The Equifax breach stole names, addresses, birth dates, and credit card numbers for over 200,000 consumers. One might immediately assume that cyber criminals carried out the attack in order to sell the information to identity thieves who will run up fraudulent charges, file fake tax returns, defraud mortgage and loan providers, purchase goods with stolen credit cards or steal a subscription to HBO in time for next season’s Game of Thrones.
But where most see thieves, I see spies.
The cyber intrusion also stole documents used in disputes for approximately 182,000 people. These include personally identifiable information that sophisticated attackers could use to gain entry into medical records, bank accounts, employer email accounts and networks — virtually anywhere that a person has an online presence. Most consumers are still slow to adopt secondary protection schemes like two-factor authentication and continue to use challenge questions that relate directly to their personal lives. If a spy agency in China, North Korea or Russia (the three most likely culprits in the Equifax breach) has this information, it could use it to infiltrate other accounts of targeted individuals, particularly persons of interest in government agencies.
While recent reports say two hackers have launched an onion site to claim responsibility for the Equifax breach and demand over 600 Bitcoin (roughly $2.6 million) in ransom, this could easily be scammers trying to capitalize on the potential leak, or even a calculated smokescreen by a nation-state group.
I’m especially concerned, as we move toward elections in 2018 and 2020, that this breach, together with the two massive Yahoo breaches during the second half of last year, may lead to additional compromises like the ones that plagued the Democrats before the presidential election in 2016. If spies are behind this attack, we should expect to see additional releases of damaging personal information, more fake news grounded in a kernel of truth and significant disruptions that erode trust. WikiLeaks is likely poised and ready to help foreign spies further damage U.S. democracy.
Cyber warfare often drives an information narrative. Cyber espionage collects information. Spy agencies typically hold that information close to the vest, using it to quietly inform decisions and tactically pressure certain international politics. Sometimes the information is used to feed the narrative most beneficial to the nation that stole it. After the DNC attack, Russia placed the information most damaging to the Clinton campaign on WikiLeaks. The influence campaign against the United States election did not stop there. Russia blended covert intelligence operations with outreach through state and private media, paid social media trolls and official news stories to establish a narrative that the United States election system was compromised at best and, at worst, corrupt.
A related issue: it is one thing to wake up and realize that your Yahoo account was compromised. It’s another entirely to find out that one of the institutions we trust to protect our most critical information has failed us. I’ve long felt uncomfortable with the amount of information that the three big credit agencies collect and store about consumers. As an investigator, I understand the need for rapid credit checks that seek to determine the financial stability of a consumer, but when we give others control over our information, we open ourselves to these major attacks. Unfortunately, even after the massive attacks on the Office of Personnel Management, Yahoo and now Equifax, we’ve still only seen the tip of the spear.
Robust security, together with people knowledgeable in counterintelligence, is required to protect systems from the biggest flaw in any design: the people who use them. Corporations hoard big data mined from consumer information freely given under rarely read privacy notices, vacuumed up from social media, collected from internet searches and website visits, and distilled from the news and media we consume. Spies thrive on this wealth of information, bypassing cybersecurity through non-technical approaches like phishing emails and social engineering. A top-down approach from government, together with investment in corporate responsibility and individual security, is necessary to protect our identities from abuse. Anything short of that lays our information out in a banquet for cyber thieves and spies.
By Eric O’Neill, National Security Strategist, Carbon Black | Enterprise Innovation