8th Sept 2017
Australians could be caught up in an enormous hack of sensitive personal financial data that has left nearly half the American population at risk of identity fraud.
- Credit rating company Equifax says the data of 143 million US customers has been hacked
- The hack was detected in July, but customers were not notified until September
- Despite assurances, cybersecurity experts warn Australians’ data could be compromised
Equifax, which owns the credit history data and personal information of 800 million people around the world, confirmed the personal data of 143 million people has been hacked.
The company wholly owns Equifax Australia, previously known as Veda, which itself holds the credit history information of hundreds of thousands of Australian customers.
Despite Equifax tweeting its assurances that there is no evidence yet its Australian customers are affected, cybersecurity expert Mark Gregory from RMIT said Australians should urgently check their credit records.
“It’s most important at this point because of the Equifax cyberattack that people go to the Equifax website and see if any information on their credit report is unusual or not correct,” Dr Gregory said.
“With identity fraud, the major target of it is credit cards and you can find that people put things onto your credit card without you even knowing.”
Equifax Australia did not respond to the ABC’s attempts to reach it for comment, but the company posted two tweets on Friday saying its local customers’ information was safe.
“Please be assured that we have found no evidence that personal information of consumers in Australia or New Zealand has been impacted by the US cybersecurity incident,” the tweet said.
Because Veda was only fully acquired and rebranded as Equifax Australia last year after decades of operating as an independent company, Dr Gregory said Australians are at a lesser risk.
“We should probably assume at this point that the data has not been integrated between the countries, but that’s not to say that there hasn’t been some data integration,” he said.
Equifax defends long delay in notifying of cyberattack
The compromised data includes birthdates, addresses, credit scores and US social security numbers, which analysts say could be worth thousands of dollars each if sold to criminals on the dark web.
In a video posted on Equifax’s American website, chief executive Rick Smith apologised and conceded the hack suggested the company had not done enough to keep sensitive personal information safe.
He also defended the timeline, in which the hack occurred months ago in May, was not even detected until July, and was not publicly confirmed until now.
“We acted immediately to stop the intrusion. We [reported] the event to law enforcement, and we continue to work with authorities,” Mr Smith said.
“This is clearly a disappointing event, and one that strikes at the heart of who we are and what we do. While we’ve made significant investments in cybersecurity, we have more to do and we will.”
Independent security analyst Troy Hunt said he is sceptical of Equifax’s claims it could not have disclosed the cyberattack earlier, and said the delay may have further compromised customer data.
“The problem with delaying that long is that once an organisation knows that their customers have been exposed, we really need to let these people know as soon as possible,” Mr Hunt said.
“Unfortunately, [the Equifax hack] is not a very positive outcome for those who actually use credit monitoring to protect themselves.”
It is still unknown whether the hack was orchestrated from outside the company or from within, or whether state actors may have been involved.