Equifax - one of the largest credit reporting agencies in the country - has been compromised, exposing personal information of up to 143 million Americans. Setting aside the irony of a hack of this magnitude against a company that provides ID theft protection solutions, here is what you need to know about it, and what you can do to protect yourself.
What We Know About the Equifax Data Breach (So Far)
The data breach was just announced in the afternoon of September 7, but was actually discovered on July 29. Through its investigation of the incident, Equifax is estimating that the breach occurred somewhere between mid-May and July.
A statement from the company does point out that their "core consumer and commercial credit reporting databases" were not compromised.
The data that was stolen during this breach includes names, Social Security numbers and birthdates for a reported 143 million Americans. That's half of the U.S. population.
Another 209,000 Driver's License and Credit Card numbers were also accessed, along with documentation on 182,000 disputed charges that contained additional personal information. Equifax will be mailing notifications to the roughly 400,000 consumers whose credit card or dispute data were accessed.
How Did The Breach Happen?
The criminals behind this hack exploited a website application vulnerability in order to gain access to the files.
(This should serve as a stark reminder that using legacy systems, and/or not having proper patch management strategies in place for all of your technology is putting your business at risk.)
What Will the Hackers Do With This Data?
One option is for the cybercriminals to sell it to other criminal outfits or hackers.
It can also be used to submit fraudulent credit applications on your behalf.
The other real possibility - and one that you should take note of - is that the data will be used to create targeted phishing campaigns.
Even cybercriminals who don't have your data may try to get in on the action by launching campaigns that purport to warn you that your information has been compromised.
Remember, cybercriminals follow the news and this Equifax data breach is a BIG story. So every hacker out there is going to consider how to exploit the fears that we all have around Identity Theft and this particular breach.
What Should You Do Next?
This type of breach is really tough, because your SSN doesn't change. In other situations you can change your password or enable two-factor authentication and breathe a sigh of relief. When your Social Security number is stolen, it can circulate for years and years and still hold its value. But there are still steps you can take, including:
Find Out If Your Data Was Breached
Equifax launched a dedicated website to address this data breach. The site includes a message from the company's Chairman & CEO along with FAQs and a link called "Potential Impact" which you can use to see if your personal information is potentially impacted.
While you won't get a definitive yes, it reportedly WILL tell you if you are not at risk.
The additional irony is not lost on anyone - especially us - that Equifax is asking you to enter MORE personal information into their site in order to verify whether or not you were part of the breach. For more on that, check out this Washington Post article.
You may opt to wait a few days to take this step, or just proceed with other protective measures as if your data has been breached (without getting official confirmation using this tool). Remember too that if additional information was stolen, you will be receiving written notification from Equifax by mail.
They are also encouraging all consumers - whether impacted or not - to enroll in TrustedID Premier, their credit monitoring and identity-theft protection services. If your information has been potentially impacted, they are offering this service at no cost for one year. (NOTE: as of this morning the system was overwhelmed, so consumers attempting to enroll experienced some technical issues. You may need to try a few times to complete the process.)
Equifax also has a call center that is open from 7 AM to 1 AM EST to answer questions.
Keep a Close Eye on Your Finances
Monitor your credit score, reports and all activity. Immediately report anything that seems fishy, such as notifications that new credit applications have been filed on your behalf. Fraudulent credit applications are one of the biggest risks with this type of breach.
If you discover that your data was accessed as part of this breach, it's recommended that you enroll in additional credit monitoring and identity theft services at least for the next several years. Whether or not you opt to take advantage of Equifax's offer of one free year, you should have this type of monitoring in place for longer.
The attackers who hold (or will buy) the data know that after a year many consumers will drop the extra monitoring, which means they can simply wait and, a year from now, begin their work in earnest.
Freeze Your Credit Reports
Taking this step will restrict access to your credit report, which helps to prevent other credit card companies from accessing it in an attempt to open up a new (fraudulent) account.
In order to put this freeze in place, you'll need to contact Equifax, Experian and TransUnion (the big three credit reporting bureaus) and request it. There is a small fee associated with this activity.
While this will prevent anyone from using your information to open a new account, the downside is that it also prevents legitimate companies from accessing your report. So if you needed to submit a loan application to buy a car or a new home, the freeze would gum up the process.
Freezing your credit reports should be considered very carefully before proceeding.
Stay Vigilant Against Phishing Attempts
Make sure you understand social engineering tactics and remember that if you are really the victim of identity theft, the last thing the company trying to help you sort it out would be doing is pressuring you to provide even more personal details.
Any unsolicited emails that are asking for (or demanding) your password or SSN should be treated as suspect.
As we noted above, everyone is going to be keen to capitalize on the Equifax data breach story: both the hackers who potentially have your data and the hackers who are simply going to try to scare you into clicking on a bad link so they can steal your data that way.