Credit reporting one key to celebrity doxxing affair

Equifax, one of three main US credit monitoring companies, has admitted that the perpetrators snagged info for a handful of the victims of the doxxing campaign via annualcreditreport.com, a shared website also used by TransUnion Corp and Experian PLC to provide consumers with a free copy of their credit report every year.

Equifax said that its initial investigation found the attack appeared to be two-pronged: the hackers already held personal information on the compromised individuals, and that information allowed them to authenticate to the site.

"The fraudsters would have had to have a lot of information ... this is pretty detailed stuff," company spokesman Timothy Klein told Reuters. “Those responsible for the breach would have had to know about mortgages, car loans or other credit accounts to get the reports.”

Meanwhile, Experian said that while it hadn’t been hacked, it nonetheless froze the credit files of those “victimized by this malicious attack,” just in case.

"Criminals accessed personal credential information through various outside sources, which provided them with sufficient information to illegally access a limited number of individual reports from some US credit reporting agencies,” it said in a statement to Reuters.

TransUnion also said its systems had not been compromised.

The whole affair, and the potential for something as commonly used as the annual credit report tool to lead to a compromise, has security analysts considering how better to protect digital privacy.

The first step is to accept the reality of the situation. The internet has changed our everyday behavior, and now even the most personal and sacred information is available online, from banking and emails through to social networks. Internet-connected devices mean all of that information is available at our fingertips in an instant. This convenience drives people to store more and more information online, and opens up opportunities for embarrassing, inconvenient or downright damaging information leakage.

“It’s fascinating how available information is now and also how sensitive that information is,” said Kevin Mahaffey, co-founder and CTO of mobile security specialist Lookout Security, in an emailed interview with Infosecurity. “We lock up our houses and use vaulted safe deposit boxes, but very few of us protect our mobile devices in any way – we keep ourselves wide open to cyber-attacks.”

He added that human nature does dictate that wherever there is important information, there is an attraction for bad people to access it. “This is no different from bank robbers years ago – the format has changed but the principle is the same,” he said. “You have something valuable, and they want it. The internet is evolving at a rapid pace and giving people new tools and methods of storing information, but also giving the bad guys new ideas too.”

The FBI and the LAPD are just two law-enforcement agencies investigating this week’s attacks, looking for the identity of the hackers as well as their motivation: was it a prank, espionage, financial gain or simply a bid for acknowledgement from their peers in the hacking community? Unfortunately, it’s difficult to track down the perpetrators in such crimes.

“Hackers sometimes have an online persona which they use and promote, but keep their own personal details well hidden,” according to Mahaffey. “On the same note, they don’t want to over-popularize their techniques because then other people will copy them, increasing the chances of the loopholes getting closed and them getting caught. In this case, it’s unclear what the motives are. We’ve seen more of these types of attack of late and the velocity is increasing substantially. Often what seems to be a sophisticated result comes from an unsophisticated attack.”

In addition, there can often be geographic and jurisdictional limits to what authorities can do. “Hackers and hacker groups often have teams spread out all over the world and try to cover their tracks,” Mahaffey said. “Technology is evolving so rapidly, it’s hard for regulation and authorities to keep up with the pace. Ultimately, it’s up to people to try and stay one step ahead of the bad guys and take steps to protect themselves.”
