Beware—Criminals Could Be Using Your Confidential Information.
The Equifax breach may have affected 143 million Americans. When you consider that there are 247,813,910 adults living in the United States, that’s over 50%. The odds are pretty good that you’ve been affected.
Your private information may now be in the hands of criminals, with ongoing consequences as they sell your data to others.
If you’re affected, items like your Social Security number, birth date, address and driver’s license number could be used to steal your identity, credit card numbers and more.
Equifax discovered the “unauthorized access” on July 29th. An investigation is ongoing, and so far, they’ve found that the breach jeopardized credit card numbers for about 209,000 consumers and personal identifying information for approximately 182,000.
Equifax set up a Website — https://www.equifaxsecurity2017.com that you can visit to see if you’ve been impacted by the breach. They invite you to enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which is operated by Equifax. You’ll be asked to provide your last name and the last six digits of your Social Security number, and based on this they’ll send you (or so they say) a message indicating whether your personal information was impacted. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier until Nov. 21, 2017.
The Problem with Equifax’s Solution
Some are advising against enrolling in Equifax’s offer: http://frequentmiler.boardingarea.com/2017/09/08/is-the-equifax-cure-worse-than-the-hack/)
Plus, the Trustedid.com site Equifax promoted for free credit monitoring services was only intermittently available due to the high volume of traffic following the announcement about the breach.
And the site won’t necessarily tell you whether you were affected. Many haven’t received a yes or no answer to the question of whether they were impacted, but instead the message said that credit monitoring services weren’t available, and to check back later in the month.
Equifax says you’ll get free service for one year. The fact that they’re offering you their own identity protection services doesn’t seem quite right—To me it appears to be a conflict of interest. Typically, credit monitoring is free for a period of time, and then the company will try to upsell additional protection. And, why should we now trust Equifax to do anything right security-wise after this incident? Think about this.
Whose Fault Is This?
Who’s responsible? Equifax. The fact that the criminals obtained such a large amount of confidential data from the Equifax website implies that they didn’t update the security for their Internet-facing Web applications. This may have been due to a lack of security leadership at Equifax, as they were in the process of looking for someone to fill the role of VP of Cybersecurity. Nevertheless, this is no excuse. They could have hired an outside Managed Service Provider to ensure they were protected.
This isn’t the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans:
- In May 2017, criminals exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.
- In 2015, a breach jeopardized the personal data on at least 15 million consumers.
- Earlier, Experian granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, he was running an identity theft servicethat let cyber thieves look up personal and financial data on more than 200 million Americans.
Three top executives at Equifax sold millions of dollar’s worth of stock during the time between when the company says it discovered the breach and when it notified the public and investors. (Sounds fishy? I think so.)
The executives said they didn’t know about the breach when they sold their shares. Bronstein, Gewirtz & Grossman, LLC, a law firm in New York, announced that it’s investigating potential insider trading claims against Equifax.
Equifax will be target of multiple class action lawsuits as a result of the breach, but there’s no guarantee is will result in any money for affected consumers.
What Should You Do?
You can assume that all your personal information has already been jeopardized in this breach, and that it’s been sold many times over to other cybercriminals.
Here’s my advice:
Sign up for credit monitoring if you can. (Note: It’s typically not possible to sign up for credit monitoring services after a freeze is in place.)
Place a security freeze on your file with Equifax and the other major credit bureaus. Businesses should also do so with Innovis, a bureau that runs credit checks on businesses. The security freeze will block any creditors from viewing or pulling your credit file, unless you unfreeze it. With a freeze in place on your credit file, ID thieves won’t be able to get lines of credit in your name, and the freeze will help to protect your credit score because each credit inquiry lowers it.
More information on how to file a freeze is available here.
Protect Your Business and Internet-Facing Websites.
Just because you own or manage a business that’s much smaller than Equifax, you could be targeted by these same criminals. Ensure your IT security is robust and up to date. If you need assistance, contact our security experts at CyberStreams in Seattle, Bellevue and Western Washington. (425) 2 firstname.lastname@example.org This is the best that you can do for your business and customers.