Equifax, one of the three main credit reporting companies, said last week that a major data breach exposed Social Security numbers and other important information of millions of people.
The breach affected about 143 million consumers in the United States, as well as some in Canada and the United Kingdom, but Equifax didn't provide a number. Hackers had access to the data between May and July. The company publicly announced the hack on September 7, 2017
Equifax has not done much to clear up public confusion surrounding the breach, affecting nearly half of Americans. Many are left with questions regarding how this happened, and what to do now.
Here are the answers to 5 common questions:
What Information Was Stolen?
Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people, and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed.
Those are all crucial pieces of personal data that criminals could use to commit identity theft. Those are what John Ulzheimer, an independent credit consultant who previously worked at Equifax, called "the crown jewels of personal information."
How Did This Happen?
Equifax told news outlets the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.
“But even if Equifax had been breached due to an Apache Struts vulnerability, that’s no excuse,” said Boris Chen, vice president of engineering at tCell, a company that provides web application security. Equifax, as one of the top arbiters of consumers' creditworthiness, should be a trusted guardian of prized identity information such as Social Security and drivers' license numbers.
It's also currently unclear whether Equifax used a standard security technique of segmenting their networks, so even if hackers do get in, they can only gain access to a limited amount of data.
“A single vulnerability in a web component should not result in millions of highly sensitive records being exfiltrated. Security controls should have existed at many points along the way to stop such a catastrophic outcome,” he said.
What is Equifax doing to protect consumers after the breach?
Equifax set up a site, equifaxsecurity2017.com, where you can type in your last name and last six digits of your Social Security number to find out if your data may have been compromised. Consumers can also call 866-447-7559 for information. The company says it will send mail to all who had personally identifiable information stolen.
Equifax is also offering free credit monitoring for a year. The company says the service will search suspicious sites for your Social Security number, give you access to your Equifax report and other offerings. You can sign up at the same site listed above, and the deadline to do so is Nov. 21.
What other concerns has the breach, and its aftermath, brought to light?
In addition to the quantity and significance of the type of information that was stolen, there have been additional concerns that have come to light in the days following the discovery of the breach:
- Equifax waited six weeks before it announced the massive breach to the public.
- Three Equifax executives sold shares just days after the company found out about the hack.
- Equifax chose not to notify people who were affected; instead it set up a website.
- The website wasn't ready for days. People who entered their information were told to come back later.
- The website also required consumers to input their last names and last six digits of their social security number.
- Equifax offered free credit monitoring, but it initially required enrollees to waive their right to sue the company.
- It later backtracked, allowing people to sue -- if they send Equifax written notice within 30 days. Equifax has not removed the opt-out language from its general terms of service, but later assured customers that it won't be applied to use of the credit-monitoring service.
- Freezing credit is the best way for victims to protect themselves, but Equifax charges for freezes and has not made it easier to accomplish. On Monday, Equifax said in a tweet that "in response to consumer feedback, Equifax will waive all Security Freeze fees for the next 30 days."
- Equifax assigned easy-to-guess PINs to people who froze their credit. They later announced they were assigning more complex PINs.
What else can I do to protect myself?
- Check your credit reports. You can view your credit reports for free at AnnualCreditReport.com. You're entitled to a free copy of your credit report from Equifax, Experian, and TransUnion once every 12 months. Review it closely for unauthorized accounts or any mistakes. Visit IdentityTheft.gov to find out what to do if you recognize any unauthorized activity.
- Monitor your existing credit card and bank accounts closely. You may need to be vigilant much longer than the free year of credit monitoring Equifax is offering. "If any of the data was exposed, you will be living with that for the rest of your life," said Rich Mogull, who runs the security research firm Securosis.
- Consider placing a credit freeze on your files. Keep in mind, a freeze stops thieves from opening new credit cards or loans in your name, but it also prevents you from opening new accounts. So each time you apply for a credit card, mortgage or loan, you need to lift the freeze a few days beforehand.
- Consider placing a fraud alert on your files, if you decide against a credit freeze. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
- File your taxes early. Tax identity theft happens when someone uses your Social Security number to receive your tax refund. The sooner you file, the less chance you give thieves to file a false return.