As the New York Times *(and numerous other sources) have written about the Equifax data breach, the state-sponsored affiliation of hackers screams risks associated with individuals who work for the CIA, military, or other key government positions. The belief is this: the more private data that rivals foreign powers have about US individuals in key positions of power, the more leverage these ‘unfriendlies’ have to potentially use against them. While certainly true, we cannot avoid the fact that even breaches stemming from unfriendly soil (also including Anthem, OPM, Yahoo! and more) continue to increase risk of identity theft or fraud against every US citizen. As an expert witness for most large US breaches, I’ve spent hundreds of hours proving that this is true.
Breaches of Social Security numbers, driver’s license data, payment card numbers, and contact data don’t lose their power to fuel fraudulent new or existing financial crimes simply because that data can also be used for espionage or other government-interest compromise. Think about it: if the key to your house or car were to fall into the hands of someone working on behalf of a foreign nation, the origin of their payroll check wouldn’t somehow decrease the fact that your personal possession is now at greater risk of being stolen. The belief that a cadre of even military proportions would be enough to contain hackers who thrive on overcoming obstacles is simply magical thinking. After all, the very nature of hacking is about committing untoward actions against others.
As Breach Clarity’s 1,188 element details, identity credentials are inherently charged with the power to authenticate individuals. In other words, if I possess enough information about you and also bring a deep working knowledge of digital commerce systems used by financial institutions or tax authorities, I can effectively become you while conducting a transaction in your name. All other things being equal, Social Security numbers, logins and passwords, and other personal identifying data don’t somehow care who are using them.
While some data experiences decreased value over time–and in particular those associated with payment ‘cards’ that expire or can be readily reissued–others such as Social Security numbers endure for the life of the identity holder. And even contact information such as physical address or phone numbers takes on extended authentication power when it becomes your prior information. State sponsored breaches may even prove to have a delayed impact on future fraud, whereby the discernible levels of new or existing fraud do not appear until until some unexpected period of time has elapsed–and thus counfounding the expectations of traditional fraud analytics systems widely used by financial institutions.
Breached identity credentials have enduring ability to raise risk of economic identity crimes in the hands of even foreign nationals, and the fact that the primary purpose may be related to compromise doesn’t change the fact that the exposure of identity credentials increases risk of crimes such as new credit and deposit account establishment, existing payment account fraud, account takeover, tax refund fraud, and much more. Clearly, when hackers are believed to be state-sponsored there may be a significant change in when and how such crimes manifest themselves. You can bet that the Breach Clarity team is monitoring this trend very closely, in order to factor it directly into the algorithm that powers everything we do to empower consumers and professionals to reduce the impact of fraud stemming from data breaches of every type.