Countless Americans will no doubt suffer financial harm from the Equifax data breach. But we may never know the exact number.
In the real world, quantifying the number of homes damaged by a hurricane or how many people lost their jobs last month is a straightforward math exercise. But in the shadowy online world, getting a precise count of people hurt by a specific data breach — like the cyberheist at Equifax — is far more challenging.
Maybe even impossible, say cybersecurity experts.
There’s no disputing that many people will have their identities stolen or learn that credit cards were opened in their name without their knowledge after the breach of the credit bureau’s computer systems.
Thieves made off with the personal data of as many as 143 million Americans, including what arguably is the most important piece of identification: the nine-digit social security number.
When asked if there’s a way to quantify how many people have been harmed, John Ulzheimer, a credit expert and former employee at Equifax and credit score firm FICO, said: “There’s no way to know, and there may never be a way to know.”
The reason? Most Americans’ personal data is already floating around on the black market from prior cyberthefts, says Brian Krebs, an independent cybersecurity investigator, journalist and head of KrebsOnSecurity.com. Well-publicized data breaches in the past include Yahoo’s, Target’s and Home Depot’s.
All those past hacks make it virtually impossible to pin the blame for any individual identity theft claim on any one attack, including the massive Equifax rip-off.
The data stolen in the Equifax breach included social security numbers, names, addresses and drivers licenses. These four pieces of identification are dubbed the “crown jewels,” as a thief in possession of them all has the keys to one’s identity.
There’s been more than 825 million personal records exposed from data breaches in the 10-year period ending in 2016, according to the Identity Theft Resource Center. More than 6,400 breaches occurred in that period.
Last year there was a record 15.4 million U.S. victims of identity fraud, according to the 2017 Identity Fraud Study released by Javelin Strategy & Research. Losses attributed to identify theft totaled $16 billion in 2016, Javelin reported.
Equifax stock plunged despite the company’s CEO annoucing changes after a security breach that may have exposed the data of up to 143 million people. Fred Katayama reports. Video provided by Reuters Newslook
Every specific cyberbreach has a starting date, or the day of intrusion. But if the hackers get their hands on data that has a long shelf life, such as a social security number, there is no end point to when the stolen information can be used. In short, there is no way of knowing if current victims of identity theft or financial fraud were duped by data stolen recently from Equifax.
“At this point, there are only anecdotal reports of people saying they have been the victim of fraud, but even they can’t definitively say the Equifax breach was the cause,” Ulzheimer says. “The fraudster could have gotten the personal data off of a web site, or Facebook. Maybe the data was stolen from Target. Or a breach from many years ago. You just don’t know.”
Experts also say it can be a long time before victims feel the effects.
“It can take months and even years before the scammers act on the information,” says Fran Rosch, executive vice president at security software firm Symantec. Rosch said his firm has been “unable to quantify” the specific number of people who have reported fraud since the Equifax breach.
Adds Avivah Litan, an analyst at Gartner: “Usually the bad guys will stop using the data and won’t rush out and take out new loans when the media starts to publicize the story.”
There’s another problem: There is no one agency that quantifies, tallies or aggregates the damage done by cyberbreaches, she says.
Getting identity theft report claims from the three major credit bureaus (Equifax, Experian and TransUnion) could prove useful in estimating how many people have recently flagged fraud in their accounts. But when reached by USA TODAY and asked how many people have contacted them since the breach to “report theft or fraud” or to set up credit “freezes,” all three bureaus refused to share numbers.
Via email, an Equifax spokesperson said: “At this time, we don’t have information to share. We will be back in touch as we can.”
TransUnion, in an email statement, said: “TransUnion’s focus is on assisting consumers concerned about the Equifax incident and ensuring our systems are secure … We’re encouraged to see a rise in consumers taking greater control of their own credit information by reviewing their credit report, enrolling in monitoring, placing freezes or choosing to lock their own credit information via our free service.”
Experian said: “A performance failure by one bureau puts a big demand on the others. Consumers are asking for support and assistance in record numbers. We are working around the clock to help.”
Krebs says it might take a subpoena from Congress to get a better picture of how many people have submitted financial fraud claims or requested a credit freeze in the past week. That might still happen.
Massachusetts Senator Elizabeth Warren (D), who has launched a probe of Equifax, has asked government regulators to find out how many complaints related to the Equifax crisis were filed.
What we do know is there’s been a sharp spike in the number of Americans logging on to a government website used to report identify thefts since the Equifax data breach was announced Sept. 7.
The Federal Trade Commission, one of the regulators that oversees the credit reporting industry on data-protection and identity-theft matters, says traffic levels to IdentityTheft.gov were nine times higher than average levels on Friday, Sept. 8, and have been five times higher since Monday. The average daily volume of traffic to the site was about 6,000 and is now in the tens of thousands.
Since there are no reliable statistics on victims in the Equifax data breach, USA TODAY has come up with some ways to estimate the impact.
Based on what she’s seen after past breaches, for example, Gartner’s Litan estimates “that less than 5% of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime.”
And 5% of the 143 million people whose data may have been compromised in the Equifax breach means an estimated 7.2 million Americans could be at risk for identity theft. Again, that is just an estimate, as there’s no real way of knowing.