Equifax announced yesterday that it encountered a security breach lasting between mid-May and late July, exposing up to 144 million social security numbers with names, addresses, dates of birth, and state ID card numbers correlated with the owners – nearly the firm’s entire file. In the announcement, the firm stated that the breach occurred through a faulty software module on its website.
I am not privy to the details of the breach, and I am not in a position to analyze it. But because it lasted nearly 60 days, my guess is that Equifax likely discovered the breach from an outside source; perhaps someone was nabbed trying to hawk the stolen data, or there may have already been victims and law enforcement tracked down the source.
The sheer size of this breach might be difficult to fully appreciate, considering that the population of the US is some 350M, not all of whom are adults who utilize credit. So why don’t we just say the breach potentially impacted nearly everyone in the US with a credit file, which is completely incomprehensible. But think about the implications for the value of the social security number in tracking credit history, or any other type of financial history, going forward. Anyone, and I mean anyone, can now present valid data claiming to be someone else with none the wiser. And the absolutely inadequate offer by Equifax of fraud monitoring for 90 days is simply not going to fix this, because a social security number is forever.
This needs to change. State governments should stand up PKI systems and attach an encrypted certificate to every ID card issued as a way to verify identity. If they don’t have the money to do it, they need to find it – pronto!