Equifax: Australians' sensitive financial information at risk in data breach of US company

Posted Fri at 7:37pm

PHOTO: Equifax Australia holds the credit history information of hundreds of thousands of Australians. (Facebook: Scott Swan)

Australians could be caught up in an enormous hack of sensitive personal financial data that has left nearly half the American population at risk of identity fraud.

Equifax, which owns the credit history data and personal information of 800 million people around the world, confirmed the personal data of 143 million people has been hacked.

The company wholly owns Equifax Australia, previously known as Veda, which itself holds the credit history information of hundreds of thousands of Australian customers.

Despite Equifax tweeting its assurances that there is no evidence yet its Australian customers are affected, cybersecurity expert Mark Gregory from RMIT said Australians should urgently check their credit records.

"It's most important at this point because of the Equifax cyberattack that people go to the Equifax website and see if any information on their credit report is unusual or not correct," Dr Gregory said.

"With identity fraud, the major target of it is credit cards and you can find that people put things onto your credit card without you even knowing."

Equifax Australia did not respond to the ABC's attempts to reach it for comment, but the company posted two tweets on Friday saying its local customers' information was safe.

"Please be assured that we have found no evidence that personal information of consumers in Australia or New Zealand has been impacted by the US cybersecurity incident," the tweet said.

Because Veda was only fully acquired and rebranded as Equifax Australia last year after decades of operating as an independent company, Dr Gregory said Australians are at a lesser risk.

"We should probably assume at this point that the data has not been integrated between the countries, but that's not to say that there hasn't been some data integration," he said.

Equifax defends long delay in notifying of cyberattack

The compromised data includes birthdates, addresses, credit scores and US social security numbers, which analysts say could be worth thousands of dollars each if sold to criminals on the dark web.

In a video posted on Equifax's American website, chief executive Rick Smith apologised and conceded the hack suggested the company had not done enough to keep sensitive personal information safe.

What is the dark net?

For all that is written about the dark net, most people struggle to understand it. Here's a simple, user-friendly explainer of what it is, how it is used, and the questions it raises as we drift deeper into the digital age.

He also defended the fact that the hack occurred months ago in May, and was not even detected until July or publicly confirmed until now.

"We acted immediately to stop the intrusion. We [reported] the event to law enforcement, and we continue to work with authorities," Mr Smith said.

"This is clearly a disappointing event, and one that strikes at the heart of who we are and what we do. While we've made significant investments in cybersecurity, we have more to do and we will."

Independent security analyst Troy Hunt said he is sceptical of Equifax's claims it could not have disclosed the cyberattack earlier, and said the delay may have further compromised customer data.

"The problem with delaying that long is that once an organisation knows that their customers have been exposed, we really need to let these people know as soon as possible," Mr Hunt said.

"Unfortunately, [the Equifax hack] is not a very positive outcome for those who actually use credit monitoring to protect themselves."

It is still unknown whether the hack was orchestrated from outside the company or in, nor whether state actors may have been involved.