While most of the discussion about the Equifax data breach has centered on the impact to individuals and protecting their personal credit, I want to discuss the impact on our banks and how we need to review and potentially update our policies and controls, given the information that hackers can now potentially leverage.
The Equifax breach has potentially exposed personal information for almost half of the US population. The data potentially in the public domain contains information that many organizations use to ‘authenticate’ their customers for phone calls, resetting passwords, etc. Imagine if your standard procedure for verifying a customer who has called into your financial institution consists of verifying their address, SSN, maybe even a previous address, a driver's license number, etc. Any of this information is potentially now in the hands of the bad guys.
What Can You Do?
Financial institutions need to review their policies related to how they know their customers. If they leverage any of the potentially breached types of information, then some changes are going to need to be made. Some of this type of data was already public, like a mailing address, but much of the other data, such as SSN, previous addresses, credit information, or driver's license number, was not, and it can no longer be trusted to verify that a person is who they say they are. This also goes beyond just phone verification, as a good enough fake driver's license could be printed up that might work well at a walk-up teller line, even though it may not pass muster with the TSA or the police.
This is the time to have your departments review their policies and procedures for verifying customers. Procedures for walk-up customers as well as phone calls need to be reviewed. Make sure the process your organization is following mitigates the risk associated with the data breach that just occurred, and ensure that you have minimized the risk of impact for your financial institution.