It would seem that data breaches have now reached their logically absurd peak. The compromise of Equifax, revealed last Thursday evening, is the kind of incident you get when attackers get bored of stealing cases of bottled water and decide to steal the entire mountain spring instead.
As reported by Bloomberg, the breach affects the majority of adults in the United States, 143 million people to be exact, and the stolen data is essentially a cybercriminal prepper's go bag: Social Security numbers, birth dates, addresses, and some driver's license numbers, according to Equifax's statement. Attackers had access to the company's network for about two and a half months, thanks to a vulnerability in a web application running on Equifax's U.S. sites, the company said in its statement. Equifax said the attackers also were able to access credit card numbers for about 209,000 consumers in the U.S.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax Chairman and CEO Richard F. Smith said in the company's statement. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax is a logical and obvious target for attackers. As one of the three major credit bureaus in the U.S., the company warehouses vast amounts of sensitive data on hundreds of millions of people. It’s the kind of information that financial companies, employers, and pretty much everyone else uses to authenticate people during transactions. It’s also the kind of information that cybercriminals prize, for those same reasons. Getting access to that data is the dream for financially motivated attackers, and hitting a mother lode like Equifax is a career-maker.
So the breach should come as no surprise, but not because Equifax made some egregious mistake that was just waiting to be exposed. We don't know exactly what the vulnerability was yet, but history has shown us that any organization can be compromised, no matter how well-defended it is. Microsoft, Google, and the NSA have all been hit in one way or another, and they all have large security budgets and talented teams. Logic dictates that attackers will go after the targets that have the most of what they want, and Equifax fits that description to a T, so it got hit.
In many ways, this incident is a return to the one that can be considered the patient zero of the modern data breach era: the ChoicePoint breach. ChoicePoint was a data broker that collected information on consumers and sold it to private companies as well as government agencies. In 2005 the company disclosed a data breach that affected about 160,000 people. It was one of the first few incidents that became public thanks to the breach-notification law passed in California in 2003 and it evolved into the poster child for early political and business discussions about data breaches. Ironically, ChoicePoint was originally part of Equifax and was spun off in the 1990s.
The scope of the ChoicePoint incident was alarming at the time, but it quickly was eclipsed by many much larger ones. And now we have the Equifax breach, which affects nearly 1,000 times as many people and will no doubt draw cries of outrage from politicians, class-action lawsuits, and calls for onerous new laws. But this is just the natural progression of things. Why would attackers want to pick up a few crumbs here and there when they can steal the whole cookie jar?