WASHINGTON - For as many as 143 million consumers whose personal data was stolen in the breach of the Equifax credit bureau, here's how criminals might take advantage:
They might try to buy a gun in your name. Or get a second mortgage on your house. They could lease a car by impersonating you, and crash it. They might steal your tax refund or Social Security check. Maybe they'll get your health records.
For victims of the breach, headaches may recur for years. U.S. consumers are stricken by a new reality: Companies that gather personal data on them often are unable to protect that data.
The breach, which Equifax announced Sept. 7, sent a ripple through the business world. A new shock came Wednesday when the Securities and Exchange Commission said that it had been hacked, too, amounting to a one-two blow to confidence in the financial system. Hearings are already scheduled on Capitol Hill, and plenty of hand-wringing is unfolding in boardrooms. Calls for regulatory reform mount. A hopeful few see a silver lining.
"There is one benefit of Equifax. It is a serious debate on identity protection that's raging across all modern economies that are driven on credit," said Greg Clark, chief executive of Symantec, a cybersecurity company. "It will lead to more protection of consumer and citizen data."
Underlying the Equifax breach and its impact on consumers are other related issues. One is the lack of a mandate for companies that are breached to reveal what they did, or didn't do, before things went wrong. Another is the reliance on Social Security numbers as a national identification system.
"I'm sure that the amount of money that Equifax was spending on cybersecurity was a big number," said Ron Gula, a former National Security Agency analyst who now heads Gula Tech Adventures of Ellicott City, Md. "But whatever it was, it wasn't enough."
For Atlanta-based Equifax, the mistake was costly. Its market capitalization fell from $17.1 billion the day it announced the breach to $12.6 billion on Friday.
Gula urged reforms so that major hacks affecting millions of people would be investigated in a way akin to federal investigations of air disasters. Such inquiries should detail whether companies took adequate steps to prevent intrusions, he said.
Companies can have "many, many reasons" for not installing security patches, he said, including concerns that a patch could affect a website's stability or customer experience.
"If you go in and patch something and it breaks an application and you have an outage - maybe like Southwest.com or any of the outages that happen throughout the year - those things can be career-ending events," Gula said.
In the case of Equifax, the software vulnerability exploited by hackers was in web server software known as Apache Struts, and users were notified to install a patch to fix the software March 7. Equifax has not said publicly why its technicians did not install it.
More public disclosure, perhaps through quarterly reports, Gula said, would move companies toward spending more to maintain digital security.
"I believe the requirement to disclose security issues is going to trump the need to have a stable and well-run website," he said.
Among the personal data pilfered in the Equifax hack were names, birthdates, addresses, and Social Security numbers. In some cases, credit card and driver's license information was also taken.
"The data that was stolen was far more detailed compared to other breaches," said Rohit Chopra, former assistant director of the Consumer Financial Protection Bureau, an agency created after the 2008 financial crisis to protect consumers against abusive lending.
"I'm worried some people will see their bank accounts drained," he said in an email.
The vast personal data trove gives ammunition to criminals.
"Next year, we expect to see a 10 to 15 percent increase in application fraud as a result of this," said Frank McKenna, chief strategist at PointPredictive, a San Diego company that helps auto lenders fight fraud. Auto fraud could hit $6 billion this year, the company says.
With the personal data gleaned from Equifax, fraudsters can make up fictitious names and addresses to go along with real Social Security numbers, and create new consumer profiles, he said. Another tactic is to take over existing credit card accounts.
"You can impersonate a customer and take over the accounts they have today. I'll just change your address for mine, get the new cards and start spending," McKenna said.
Chopra said, "Hackers might even be able to obtain your confidential medical records, since many health insurers identify you through your Social Security number and date of birth."
The Equifax breach affects mainly U.S. consumers, and to a lesser extent consumers in Canada and Britain. But breaches of personal data are a global problem, including in countries like India, which is moving toward a largely cashless digital economy.
"If there is lemonade in these lemons, it is the awareness and the heightened level of scrutiny that is required around these pools of data," Clark said. "Equifax is a catalyst around this data in the cyberspace dimension. It is also a catalyst around identity and how we manage it."
Social Security numbers are gold for hackers, said Avi Chesla, co-founder and chief executive of Empow, an Israeli cybersecurity firm that helps clients use artificial intelligence to make their systems more secure.
"As the Social Security number has become a de facto national identification number for taxation and other purposes, it is a very attractive target for hackers," Chesla said, adding that it "is a relatively easy task" for those infiltrating networks to find, copy and extract files containing Social Security numbers.
Without a good alternative in place, Chesla said consumer trust will take a hit.
"It's a psychological issue. If people think their (Social Security number) is not safe, they will stop giving it online," Chesla said. "The power of online services will be diminished and this will take all of us 'back in time.' "