to the Equifax attack.

The end-goal for this type of attack is to gain as much personal information as possible about individuals, for exploitation purposes. With this in mind, there is no better place to attack than the place where all the desired information is contained in one location. In the USA, this leads to a short list of three credit reporting firms: Equifax, Experian, and TransUnion.

This time, Equifax was the target for attack. Most likely, these three firms have been the target for attack for quite some time - considering the pot at the end of their rainbow is certainly filled at capacity with gold. Unfortunately, a vulnerability was found and exploited - at the expense of approximately 150 million individuals.

Fallout From the Attack

As a result of the attack, Equifax has setup a website where you can check to see if your name is among the 40% that are impacted. In doing so, impacted individuals will receive a free year of credit monitoring service. However, before opting-in to the free service, understand that your right to further litigation or recovery may be waived.

It is also important to understand what the free credit monitoring will accomplish, to make sure your expectations are set. As an example, the free service may provide insight into someone trying to gain a mortgage using your information, but it most likely will not catch someone using only a portion of your information - like your social security number with a different name and address. Credit card numbers taken from the attack to make purchases will also likely fall out of the view of the credit monitoring service - as it does not cover monitoring existing credit cards in your name.

As noted above, make sure to read the fine print before opting-in to the free service - especially when those behind the attacks may be inclined to wait a year before using the information gained without Equifax's consent.

Conclusion

I am an avid fan of Dateline NBC. In fact, one of my first DZone articles was titled, "How Watching Dateline Real-Life Mysteries Helped My IT Career." From my avid viewing of the Dateline program, there is always a motive behind someone's criminal actions. In this case, those behind the Equifax attack wanted to peek into the personal information of as many individuals as possible, gaining as much information out those individuals as possible. The goal was to attack one of the three main credit reporting agencies in America and it was successful.

To me, it seems like it was only a matter of time before someone finally breached a vulnerability - leading to a gold mine of personal information. Sutton's Law at work.