Massive credit bureau hack raises troubling questions

Trading information and the company logo are displayed on a screen at the New York Stock Exchange. PHOTO: REUTERS

WASHINGTON (AFP) - It could be the worst-ever data breach for American consumers, exposing some of the most sensitive data for a vast number of US households.

The hack disclosed this week at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects 143 million US customers, or more than half the adult population.

While not the largest breach - Yahoo attacks leaked data on as many as one billion accounts - the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and other personal information of value to hackers and others.

"This is the data that every hacker wants to steal your identity and compromise your accounts," said Darren Hayes, a Pace University professor specialising in digital forensics and cybersecurity.

"It's not like the Yahoo breach where you could reset your password. Your information is gone. There's nothing to reset."

Some reports suggested Equifax data was being sold on "dark web" marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation.

"This could be a mercenary group or it could be a nation-state compiling it with other data" for espionage purposes, said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington think-tank.

"This is the kind of information I would go after if I were a nation-state, to set up psychographic targeting for information and political warfare."


Peter Levin, chief executive at the data security firm Amida Technology Solutions and a former federal cybersecurity official, said he is concerned over the national security impact of the breach, which follows a leak of data on millions of US government employees disclosed in 2015.

"The implications with regard to national security are very large," he said.

Because most federal employees also have credit reports, "those people have now been hacked twice," Levin said, offering potential adversaries fresh data to be used against them.

"We've just given the bad guys a lot more information," he said. "Even if they didn't perpetrate the attack, they can buy the data."


The breach raised numerous questions among experts, such as why the company waited more than a month to notify consumers after learning of the attacks July 29.

"The delay is really alarming," Hayes said. "It only takes a few days" to steal information which can damage a consumer's financial situation.

Equifax collects information about some 800 million people and businesses around the world and provides credit ratings used for decisions regarding loans and other financial matters, and also touts a service protecting against identity theft.

At least two class-action lawsuits on behalf of consumers were filed following the disclosure claiming Equifax failed to adequately protect important data.

"Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems," said attorney John Yanchunis, who filed one of the lawsuits.

Some details of the attack remain unclear, including whether the data stolen was encrypted - which would make it harder for the hackers to monetize.

A handful of investor lawsuits announced Friday, meanwhile, said Equifax may have violated securities laws by allowing three high-ranking Equifax executives to sell shares worth almost US$1.8 million (S$2.4 million) in the days after the hack was discovered.

An Equifax spokesperson told AFP the executives "had no knowledge that an intrusion had occurred at the time they sold their shares." Equifax stock fell 12.7 per cent in New York trades on Friday following the disclosure.


The potential impact of the Equifax breach prompted some experts to suggest the government reissue social security numbers, which have always been issued for life.

"The government should consider changing social security numbers since there have been so many breaches," Hayes said.

Levin added that he "would be in favour of issuing new social security," even though "it's a fraught political discussion."

Others said the US could follow a European rule set to take effect in 2018 requiring companies to notify consumers within 72 hours of a data breach.

"Companies will put more into cybersecurity if there are tough penalties associated with data breaches," Hayes said.