Equifax Data Breach: Who to Trust and What to Do Now
By now you likely know about the massive data breach by Equifax which has left nearly 143 million Americans vulnerable to identity theft and fraud. That’s nearly half the U.S. population impacted! Of that 143 million, about 200,000 have had their credit card numbers exposed to the hackers. People are understandably upset and are speaking out in droves, some commentators were even calling for the end of the credit-reporting industry. The data breach has also triggered the first enforcement action in the United States against a company for their failure to protect citizen sensitive information. Normally when there is a data breach, people often are offered one year free credit monitoring and if there are any discrepancies or suspicious behavior you can take action. However, in this situation one of the credit reporting agencies was compromised in what is shaping up to be one of the single largest data breaches in modern history. So when it comes to protective measures what can you exactly do, when you can’t even trust a top reporting agency? Well let’s examine Equifax’s response first to clear up any confusion, then explore some protective measures you can take.
The Breach and Equifax’s Poor Response
As of right now, the complaint filing from Attorney General Maura Healey of Massachusetts holds some of the most complete analysis about the data breach. According to the complaint from March 7, 2017 to July 30, 2017 Equifax left customer information vulnerable to hackers. Equifax, allegedly, knew of vulnerabilities in the open-source code used on their network called “Apache Struts” however decided not to act on securing them. This allowed hackers to gain access to Equifax’s network from May 13, 2017 to July 30, 2017. This short window of time allowed hackers to steal sensitive information about 143 million Americans. Equifax knew of the breach on July 29th however decided to wait till September 7th to disclose the breach to the public and government officials.
The nearly six week window of non-disclosure was Equifax’s first mistake, which outraged the public. Shortly after discovering the hack Equifax executives sold shares about a month before notifying the public. Then when Equifax did notify the public, Equifax decided not to notify impacted individuals, instead a new domain and website were established. Potentially impacted individuals had to enter even more sensitive information to even know if they were impacted by the data breach. Even when Equifax offered free credit monitoring, they had a clause where people who sighup had to agree not to sue the company, this was later changed and made an “opt-out” measure. By default people agree not to sue unless they give Equifax written notice. Most damaging of all, Equifax initially was still charging for people to place a security freeze on their credit. The fees have now been waived as of September 11th for one month. Seven weeks after Equifax had known about the data breach the CEO, Richard Smith, finally broke his silence on the incident in an op-ed in USA Today.
Who to Trust?
Experts have been warning with all of your personal information available to hackers and the highest bidders in the black markets, you may be wondering who you can trust in this time of crisis. Equifax themselves have proven to not even be trustworthy at this time. Since revealing news of the crisis Equifax has irresponsibly been directing potentially impacted people on Twitter to a fake phishing website that was a mirror of their own. Thankfully, a cybersecurity expert was the one managing the website so people’s information did not fall into the wrong hands a second time. However such a blunder reveals that Equifax even in their response to the situation cannot be trusted to provide the best advice on what to do in this case.
Security services such as LifeLock have been taking this breach as an opportunity to sell customers on identity protection services. They have been intentionally burying a critical element of their services, that its identity protection service relies on credit reporting and monitoring from Equifax, the very company whose systems were compromised. The relationship between LifeLock and Equifax reveal how deeply ingrained Equifax, Experian, and TransUnion are to the credit system which controls people’s socio-economic mobility.
Thankfully, there are some steps you can take to protect your data right now.
As the situation unfolds there are numerous layers of security you can take to protect yourself and your credit from being impacted more than it already has. Here are a few things you can do:
If you believe or know yourself to be a victim of the data breach, then one step you can take is to contact Experian or TransUnion to place a fraud alert on your credit report which will stay active for 90 days. This will at minimum add an extra layer of protection if anyone tries to open any lines of credit with your identity.
Bank Account Alerts
While a fraction of impacted customers had their credit card information taken from them, almost everyone had their banking information stolen. This is why it is important to use that feature that comes with almost all banking institutions to set up alerts whenever there is a withdrawal, charge, or deposit made to your account. These may be an inconvenience but they can be a life saver if you’re able to act swiftly once being notified of a transaction you never made.
Credit Security Freeze
One of the most effective measures you can take during this crisis is to freeze your credit. As stated above Equifax is offering this free of charge right now. If you, understandably, have reservations about using any Equifax service you can also establish a credit freeze through Experian or Transunion. However using the other credit monitoring agencies will cost you out of pocket.
With a hold of your personal information many hackers and con artists will likely be contacting you and using the anxiety of the situation to extract information from you. You may recieve unexpected phone calls from people claiming to be from Equifax, the IRS, debt collectors, lenders, and even settled accounts. If this is the case you need to be very careful. It is suggested to hang up/close the email and contact the company directly to verify if they attempted to contact you.
Monitor Your Credit
Last but not least, make sure to monitor your credit. You can use a variety of services online, TransUnion recommends using http://annualcreditreport.com/ to watch for suspicious activity.
The Equifax data breach strikes at the heart of the U.S financial system and will likely have long lasting damage as a result. You as a consumer can stay safe from this by keeping watch on your credit and using alerts and freezes to make it harder for criminals to use your identity.