What’s the Story?
Yesterday, Equifax announced it suffered a massive data breach that may have resulted in the personal data of up to 143 million people being compromised by currently unidentified hackers. The compromised data reportedly includes full names, birth dates, social security numbers, addresses, and, in some cases, driver’s license numbers. It is currently unknown who the hackers were or the full extent of the breach. It is very likely this information will not be made public. Here is the statement from Equifax’s breach website:
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Equifax has extensive access to a huge amount of financial and personal data for nearly all American adults. As one of the three major credit reporting firms in the United States, it is a critical player in the credit industry and a resource for financial institutions when they evaluate the creditworthiness of individuals for any type of loan (mortgages, cars, credit cards, etc.). As such, the company also has access to data from various financial institutions and the government regarding credit cards, loans, debt, and payment history. Although Equifax reported there is no evidence of unauthorized activity on its core consumer or commercial credit reporting databases, there is a possibility that some of this additional data may have been compromised. It remains to be seen whether Equifax will confirm that this was not the case.
Unfortunately, it took Equifax five weeks (after discovering the breach) to notify the public. While it is important to recognize that Equifax felt they needed to understand the breadth and depth of the breach before going public, it means that for those five weeks, 143 million victims remained ignorant and unable take action to protect themselves.
What this means for those affected is that their personal and financial data is now in the hands of illicit hackers, whose most likely action will be selling the data on the dark web to the highest bidder. Victims can eventually expect attempts to steal their identity: Credit cards opened in their name, unauthorized loans appearing on their credit reports or other fraudulent activity. For higher public profiles and individuals with high net worth, the stolen data could also be used for extortion or blackmail.
What can you do to protect yourself?
- Assume your data was stolen. Go to “equifaxsecurity2017.com” and check to see if your information “may have been included” in the information that was stolen.
- Enroll in identity theft protection. Equifax is offering enrollment in their free monitoring service.
- Consider getting new credit card numbers, tighten up your passwords on your financial accounts, regularly check your credit reports to look for fraudulent activity, and close any accounts you no longer use or need.
- Consider freezing your credit files with the three credit bureaus. This prevents potential creditors from viewing your credit history. When you know you need credit, you can always unfreeze it.
- Expect email scams and phishing attempts that try to exploit your vulnerability. Be wary of any unsolicited email (whether it is directly addressing the Equifax breach or not). Learn to recognize phishing emails. Do not open attachments and do not click on links within emails.
We also recommend information security professionals inform their workforce of this breach and educate their staff on how to protect themselves. Since employees often access the internet and their email from a company network or computer, organizations may also be at risk.
Unfortunately, this breach will have repercussions for years to come: Hackers have been known to sit on stolen data for a few years and then look for buyers when the “coast is clear”.