My guess is that all of you have heard about the recent cyberattack against Equifax that potentially exposed the personal information of 143 million people, nearly half the U.S. population. Many of you have probably used the site Equifax created to check whether your information has been compromised. All of us in the office are part of the potentially affected club. The personal information leaked earlier this month included names, Social Security numbers, birthdates, addresses and, in some cases, credit card info and driver’s license numbers. Isn’t it ironic that an agency many people use to guard against identity theft has now exposed many of us to that very risk? Since the mega-breach occurred, Equifax has made mistake after mistake, causing consumers to lose all faith in the company.
Following the breach, Equifax quickly set up a website to help people determine whether they had been affected, www.equifaxsecurity2017.com. To make matters worse, on four occasions, Equifax accidentally tweeted the wrong web address for checking whether your information was stolen. The incorrect link it tweeted directed you to a fake phishing site that, thankfully, was actually set up by a software engineer to educate people rather than steal their information. Nick Sweeting, the programmer who created the fake site, said the Equifax site was dangerously easy to impersonate and it only took him 20 minutes to build his clone. He claims he did it solely to draw attention to the weakness of Equifax’s security. For a company struggling with public trust, this was a particularly bad mistake. Equifax should have simply built pages to handle the breach directly on its main site, Equifax.com, instead of using an entirely different website address.
Equifax learned about the breach at the end of July and took roughly six weeks to disclose it. The mega-breach took place between mid-May and July, but a report from Mandiant (the firm hired to investigate the hack) revealed that a smaller network breach took place in March, likely pulled off by the same attackers. The attackers got into Equifax’s systems through a known vulnerability that went unpatched. Equifax had attempted to apply the patch to all its systems but unfortunately missed several of them. It has also come to light that a digital platform used by Equifax employees in Argentina used the administrative logon credentials “admin, admin”. Now there are a lot of questions about how inadequately Equifax’s data was secured.
To add fuel to the fire, Equifax’s CFO and two other senior executives cashed in on almost $2 million of Equifax stock once they learned about the hack. An Equifax representative claims they had no knowledge that an intrusion had occurred at the time they sold their shares. This is currently being investigated by the FBI. In other news, the company’s Chief Information Officer and Chief Security Officer are retiring effective immediately.
I’m sure what you really want to know is whether you should be worried if your information has been accessed. As I’ve said before, a healthy sense of fear is not bad when it comes to securing your information. If your information was compromised, you should enroll in the free service Equifax is providing, TrustID Premier. This includes 3-Bureau credit monitoring of Equifax, Experian, and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers.
The most important thing is to be vigilant. Certainly pay close attention to your credit card statements, as more than 200,000 credit card numbers were exposed. The good thing about credit cards is that the company extending the credit serves as the intermediary. If you see a charge you didn’t make, call them immediately; they will cancel the card, and you are not on the hook for the fraudulent charge(s).
The potential for identity theft really puts us at risk of fraudsters opening bogus charge accounts and filing fake tax returns. You should check your credit reports, which you can do for free. Freezing your credit is the best way to protect yourself from most identity theft. You would have to do this with all 3 agencies. Equifax’s service will take care of it for Equifax’s own reports, but the other 2 agencies will charge a few dollars to lock and then unlock if needed. It’s a bit of a hassle if you’re someone who regularly opens retail accounts, frequently leases cars, changes utility providers, etc. If you don’t open new charge cards or otherwise need new credit, locking your account isn’t very inconvenient.
You can also place a fraud alert on your account for free with the other 2 agencies. While not perfect, it would at least let a creditor know to look more closely if someone tried to open an account. The tax return issue is a little more problematic. The IRS had a really big problem with accepting fake returns and issuing refunds in the past. They’ve made progress in addressing this but it’s still a problem that is out of our control.
This was such a monumental failure that there will certainly be some legislative action that comes from this. I think the longer-term fix will come later, once the state Attorneys General and Congress have their say. For now, we can take extra steps to monitor our security and be quick to act if any suspicious activity occurs.