Equifax, a consumer credit reporting company, discovered a breach in its online systems that could impact 143 million consumers.
When did the breach occur?
The breach occurred from mid-May through July 2017 and was discovered on July 29. Equifax alerted the public on Sept. 7, roughly six weeks later.
What information was involved?
Hackers gained access to files containing names, birth dates, Social Security numbers (SSNs), driver’s license numbers and addresses. They also stole the credit card numbers of about 209,000 consumers.
Why should I care?
The Equifax breach has been described as “massive” and “epic.” Adam Levin, chairman and founder of CyberScout, calls it a watershed event—one of the largest and worst breaches ever—because of the number of people affected and the type of information exposed. Impacted consumers are now vulnerable to a number of identity theft crimes and are often on their own to repair the damage done.
How did the breach occur?
Attackers exploited a vulnerability in Apache Struts, an open-source Java framework that companies like Equifax use to build web applications, according to The New York Times. The flaw was publicly disclosed in early March along with a patched release; it allowed a specially crafted web request to make the server run the attacker’s commands, with no login required. That means Equifax had roughly two months to install the patch before the intrusion began in mid-May but didn’t.
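The practical lesson of the paragraph above is patch hygiene: the fix existed, and the first step is knowing whether a vulnerable build is deployed. The script below is an added example, not Equifax’s tooling or anything from the Struts project. It scans a directory tree for `struts2-core-*.jar` files and flags versions that predate the fixed releases for the March 2017 bug (Struts 2.3.32 and 2.5.10.1; releases 2.3.5 through 2.3.31 and 2.5 through 2.5.10 were affected). The jar names in `SAMPLE_JARS` are constructed for the demo.

```python
"""Flag Apache Struts 2 core jars that predate the March 2017 RCE fix.

Added example for illustration; not Equifax's or the Struts project's code.
Fixed releases: 2.3.32 and 2.5.10.1. Affected: 2.3.5-2.3.31 and 2.5-2.5.10.
"""
import os
import re
from typing import Iterable, List, Tuple

# Matches e.g. struts2-core-2.3.31.jar or struts2-core-2.5.10.1.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# (first affected version, first fixed version) for each release line.
# Tuples compare element-wise, so (2, 5, 10) < (2, 5, 10, 1) as required.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]

# Constructed sample input: file names as a scan of a deployment might find them.
SAMPLE_JARS = [
    "struts2-core-2.3.31.jar",
    "struts2-core-2.3.32.jar",
    "struts2-core-2.5.10.jar",
    "struts2-core-2.5.10.1.jar",
    "struts2-core-2.5.13.jar",
    "commons-fileupload-1.3.2.jar",  # unrelated jar, ignored
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) for element-wise comparison."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this Struts version lacks the S2-045 fix."""
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def audit_jar_names(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (file name, version, vulnerable?) for every Struts core jar."""
    findings = []
    for name in names:
        match = JAR_RE.match(os.path.basename(name))
        if match:
            version = match.group(1)
            findings.append((name, version, is_vulnerable(version)))
    return findings


def find_struts_jars(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a directory tree (e.g. an app server's lib/ and webapps/)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return audit_jar_names(paths)


if __name__ == "__main__":
    # Demo on the constructed list; replace with find_struts_jars("/opt/tomcat")
    # to scan a real deployment.
    for name, version, vulnerable in audit_jar_names(SAMPLE_JARS):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {version:10} {name}")
```

Version strings are compared as integer tuples rather than as text, which is what makes 2.5.10.1 correctly sort above 2.5.10; a naive string comparison would get that wrong. The ranges are data, so the same script can be pointed at later Struts advisories by editing `AFFECTED_RANGES`.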
Who was behind the breach?
A group of hackers called “PastHole Hacking Team” claimed responsibility and demanded 600 Bitcoin in ransom or they’d release the data. Intelligence officials say it’s too early to confirm who’s behind the breach, but one theory is that a nation-state hit the company.
What is Equifax doing about the breach?
The Atlanta-based company set up a website where consumers could find out if their information was exposed. Consumers were asked to provide their last name and the last six digits of their SSN. Once submitted, they would receive a message saying whether they were affected. Equifax also said it was offering one year of free credit monitoring, and the terms of service for that offer included language barring enrollees from participating in class-action lawsuits. Public reaction was swift, and the company has since removed that language.
How has Equifax handled the breach?
Equifax has been surprisingly inept in its response. Consumers, privacy advocates, lawmakers and regulators all have expressed outrage. U.S. state breach notification laws generally require notice without unreasonable delay, and several states set fixed deadlines of 30 or 45 days after a breach is discovered. During that window any company would be scrambling to analyze the damage, but Equifax appears to have given short shrift to how it would notify consumers, who learned of the exposure weeks after the damage had been done.
What is the fallout from the breach?
A slew of class-action lawsuits claiming personal harm to consumers have been filed since the breach. We can also “expect commercial class actions claiming potential harm to businesses and other organizations” that depend upon credit bureau data to verify identities and determine creditworthiness, according to Eduard Goodman, CyberScout’s global privacy officer.
State and federal government initiatives have begun and may lead to regulation. In the long term, it’s likely that a replacement for the Social Security number as a unique way to verify identity will be needed. Alternatives may arise in the marketplace, through regulation or a combination of both.
What should Equifax do for consumers?
Ideally, Equifax would offer five years of credit monitoring to consumers, since stolen SSNs and birth dates do not expire the way card numbers do. That is unlikely to happen.
What should consumers do?
CyberScout recommends these steps for consumers:
- Contact providers. Ask your insurers, banks and employers if they offer identity management services, which often are a low-cost or free addition to existing services and will protect you going forward for the long term. Identity management services look for signs of fraud and provide access to specialists who can help you recover from identity theft quickly.
- Review credit reports for any unusual activity. Visit annualcreditreport.com, the government-mandated source for free annual credit reports. Investigate suspicious activity and monitor it until it’s resolved. Also, look for signs of fraud in your medical files, on your Social Security statement, in insurance claims, and in public records.
- Place a fraud alert on your credit file. An alert placed with any one of the three major credit bureaus (yes, that includes Equifax) is passed on to the other two and signals to potential creditors that you could be a victim of identity theft. Initial fraud alerts last for 90 days and require potential creditors to confirm the legitimacy of your identity before granting credit. Extended fraud alerts last for seven years and are available to consumers who are confirmed identity theft victims with a valid police report.
- Consider placing a security freeze on your credit report. This may be necessary if you're experiencing fraud as a result of the data breach. A freeze locks access to your credit file, so no one can open a new account in your name until you lift it; you will need to lift it yourself before applying for credit.