The Equifax data breach is the worst corporate data breach to date, impacting more than 140 million people. The cybercriminals struck gold when they exploited a known vulnerability, and gained access to a treasure trove of personal information, including names, social security numbers, dates of birth, addresses, and driver’s license numbers, along with credit card numbers from more than 200,000 people and dispute documents from more than 180,000 people. There are serious implications for this information getting out. Here are a few, and what you can do to protect yourself.
Because the cybercriminals took so much information about each individual, they have more information “in their pocket” than ever before. And it's the same information that many financial institutions use for authentication, making it easier for criminals to gain access to bank accounts. But it’s more than just financial. Grievous harm may come from this breach in other forms. Here are a few.
Standard ID Theft
All the information needed to open lines of credit is included in what was stolen, so good old-fashioned identity theft is a distinct possibility. Considering the number of people affected, it’s a pretty scary situation.
Medical ID Theft
Medical information is worth 3 times more than financial information because many healthcare records also include financial records. With this information, healthcare fraud for surgeries and emergency room visits may occur. This could result in corrupt, and false, medical records for the fraud victim.
Tax Refund Fraud
We may see theft of tax refunds by fraudsters who file early using stolen identities. This type of fraud can take months to resolve.
Synthetic ID Theft
Cybercriminals are now creating new personal IDs by combining the data of several fraud victims. These synthetic identities are typically used for direct criminal activity, and may result in a criminal record for the fraud victims whose data was used.
Increased Phishing Attacks
It’s common for cybercriminals to take advantage of a bad situation, and play on people’s fears. In this case, consumers may see an increase in phishing attempts, including:
- Fraudulent credit protection offers,
- Fraudulent financial institution breach notifications, and
- Fraudulent class action lawsuit notifications.
It's important to remember: never click a link or open an attachment in an unsolicited email! Learn more tips in our infographic, 12 Tips to Defend Against Cyber-Attacks.
Recent Fraud Attempt — Customer Service Pretexting
Because the information stolen is part of most authentication procedures, Customer Service Pretexting attacks may increase. Let’s look at a recent fraud attempt against one of our clients using this tactic.
- Customer’s email was compromised by an attacker.
- Social engineer used the compromised email and information about the customer to fraudulently self-enroll for online banking.
- Social engineer used info from email and online banking to authenticate a phone call to the call center.
- The social engineer made multiple calls to the call center and received additional useful information. He was able to add his cell phone number to the customer’s contact info and obtain a telephone banking PIN.
- The social engineer asked about details on how to do a domestic wire transfer. He even complained about the high fee as a distraction technique.
- The social engineer said he already had a copy of the wire form that he would fax in. (It is unclear how he obtained this form. He said he went to a branch, but this is highly unlikely).
- The social engineer requested a transfer of $150,000 from a home equity line of credit to a savings account via a call center request.
Luckily, the customer service staff shared notes and realized the caller was a fraudster. They alerted wire staff before any funds were transferred out. When the cell phone number the social engineer had added was called, it went to a British-sounding voice mail. The social engineer called back in the afternoon; he had a strong accent and mumbled a lot while asking about the status of his fax. His attempt to steal money was thwarted!
Steps to Protect Yourself – Get Control-Smarter!
Here are a few controls to implement in your organization:
- Use more “out of wallet” questions that are proprietary to your organization during the authentication process, including:
  - Transaction and / or visit information;
  - Local-source facts from customer / patient interaction; and
  - Anything the fraudsters didn’t / can't gain access to.
- Reduce the transaction thresholds that trigger additional controls. This can be a temporary or permanent change. For example, some of our clients are requiring in-person wires above a certain dollar amount.
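As an added illustration (not code from the original post or its authors), here is a small Python rule check that applies the two controls above to a wire request: a remote-wire threshold that forces in-person completion, and a step-up to out-of-wallet questions when the account history shows the signals seen in the pretexting case (recent self-enrollment, recently changed contact details, repeated call-center contacts in one day). The threshold values, the `Account` and `WireRequest` fields, and the dates in `page_scenario` are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy values for illustration; a real program tunes these to its own risk appetite.
IN_PERSON_WIRE_THRESHOLD = 25_000   # dollars: larger wires requested remotely must be done in a branch
RECENT_DAYS = 14                    # enrollment or contact changes this recent trigger step-up
MAX_CALLS_PER_DAY = 2               # more call-center contacts than this in one day is suspicious

@dataclass
class Account:
    online_enrolled_on: Optional[date] = None   # date of (self-)enrollment in online banking
    contact_changed_on: Optional[date] = None   # last change to phone / email / address on file
    call_center_calls: List[date] = field(default_factory=list)  # dates of call-center contacts

@dataclass
class WireRequest:
    amount: float
    channel: str        # "call_center", "online" or "branch"
    requested_on: date

def evaluate_wire_request(req: WireRequest, acct: Account) -> Tuple[str, List[str]]:
    """Return ("approve" | "step_up" | "in_person", reasons) for a wire request."""
    reasons: List[str] = []
    recent = req.requested_on - timedelta(days=RECENT_DAYS)

    if acct.online_enrolled_on and acct.online_enrolled_on >= recent:
        reasons.append("online banking enrolled within %d days" % RECENT_DAYS)
    if acct.contact_changed_on and acct.contact_changed_on >= recent:
        reasons.append("contact details changed within %d days" % RECENT_DAYS)
    calls_today = sum(1 for d in acct.call_center_calls if d == req.requested_on)
    if calls_today > MAX_CALLS_PER_DAY:
        reasons.append("%d call-center contacts today" % calls_today)

    # Threshold control: a large wire requested by phone or online must be completed in person.
    if req.channel != "branch" and req.amount > IN_PERSON_WIRE_THRESHOLD:
        reasons.append("$%s remote wire exceeds in-person threshold" % format(req.amount, ",.0f"))
        return "in_person", reasons
    # Any other red flag: step up to out-of-wallet questions before processing.
    if reasons:
        return "step_up", reasons
    return "approve", reasons

def page_scenario() -> Tuple[str, List[str]]:
    """Constructed replay of the pretexting case: recent self-enrollment, phone added, repeated calls, $150,000 by phone."""
    today = date(2017, 9, 20)   # constructed date
    acct = Account(online_enrolled_on=today - timedelta(days=5),
                   contact_changed_on=today - timedelta(days=1),
                   call_center_calls=[today, today, today])
    return evaluate_wire_request(WireRequest(150_000, "call_center", today), acct)
```

Note that the large-amount rule returns before the other flags are evaluated only in the sense of the decision; all reasons are still collected so call-center staff see the full picture in one place.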
A few controls for you personally include:
- “Right size” your tax withholdings. Accurately calculate how much should be withheld from every paycheck, and become less dependent on a refund.
- File taxes early.
- Monitor credit accounts and reports.
- Consider freezing your credit. This will prevent anyone from requesting your credit report, making it very difficult for anyone to open a new line of credit in your name. It’s offered by all of the top three credit bureaus (Experian, TransUnion, and Equifax), and can be done over the phone or on their website. You receive a PIN that is used every time you want to “thaw” your credit. We also recommend that you freeze the credit of any dependents / children under the age of 18.
Perhaps the most important lesson learned from the Equifax breach, along with the other large breaches that came before it, including Yahoo!, Target, and the Office of Personnel Management, is that you can’t solely rely on these entities to protect your most sensitive information. Taking some personal responsibility for keeping your information safe, and doing your due diligence, just makes sense.
Charting a Course for Cyber Resiliency
A resilient organization is one that is able to quickly adapt to and recover from a disaster. The first step to resiliency is developing a strategy to get you back to business as usual, known as a Continuity of Operations Program (COOP). Tyler can help you develop a new program or strengthen an existing one. Our professionals focus on developing response strategies and recovery and resumption plans, and on documenting detailed procedures to ensure the sequential resumption of critical systems. In addition, we design and conduct realistic, practical tests to ensure that the program functions as intended.