Ok, ok… I’m jumping on the Equifax bandwagon. Because my friends know I’m a cybersecurity “expert,” I’m getting pummeled with questions about the Equifax breach, just like everyone else in the infosec biz. The truth is that there are a lot of conflicting reports going around right now, so concern and confusion are to be expected. The good news is that there are a couple of excellent articles online from security experts that may help answer some of the most fundamental questions.
Just today I’ve been in two separate webcasts by infosec experts discussing the situation, and over the next several days, weeks and months, I expect to be reading, watching, listening and discussing the breach and its consequences with other cybersecurity professionals.
Here is what we know:
- Equifax’s data was initially breached sometime in mid-May 2017.
- Equifax detected the data breach on 29 July 2017.
- Equifax announced the breach on 7 September 2017.
- Over 143 million U.S. records are known to have been compromised. That means that Social Security Numbers, names, addresses and other personal details are out in the wild.
- Additional data for Canadian and United Kingdom accounts was also compromised. (So far I haven’t been able to get numbers or other specifics regarding the international impact.)
Equifax has been scrambling in reaction to this incident. From what I’ve seen, all they have managed to do is confuse and/or piss people off. For example, they tried to set up a website to help customers in advance of sending the press releases, but the site is still not working and probably won’t be for a while.
They also tried to add fine print to the sign-up process for their help that waived your right to sue them. Then there is their “dark web scan.” If you haven’t figured it out already, it’s a scam to make more money off their screw-up. Don’t bother.
Why is this a big deal?
Credit reporting agencies collect data about you. How much money you make. Where you work. Where you live. What you buy. Whether or not you are married. You get the idea…
Then they sell that data to banks, car dealerships, realtors, potential employers… In short, they make money off of you by selling your personal details, without asking your permission, and with little or no consequence if they get it wrong. And they do. And it’s a PITA-royale to try and correct their oh-so-mighty reports when they get it wrong.
So the fact that someone (and we still don’t know who) stole this extremely sensitive information about 143+ MILLION people means that that mysterious someone (or something) has everything they need to:
- Open credit cards, bank accounts and loans in the name of the victims. (aka You and Me.)
- Change key details on the credit accounts of the victims, not only with Equifax, but with the other three credit reporting agencies.
- Create false credentials (driver’s licenses, passports, even library cards!) using the names and personal details of the victims.
- More and worse things… You really don’t want to know.
What can you do?
Unfortunately, not much. Our existing finance and credit system is built around these corporations, their policies and their dictates. You cannot buy a car, a house, or get any kind of financial credit or aid without using their services. It is a monopoly owned by a handful of very, very rich corporations.
At this point it looks like your first and best line of defense is to freeze your credit reports with the top four (yes, FOUR) credit reporting agencies: Equifax, Experian, Innovis and TransUnion. Before you do so, however, I recommend that you find out more about the Equifax breach, how credit freezes work, and what the impact will be on you.
Here are some common questions and answers. Disclaimer time: I am neither a credit management expert nor a lawyer. Before you take any action you should investigate further and/or contact your bank or credit union.
Q: What is a credit freeze?
A: Technically, when you request a security freeze on your credit report, all that is frozen is the ability for third parties to request a copy of your credit information. This is good because it means no one can get a new credit card, car loan, or buy a new house using your credit information. But that also means that you can’t get a new credit card, car loan, or buy a new house using your credit information, either. At least, not until you have the freeze lifted from whichever agency is being used by the bank involved.
Q: What about credit monitoring? Will that help?
A: Credit monitoring services (like Credit Karma) tell you about fishy activity involving your credit report after it has happened. This allows you to take action to repair any damage, but only after the fact. Credit reporting does nothing to prevent having your credit information misused.
Q: What else can I do?
A: Most of the recommendations below are basic to digital hygiene, but they bear repeating, especially now.
- If you have an account with any credit reporting agency, change your password(s). Even if you don’t know that your account was included in the breach, assume that it was.
- Monitor your bank and credit card accounts for suspicious activity. Don’t forget to include credit cards from Sears, Macy’s, and other retailers. Those are credit cards, too.
- Be very suspicious of any emails or phone calls you receive with offers to protect or fix your credit.
  - If it’s a phone call, it is 99.725% likely that it’s a scam. Just hang up.
  - If it’s an email, DO NOT CLICK ANY LINKS IN THAT EMAIL. I don’t care how legitimate the email looks. Do not trust them.
- Next year, file your taxes as quickly as possible. The sooner you file, the less likely someone else will file a fraudulent claim in your name.
- Learn more about basic ways to be safe online, and incorporate computer safety into your daily life.
- Contact your local, state and federal representatives and tell them that credit security is an important issue to you and that you want them to take action to make sure something like this won’t happen again.
Here are a couple of additional articles I recommend to help you better understand this situation.
On the Equifax Data Breach – Bruce Schneier
How I Learned to Stop Worrying and Embrace the Security Freeze – Brian Krebs
Special thanks to Lance Spitzner at the SANS Institute for his excellent webcast and the references he provided.