Weaponizing Equifax Data

[UPDATE]: Equifax recently turned over new documents to the US Senate Banking Committee indicating that the data breach was more substantial than the company had first disclosed last year. It now appears that the breach also included taxpayer identification numbers, phone numbers, email addresses, and credit card expiration dates belonging to some Equifax customers. In essence, the Equifax hackers have everything they need to pull off identity theft, and yet Equifax continues to do everything it can to avoid taking responsibility for a breach that will lead to an unquantifiable amount of financial fraud in the next few years.

One of the most notable parts of Senator Elizabeth Warren’s February 2018 Equifax report is the following:

“Equifax Ignored Numerous Warnings of Risks to Sensitive Data: The Equifax data breach did not come out of the blue. The company had ample warning of potential risks to its systems and potential weaknesses. Equifax was subject to several smaller breaches in the years prior to the massive 2017 breach and received a specific warning from the Department of Homeland Security about the Apache Struts vulnerability that was used by the hackers to breach the company’s systems. But Equifax failed to heed – or was unable to effectively heed – these warnings.”

Below is a blog story I originally published on October 10, 2017. As the Equifax fall-out continues, it’ll be interesting to track the congressional response. I’ll keep our readers informed of what happens next with this evolving news story.

---

Forget how it happened, how fast the class-action suit was filed, and whether the CISO has a degree in cyber-something or not — all interesting, but for another time. The information warfare potential in the Equifax dataset is something I think needs some discussion.

One ex-Intel, still-cleared resource was consulted on this opinion, but mainly I've just been thinking through the logic of what can be done with the Equifax data, who might be responsible, and how we might think about preparing for a disruption event. To date, most of the prognostication has been concerned with how individuals can prepare for potential bad outcomes.

Whodunit? That’s the $6M Question.

The data includes everything necessary for financial fraud — credit cards, mortgages, boats — anything that can be bought with credit and laundered, such as buying and selling vehicles. There is also a finite possibility of direct theft of funds. The data can be monetized by organized crime, absolutely.

It's apparently for sale for $6M, which is a lot of cash. Any entity buying it would have to have planned how to monetize the data and how long a return on that investment would take. That would have to be balanced against the realities of scale and detectability. In other words, they would have to go big to make money quickly, but would be reluctant to do it.

Massive command and control, followed by significant money laundering operations, would be necessary at a time of increased scrutiny and prosecutorial success by the FBI and US Attorneys. An operation of that size would be easy for the FBI to detect and ultimately track. They're good at it. It's possible there could be a low/slow application of the data to monetize it, but ROI would take a long time, so again, not likely if profit is the key motivator.

So whodunit? It has been reported that China may be implicated, but with so much diversion and false-flaggery, I think these are early reports and the jury is still out. Regardless, just plain logic suggests a state-level actor in possession of, if not directly responsible for the theft of, the Equifax data.

It’s Not about the Money

That means it would be weaponized as targeted (bonus: likely using AI to optimize the target distribution) hit-and-run jobs, primarily to create disruption - perhaps with a light patina of theft for false-flag realism. It’s already been suggested that this is a state actor (with no more specificity than that), and the desire to create financial impact can be separated from an actual profit motive. Selected entities and individuals, which may be a significant fraction of the population, could have a near-simultaneous financial nightmare, with no expectation on the part of the actors that the operation will be monetized. Just financial chaos. Businesses are already uneasy about how the Equifax fallout could affect the broader economy.

If the data gets chopped up and sold in pieces, that would bring another set of problems. But today, signs point toward financial disruption as an application of OUR Equifax data, and the federal government might want to think in advance about how that would be handled.

Response & Recovery Might Be Unlike Anything Seen Before

Heads up on this. Response and recovery would require an extremely functional and prepared federal government. The fallout from a scenario like this would be a perturbation of commerce, with ripple effects modeled by the target selection. Something like that is plausible, and looking increasingly likely. Note that there would likely be a call for a military-esque response, which would hopefully be well-researched, advised, and exercised by appropriate authorities.

Michael K Hamilton CISSP

The CISO