How to protect yourself after Equifax breach
As credit reporting company Equifax came under scrutiny Friday for its revelation of a breach of confidential information experts called among the most serious ever, customers began scrambling to figure out just what they could do to protect themselves from the misuse of their most sensitive personal data.
The Atlanta company acknowledged Thursday that a massive breach that took place from mid-May through July may have exposed the personal data of 143 million Americans — more than half of the U.S. adult population — to malicious hackers. Attackers stole names, birth dates, addresses and — most alarmingly — Social Security numbers, which could enable them
to do anything from falsely open a bank account to apply for disability benefits.
“On a scale of 1 to 10, we have a big, fat 10,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group.
New York Attorney General Eric Schneiderman announced Friday that his office had opened an investigation into the data breach, requesting specific details about when the company found out about the breach; the cause; and whether there was evidence of identity theft, abuse of financial information or data being offered for sale illegally.
Equifax said it has hired a cybersecurity firm, which is “conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.”
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Richard F. Smith, Equifax’s chairman and CEO, said in a statement.
The company said it has “found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
But if customers believe their information may have been compromised, what can they do?
“There’s not a lot of tools out there to combat” Social Security number theft, said Daniel Castro, vice president at the Information Technology and Innovation Foundation. “This information is going to be rapidly commoditized and sold on the dark web.”
Equifax has offered customers a free creditmonitoring service for one year. It is also offering customers a credit freeze, which would ban institutions from looking at a user’s credit data without explicit permission.
Castro, though, said one year of protection is inadequate, because hackers could use Social Security data for years on end.
Equifax handles data on more than 820 million people and more than 91 million businesses worldwide, according to its website. It also managed a database with employee information of more than 7,100 employers. This is the third time Equifax has been breached in the past few years — but it’s by far the most serious.
Some Equifax customers, like 63-year-old San Franciscan Linda Racine, who signed up for its free credit-monitoring services Thursday, noticed a major caveat in the fine print: an arbitration clause that could cause them to relinquish their right to participate in a class-action lawsuit.
As explained in the company’s terms of use, customers using its free services are subject to mandatory and binding arbitration. Customers can opt out of the arbitration provision if they write to Equifax Consumer Services within 30 days of enrolling, according to the company.
“I didn’t realize that when I signed up for it,” Racine said.
New York Attorney General Schneiderman criticized the arbitration clause, saying in a tweet that the fine print was “unacceptable and unenforceable.” On Friday, as outrage continued to build, the company put out a statement about the arbitration and classaction clause, saying that there was “no waiver of rights for this cybersecurity incident.”
After hearing about the breach, as directed by the company, Racine entered her last name and the last six digits of her Social Security number at equifaxsecurity2017.com to check if her data had been compromised.
When she got the notification that she was at risk, she said, “I wasn’t surprised.”
The free monitoring service Equifax has offered won’t be ready for her to use until Sunday, and other customers may have to wait well into next week to use theirs.
The efficacy of the equifaxsecurity2017.com site, which is linked off Equifax’s main site, has also come into question. It requires more Social Security digits than the usual last-four, and on Friday, when “test” was entered as a last name with “123456” as the digits, the site said this identity could have been compromised. The same was true for “Johnson” — a common last name — plus “123456.”
Other steps people can take to protect their compromised information include: signing up for a Social Security account with the Social Security Administration if they haven’t already, to prevent a hacker from doing so in the future; getting a copy of their credit report from annualcreditreport.com, a federally authorized site (though one of the companies providing the credit report is Equifax); and putting fraud alerts on bank accounts, mortgage accounts and other financial accounts.
Cybersecurity experts have marveled at the scope and far-reaching ramifications of the Equifax data breach. One point of comparison: An attack on the federal Office of Personnel Management records in 2015.
At the time, experts called that attack one of the largest breaches of government data in U.S. history. Similar to the Equifax breach, everything from Social Security numbers to names and addresses was compromised.
Two years later, the effects of that breach are still being felt, according to Dixon of the World Privacy Forum.
The victims “all had a lot of problems,” she said. “They’ve really had to stay on top of things.”