Equifax Data Breach May Have Affected 143 Million Customers
Equifax said Thursday that 143 million people could be affected by a recent data breach in which cyber-criminals stole information including names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.
Additionally, credit card numbers for about 209,000 people were exposed, as was “personal identifying information” on roughly 182,000 customers involved in credit report disputes. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Equifax is one of three nationwide credit-reporting companies that track and rate the financial history of U.S. consumers. It gets its data — without you even knowing — from credit card companies, banks, retailers, and lenders.
Equifax will not be contacting everyone who was affected, but will send direct mail notices to those whose credit card numbers or dispute records were accessed.
The company suggests you sign up for credit file monitoring and identity theft protection however, we suggest you refrain from taking their offer of free credit monitoring for 12 months. If you accept, you could be opting-out of your rights to participate in an upcoming class action lawsuit. If you don’t care to be compensated for the data breach, you can enroll in the free credit monitoring. To do so, go to www.equifaxsecurity2017.com and click on the Check Potential Impact tab. You must submit your last name and last six digits of your Social Security number there. At that point you’ll be given a date when you can return to the site and sign up for the service.
The site says once you’ve submitted your information you will receive a message indicating whether you’ve been affected. But it’s unclear when or how you will receive that message.
Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity. Thieves were able to siphon far more personal information — the keys that unlock consumers’ medical histories, bank accounts and employee accounts.
“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.
Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.
How to Protect Your Information Online
There are more reasons than ever to understand how to protect your personal information. Major website breaches seem ever more frequent.
Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.
“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.
To make matters worse, potential victims have had trouble contacting Equifax to find out if they are a victim of the breach.
Adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.
The fillings showed that the trio – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – offloaded the shares on August 1 and August 2.
The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.
Equifax also houses much of the data that is supposed to be a backstop against security breaches. The agency offers a service that provides companies with the questions and answers needed for their account recovery, in the event customers lose access to their accounts.
“If that information is breached, you’ve lost that backstop,” said Patrick Harding, the chief technology officer at Ping Identity, a Denver-based identity management company.
Equifax said that, in addition to reporting the breach to law enforcement, it had hired a cybersecurity firm to conduct a review to determine the scale of the invasion. The investigation is expected to wrap up in the next few weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Richard F. Smith, chairman and chief executive of Equifax, said in a statement. “Confronting cybersecurity risks is a daily fight.”
Using the data stolen from Equifax, identity thieves can impersonate people with lenders, creditors and service providers, who rely on personal identity information from Equifax to make financial decisions regarding potential customers.
Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.
People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.
The company also suggests getting a free copy of your credit report from the three major credit bureaus: Equifax, Experian and TransUnion. These are available at annualcreditreport.com. It also suggests contacting a law enforcement agency if you believe any stolen information has already been used in some way.
Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.
Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.
“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.
Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.
Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.
Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.
“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”