Many times, once the news of a major network security breach has reached the media, the information has already been available to criminals for months or even years and e-commerce merchants have already been widely victimized. The massive attack on credit bureau Equifax revealed on Thursday, however, is different, according to cybersecurity and fraud experts. The breadth of the personal data stolen from 143 million Americans in the intrusion allows for a wide variety of fraud attacks, and merchants have not seen the worst of it by any stretch, said former hacker and fraudster Brett Johnson.
Why? The data is being held for ransom, he told CardNotPresent.com.
Johnson, a former U.S. Most Wanted fugitive who spent time in federal prison for fraud and developed many of the successful techniques still being used to attack e- and m-commerce merchants, said the nature and scale of the stolen information will result in an increase for all identity- and credit-related crimes across the board including “complete ATO of all accounts.”
And, despite the fact that Equifax said the hack took place between mid-May and July, giving fraudsters a chance to reap some rewards, most of the information stolen is still waiting to be leveraged, sources in the hacker community have told Johnson.
“With this data, the damage won’t last for weeks or months, it will last for years,” predicted the hacker-turned-security-consultant. “I do not think the data has been used yet because I believe the attackers are trying to sell it back to Equifax. If they are smart, they sit on it until payment is made—then they sell it [on the open market]. I would expect that samples of this data have been given out and used by the attackers, but I really don’t think we’ve seen a mass use of it yet.”