Who is Equifax?
This is probably the best place to start because many people don’t really know who Equifax is, even though the company has access to the personally identifiable information of consumers all over the world.
Equifax is a consumer credit reporting agency based in Atlanta, GA. They collect and analyze consumer data from banks, credit card companies, businesses, lenders and more. Equifax then uses that information to produce business credit reports, analytics, demographic data and software - ironically some of that software is for fraud prevention. They then sell all of this information to businesses.
The Situation: One Breach After Another
On September 7 Equifax announced a security breach that affected up to 143 million Americans; the number of those affected in the UK and Canada is still unknown. Equifax’s press release states that the credit card numbers of 209,000 Americans were compromised along with the social security numbers, addresses, and driver's license numbers of roughly 182,000 US consumers. The full extent of the breach is not yet known.
According to the statement Equifax released regarding the cyber-security incident, the company discovered the breach on July 29, and the “unauthorized access” took place from mid-May to July of 2017.
As if that wasn’t enough, on September 13 another breach was made public, this time affecting their operations in Argentina. In this case an Equifax employee portal could be accessed simply by typing “admin” for both the username and password. Once inside the portal, employee and consumer information could be found, including national identity numbers, which are the equivalent of social security numbers. All of this was uncovered and reported by Brian Krebs, and you can view his whole report on his excellent security blog, Krebs on Security. The credit bureau has since taken the entire portal offline, but the damage of having more than 14,000 records exposed has already been done.
The Equifax Response
While Equifax hasn’t officially responded to the incident in Argentina, they did respond to the breach affecting the US, UK, and Canada in a way that has been somewhat controversial.
The first thing they did was set up a website for individuals to check if their information was exposed by the breach. While in theory this is a great step to take, there have been reports of individuals entering random names and information and receiving results indicating that the fictional person “may have been impacted,” casting doubt on the reliability of the entire system.
The second step Equifax has taken is to offer free credit monitoring and identity theft protection. This monitoring includes:
- Three credit bureau monitoring
- Copies of Equifax credit reports
- The ability to lock and unlock reports
- Identity theft insurance
- Internet scanning for the individual's social security number
They will also be mailing notices to consumers who were impacted.
Although this is a great thing for Equifax to offer, for the first couple of days after the breach there was a lot of concern over the credit monitoring offer, as many believed the terms sounded as though enrolling in the monitoring program waived their right to sue. Equifax has since changed the wording and clarified its arbitration clause to make it clear that if you enroll in the credit monitoring program you still have the right to take legal action should you wish.
“To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.”
What Happens Now?
As of September 14th, Equifax is under federal investigation. The Federal Trade Commission has announced that it is investigating the data breach. Equifax is also under investigation by the Consumer Financial Protection Bureau.
As for what you should be doing…
Make sure that you’re keeping a watchful eye on all of your accounts and check your credit report. You can also set up fraud alerts on your accounts as an extra verification step should anyone try to apply for credit using your information. There are also a couple more long term things to keep in mind.
Back in October we wrote a post on email extortion scams that are common after large breaches, and this will undoubtedly prove true following this data breach as well.
The FTC is also warning people to be vigilant when it comes time to file taxes. They are instructing people to file their taxes as soon as they can because the Equifax breach exposed social security numbers. The IRS website has a good Taxpayer Guide to Identity Theft.
Major breaches like these are a serious reminder to take data and network security seriously. For every major breach like this, there are many more data thefts and ransom attempts aimed at smaller companies that may not make the news. Could your business recover from a serious security incident? Contact us today to learn more about our managed security services if you aren’t sure how your company’s defenses stack up.