Equifax Data Breach May Have Affected 143 Million Customers

Equifax said Thursday that 143 million people could be affected by a recent data breach in which cyber-criminals stole information including names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.

Additionally, credit card numbers for about 209,000 people were exposed, as was “personal identifying information” on roughly 182,000 customers involved in credit report disputes. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Equifax is one of three nationwide credit-reporting companies that track and rate the financial history of U.S. consumers. It gets its data — without you even knowing — from credit card companies, banks, retailers, and lenders.

Equifax will not be contacting everyone who was affected, but will send direct mail notices to those whose credit card numbers or dispute records were accessed.

The company suggests you sign up for credit file monitoring and identity theft protection; however, we suggest you refrain from taking their offer of free credit monitoring for 12 months. If you accept, you could be opting out of your rights to participate in an upcoming class action lawsuit. If you don’t care to be compensated for the data breach, you can enroll in the free credit monitoring. To do so, go to www.equifaxsecurity2017.com and click on the Check Potential Impact tab. You must submit your last name and last six digits of your Social Security number there. At that point you’ll be given a date when you can return to the site and sign up for the service.

The site says once you’ve submitted your information you will receive a message indicating whether you’ve been affected. But it’s unclear when or how you will receive that message.

Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity. Thieves were able to siphon far more personal information — the keys that unlock consumers’ medical histories, bank accounts and employee accounts.

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

How to Protect Your Information Online

There are more reasons than ever to understand how to protect your personal information. Major website breaches seem ever more frequent.

Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.

“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.

To make matters worse, potential victims have had trouble contacting Equifax to find out whether they are victims of the breach.

Adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.

The filings showed that the trio – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – offloaded the shares on August 1 and August 2.

Equifax said on Thursday it discovered a data breach on July 29. However, in their earnings call transcript dated July 27th, the three execs seemed to believe their stock was on the way up.

The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Equifax also houses much of the data that is supposed to be a backstop against security breaches. The agency offers a service that provides companies with the questions and answers needed for their account recovery, in the event customers lose access to their accounts.

“If that information is breached, you’ve lost that backstop,” said Patrick Harding, the chief technology officer at Ping Identity, a Denver-based identity management company.

Equifax said that, in addition to reporting the breach to law enforcement, it had hired a cybersecurity firm to conduct a review to determine the scale of the invasion. The investigation is expected to wrap up in the next few weeks.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Richard F. Smith, chairman and chief executive of Equifax, said in a statement. “Confronting cybersecurity risks is a daily fight.”

Using the data stolen from Equifax, identity thieves can impersonate people with lenders, creditors and service providers, who rely on personal identity information from Equifax to make financial decisions regarding potential customers.

Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.

The company also suggests getting a free copy of your credit report from the three major credit bureaus: Equifax, Experian and TransUnion. These are available at annualcreditreport.com. It also suggests contacting a law enforcement agency if you believe any stolen information has already been used in some way.

Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.

Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could take information stolen from Equifax and use it to open accounts with creditors that use Experian or TransUnion.

“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.

Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.

Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.

Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”

 

 

  • Abdel Van Der Djellal

    What a bunch of amateurs. Having this much sensitive data should make security #1 in your list but you chose to prioritize $$$… You can shove your apology up your butts. We as consumers should be compensated in $$ for your recklessness…

    • Brenda Childs

      Can you say “Class Action Lawsuit”?? I agree. ⚖️
      Equifax has ONE JOB!! To keep consumer information SAFE. And they couldn’t do it. I wonder how many times they’ve been hacked and the public was not made aware?

  • Robin Hagin

    What the hell??? Equifax has been hacked??? You’d think they’d have the highest security in the nation considering all the private info they have. Whoever hacked Equifax has just hit the jackpot. Plus this happened in July, so the hackers really have a great head start. What’s even sadder, some hackers got into another business so they offered myself and others a year free of monitoring.. guess by who? Yup. Equifax.

    • Sheryl Morris

      Actually, it happened mid-May through the end of July. Equifax did not find out until July 29!

      • Phill Carpenter

        Sheryl Morris and apparently execs dumped stock on Aug 2

  • Melanie Comello

    So, let me get this straight. They found out that they were hacked, which could potentially affect 143 million U.S. customers, going on a month and a half ago? And they wait this long to let us know that they’re heartbroken by this event? Just what, long enough for this to actually have severe effects on consumers, vs. on July 29th, when people could’ve possibly done preventative actions to hope to thwart off any adverse effects to their credit scores or worse, their bank accounts? Yep, seems like a company that’s genuinely concerned with their ahem, I mean your financial well being.
    Bet this hack has nothing to do with them outsourcing. Obviously, any company within the credit bureau industry that uses offshore outsourcing has your best interest at heart! Right Equifax?

  • Noah Collins

    Unbelievable – Equifax can never be trusted again. How do I join the class action? Don’t care if the lawyers all get paid as long as it bankrupts you. How do I sign up for your, questionable, free protection – the site doesn’t work, of course. Can’t protect anyone’s data, and can’t build a functioning site to address the fact that you can’t protect anyone’s data. Should you even still try? Probably not. Hang it up, you’re done. No lender should EVER trust any information you provide ever again.

  • Kay Oxford

    You can’t reach anyone by phone, they leave you on hold forever. What the hell is Equifax Trusted ID Premier? They want to enroll you in it without telling you anything! There’s no way to find out if you’re one of the 143,000,000 affected. We need a class action suit. They renewed me for another year without telling me this first!

  • Sean Snyder

    Credit agencies have swooned, swindled, and strong-armed their way to the top of our microeconomic food chain, and here’s one of them playing fast and loose with our futures. The average person has a hard road ahead in life without the agencies’ blessings, and they pass their judgement based on their mathematical opinion of our choices, and yet they’ve made the insufferable choice to let our data be abducted. Mistakes happen, yes, but not investing in cybersecurity commensurate with the level of potential harm is unacceptable. I might even venture to say it’s criminal (or should be). I want them held liable. F*ck these guys.