Bz Skits
Published in

Bz Skits

Equifax: Damage that Should Worry Everyone

This week’s admission by Equifax that 143 million American citizens’ data was lost between May to July, should worry everyone. While it has ramifications for victims’ digital identity and credit data, saving digital identities after such a breach is not easy.

Yesterday morning, the UK awoke to the news that Equifax, one of the world’s biggest credit reporting agencies, had lost the data of 143 million citizens in one of the most high profile data losses and certainly one of the most valuable. They include names, addresses and social security numbers. Whilst this is bad enough for the victims, who include 143 million American citizens, it has greater ramifications for the competition.

What Are Credit Reference Agencies?

Credit Reference Agencies (CRAs) are companies authorised to centrally hold information about retail or business customers who apply for, or take out credit agreements. This same information is used in a host of other place, not least assessing jobseeker trustworthiness and in the UK, this includes anyone working in FCA regulated environments.

Whilst the immediate concern of credit risk is obvious, what is perhaps less obvious is the implications this has on digital identity across the entire sector.

Whilst Credit Reference Agency data is used across a host of industries, the information contained in that data is common to all companies in the Credit Reference industry. For example, failure to pay a mortgage payment is recorded in CRA data which in turn, helps other loan providers assess what your credit worthiness is.

More recently, CRAs use the same information to offer a Digital Identity verification service. Ensuring that the person applying for a loan is entitled to online and bricks and mortar companies. This means the identity of anyone applying for a loan or some other sensitive services, can be verified in seconds allowing them to proceed to apply for loans in that identity’s name. Equifax’s offers multiple products in this space, including Identity Verifier, a service available in the UK, as well as their Identity Watch service, which allows you to monitor and be alerted to the use of your ID in the case of fraud.

Whilst the irony of securing and alerting against the identity of individuals is not lost here, there are many other immediate problems which will affect consumers and citizens of the USA and beyond.

All or Nothing: Shared Credit Data means Shared Identity

The shared nature of CRA information naturally means that such a breach exposed every company’s consumer information to the outside world. This means the Equifax leak exposes Experian’s records and this exposes those companies too. This information, should it become public, not only risks the individual consumers themselves, but also risks the competitive position of the entire industry. This may result in companies like Experian taking action against Equifax.

Rarely Changing Data Leaked, Endures

One of the things that makes the Equifax breach unique, is that it allowed access to sensitive, but key, unchanging information. Addresses can be changed, but Dates of Birth and Social Security Numbers cannot. Those two are crucial, identification factors across everything from welfare, to jobs, to loan applications. There is no way for a consumer to change those pieces of information. Meaning criminals could much more easily apply using a stolen identity for:

  • Loans
  • Jobs
  • Funding
  • Bank accounts
  • Businesses
  • Large purchases with hire purchase elements (mortgages and vehicles for example)
  • Mobile phones

Identities are the main fuel of online fraud. Without the ability modify that identity, many victims will find that their details have been used to successfully apply for loans in their name, approved and paid by the company and never repaid. Leaving the real person footing the bill and facing charges for a loan they never took out. That money can then be used further on in the chain, by organised criminals or even terrorists.

To compound matters, that data is held on file at all CRAs is held for a defined period of time. For financial and credit information int he UK, this includes FCA regulations and data protection limits. In essence, allowing them to hold that information on file for 6 years. A credit application that is rejected on the grounds of a previous loan applied for through a stolen identity is recorded on file until that is sorted out. Denying credit to millions of potentially innocent victims.

If that data is found to be fraudulent, you have no way of truly proving that it isn’t you [without interrogation]. After all, the true data, looks like your data and so does the stolen data. So if your stolen data has been barred, so has your real data and arguably, so have you.

Reconciling Other Sources

What most people focus on, is the immediate leak. Of course, this is bad enough. However, another strength of these sort of data acquisitions is their ability to provide missing pieces in other identity puzzles harvested elsewhere. Once they have closed the loop, they can combine various data sources, including some of the remaining protections (mothers maiden name, schools, pets whatever else) to build a new you, but for themselves to take, and crucially, modify.

The ramifications of this are frightening, as the digital world’s identity can start to diverge quite significantly from the real world you. It is like someone gaining access to your Facebook or Medium accounts, changing the passwords and locking you out, then using the account for other purposes.

Only time will tell what happens here. However, the breach has the potential to put pay to the digital identity verification industry as a whole as well as create identities for nefarious purposes. Want to check that twitter bot is a real person? Looks real. How about the new job applicant? Their CV and presentation look great! What does their digital identity say? Here’s hoping Equifax can somehow put this right. However, it is not at all clear how and seemingly US prosecutors agree. Equifax have a lot of questions to answer.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ethar Alali

Ethar Alali

EA, Stats, Math & Code into a fizz of a biz or two. Founder: Automedi & Axelisys. Proud Manc. Citizen of the World. I’ve been busy