When Hongyi “Michael” Wu found out last week that his personal information — including his Social Security number and birthday — had been hacked, he wasn’t all that surprised.
“It’s not too hard — with 143 million, it’s not too hard to be one of them,” the Virginia Beach resident said.
Wu and his wife are two of about 143 million Americans whose information was exposed when the credit monitoring company Equifax was hacked sometime this year. The company says it happened between mid-May and July, and that they found out about the breach July 29. They announced it publicly Sept. 7. One week after that announcement, it’s still not clear who hacked the company, when it happened or what happens now.
“I don’t think Equifax can recover this,” Wu said. “They can’t take the data back from the hacker because the information has been out there.”
For Wu, it’s not just a personal issue — he happens to be the director of Old Dominion University’s Center for Cybersecurity Education and Research. He teaches courses on cybersecurity, general techniques of encryption and decryption and how to protect computers and networks. This year, ODU is offering a cybersecurity class to incoming freshmen that includes field trips to the Naval Command Center and ODU’s data centers to learn about how they protect information. He’ll be teaching his students about the Equifax data breach this semester, using himself as an example.
Of the 143 million consumers affected by the breach, about 4 million are in Virginia, according to an estimate from the office of Attorney General Mark Herring.
In Virginia, identity theft that results in up to $200 in financial loss is a misdemeanor punishable by confinement of less than a year, and/or up to $2,500 in fines. Thefts that result in financial loss greater than $200 are felonies, eligible for a sentence of up to five years, according to state code.
But that’s just Virginia. Cybersecurity laws aren’t uniform from state to state, and these cases aren’t prosecuted federally, said Janine Hiller, a professor of business law at Virginia Tech’s Pamplin College of Business.
“The question is, and it depends on the state, some states would say the only penalty is by the state agency and that doesn’t give any individual right of action for the breach,” she said.
Besides a hit in its stock prices, scheduled congressional hearings and state and federal investigations — including one from the Federal Trade Commission — Equifax is facing a number of class-action lawsuits filed across the country, including Tennessee and Oregon. As of Friday, no lawsuits had been filed against Equifax in Virginia pertaining to the data breach.
“It may be some time before the extent of the damage is known, and we will be sure to keep Virginians updated during a rapidly developing situation,” Herring said in a statement following the breach.
As Equifax reels from the data breach, experts are also wondering what the legal and ethical fallout will be.
“Was it their negligence in failing to protect that caused the harm or was it criminals who were responsible?” Hiller said.
If it turns out someone’s information is exposed and used, it might be hard to prove it was because of the Equifax breach, and not some other hack.
“We feel vulnerable, we feel damaged and hurt by it, but in legal terms, that’s not an injury yet,” she said.
After Equifax announced its data breach, the company offered consumers credit protection — as long as they promised not to sue. The company later backtracked.
“You’re legally allowed to say if you want this, you’ve got to give up that, but that’s what makes it an ethical question in particular,” Hiller said.
But it might be up to companies to think creatively about how they protect individual consumers, Hiller said. That could mean incentivizing better security for businesses, or creating a pool for victims of identity theft, similar to car insurance practices. Equifax, of course, isn’t the first company ever hacked — Hiller pointed to similar hacks at Yahoo and Target. What’s different about this, she said, is that consumers don’t choose to patronize Equifax.
“It makes it less likely there would be any market reaction, but what will hurt them is if there’s more and more lawsuits filed, even if there’s reason to think lawsuits aren’t successful,” she said.
Too many people are getting used to data hacks, said Daniel Ferrell, a cybersecurity engineer for Sera-Brynn, a cyber risk management firm in Suffolk. This one, though, was too big to ignore.
“A lot of people I know didn’t bother to see if they were affected because they assume their data is out their anyway,” he said.
But Equifax should have known it was vulnerable, he said. That’s not the public’s fault.
“In this case, it’s pretty safe to say there’s no blame on the public, and that’s not always the case,” he said.
For Wu, the real question now is if his information will actually be used. Just because his information was compromised doesn’t mean it was used or sold. In the meantime, he signed up for Equifax’s one-year credit protection and he’s keeping a close eye on his bank statements and mail — missing bills or incorrect bank statements are red flags. He encouraged other people who’ve been hacked to do the same.
“I guess that’s something I can do for the time being. It’s hard. In general, everyone needs to be aware of this risk, no organization is immune from cyber attacks. There’s always a risk, and nowadays it’s unavoidable to put our personal info in cyberspace,” he said.
It’s up to Equifax to invest in a better defense system, but there are ways individuals can protect themselves, like being aware of the links they click on, and reacting to a hack early on.
“It’s just like taking care of our own health,” he said. “We cannot completely depend on doctors.”
Mishkin can be reached by phone at 757-641-6669. Follow her on Twitter at @KateMishkin.
