If you are one of the 140 million average Americans whose personal financial information was compromised in the recent Equifax data breach, the chance that you will be harmed by financial fraud is actually not very much worse than before, and the most important things you can do to protect yourself are to turn on dual factor authentication wherever possible and file your federal and state income taxes as early as you can.
You may also wish to freeze your credit reports if you are in one of the states where you can do this without paying an additional fee, but this may be of limited usefulness as for at least one credit rating agency the stolen data contains the information needed to unfreeze your account. Consumer Reports also recommends several other tactics that may help with less direct forms like driver’s license and healthcare fraud that could result from this breach.
The limiting factor in financial fraud is not the availability of personal data. Sets of full personal information, or “fullz”, are readable available on the black market at prices of $20 or less each. There are far more fullz available from various breaches of medical, payroll, and other databases than can be used by criminals. The limiting factor is monetization. The main forms of monetization for stolen financial data are credit card fraud, tax return fraud, and fake loan or credit card applications. Since the Equifax data does not contain CVV codes, it can’t be used for credit card fraud. That leaves tax return fraud and loan applications as the most likely candidates for fraud.
There are risks in both of these, as someone needs to receive the money. You can’t keep using the same person without attracting suspicion, so large scale fraud needs a large supply of money mules. The barriers for entry in tax return fraud are somewhat lower than applying for loans under an assumed identity. By filing your taxes as early as possible you can prevent anyone else filing a false claim in your name. I know this is the infosec equivalent of asking you to floss your teeth. It’s no fun at the time, but you will feel better once you have got it done.
There are some accounts for which access or password recovery relies on information which only the user might know, often drawn from a credit report. This is not very secure, and perhaps this data breach will help to put an end to this practice. The stolen data could be used to facilitate further account compromise for accounts using this form of validation. To help protect against this, turn on two factor authentication wherever you can, and remember to lie on those account recovery questions. The name of the street you grew up on is just a backup password, so treat it as such.
It’s not clear yet who stole the Equifax data, or why they did it. It’s possible that rather than being motivated by financial gain that this was a nation state actor collecting personal data for espionage purposes. In that case they would have no interest in the vast majority of the data, but would be trying to further compromise a particular set of individuals: politicians, activists, whistle blowers etc.
If the breach data does end up being sold off piecemeal on the black market, there is another set of individuals who should be particularly concerned. There is a premium on personal data about public figures. Politicians, show business personalities, athletes, models, and top businesspeople are all targets for the curiosity of the press and the public. These people may be targeted for further account compromise. Since partial credit card numbers are sometimes used as a form of identity validation, high value targets should report their credit cards as stolen and get a new ones if their credit card numbers were compromised by Equifax. Given the level of law enforcement interest in this case, though, anyone attempting to sell off the data will have to make sure they have bulletproof opsec.
So, for most people the risks are not that much greater than they were before the breach. However, depending on who was responsible for the breach, persons of political or public interest who were compromised should take extreme care to secure all their other accounts.