Equifax boasts of unique data breach experience!

An Australian web site promoting the data breach solutions business unit of global credit reporting giant Equifax singles out the firm’s “International breach solutions and experience”. This boast certainly rings true after revelations that over half of the United States population may have had their personal details exposed by hackers in an historic data breach.

As many as 209 million Equifax customers could be affected by the cyberattack, which is presumed to have taken place from mid-May through July 2017, and cybersecurity firms are still struggling to determine the extent of the damage.

The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and credit reporting dispute records with personal identifying information for about 182,000 people.

Although the vast majority of the breached data related to US citizens, an undisclosed number of UK and Canadian residents were also affected. There has so far been no reported impact on Australia and New Zealand.

Equifax acquired Veda, the leading provider of credit information and analysis in Australia and New Zealand, for $US1.9 billion in February 2016. Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. The company, which last year reported revenue of $US3.145 billion, holds data on more than 820 million consumers and more than 91 million businesses worldwide.

Equifax is blaming vulnerabilities in a “web application” for its massive breach. It failed to report the breach for 40 days and directed potential victims to a website that both requests even more personal information and promotes the company’s own credit monitoring service. 

A new report has uncovered that an Equifax online employee tool used in Argentina could be accessed by typing "admin" as both a login and password. This gave access to records that included thousands of customers' national identity numbers.

The Equifax Data Breach Solutions web site notes that “Data is breached every day. It is not only from theft or hacking but can occur from internal errors and failure to follow information handling procedures. It is not a matter of if, but when a data breach will occur.”

“Equifax is able to help protect your customers in the event of a data breach. Our solutions can also be used as a precaution and be provided to staff to help protect your business. 

“Data breaches can result in business disruption, lost revenue and customer trust. [Australian] Mandatory breach legislation passed in February 2017 means that serious data breaches now also need to be reported. The Commissioner has a range of powers depending on the nature and seriousness of the breach which can involve compensation and civil penalties.”

US senators have called for a federal investigation and nearly 40 states have now joined a probe into the massive Equifax data breach. The US Federal Trade Commission confirmed on Thursday that it opened a probe into the debacle.

Gartner analyst Christy Pettey believes it makes no sense to solely rely on static PII to identify an individual a business is engaged with when there is a greater than 50 percent chance that data is in criminal hands.

"Organisations should reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification. Systems based on dynamic non-PII data and behavioral indicators are more able to assess the legitimacy and risk of an identity claim than ones based on static, regulated PII data.

"However, a layered identity proofing approach is always the most effective approach. Successive layers of identity assessment processes provide stronger protection and make it much harder for criminals and other unauthorised users to compromise an organisation’s assets and systems. No singular identity assessment method used on its own is sufficient to keep determined fraudsters out, or sufficient to verify the legitimacy of an individual identity claim.

"Fraud, security and business managers should use multiple layers of identity assessment processes, as each layer backstops the previous one so that if criminals circumvent one layer, the next one will further deter them. Conversely, each successive layer adds assurance that an identity claim is legitimate.

"Identity assessment is not a one-time event. It needs to be a continuous cycle that is triggered by an authentication or transaction. Organisations can pick and choose which of the layered measures to take based on risk tolerance, identity assurance requirements and cost. Situations are fluid and constant change among a user population must be expected. The most appropriate strategy for assessing identity claims should be similarly fluid and dynamic," said Pettey.