With 40% of the US Population Potentially Affected by the Equifax Data Breach, Here's What You Need to Do

Credit and consumer data company Equifax this week announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers, roughly 40% of the US population.

Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017.  The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for some UK and Canadian residents. 

What's the Big Deal?

What is significant about the latest attack, is not only the sheer size of it but the potential harm through identity theft and future fraud as cyber criminals can use these identifying factors to open bank or credit card accounts, access medical information, file taxes and receive the refunds, or make new purchases in your name. This attack will have a legacy effect as those affected will not be changing their specific identity features so they could be subject to attacks anytime in years to come. 

It's the third major cybersecurity threat for the agency since 2015. Between April 2016 and March 2017, TALX, an Equifax subsidiary that provides online payroll, HR, and tax services, was hacked, with cyber criminals able to change the four digit customer employee password and steal tax data after successfully answering personal questions about those employees. Using a pin number instead of two-factor authentification is bad enough, but to have it followed by an even worse attack shows that the company is lacking in preventative vigilance. 

What Happens Now?

Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes:

• 3-Bureau credit monitoring of Equifax, Experian, and TransUnion credit reports; and copies of Equifax credit reports.
• The ability to lock and unlock Equifax credit reports.
• Identity theft insurance, and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year.

However, many are critical of this approach which in effect signs people up for the monitoring without providing any definitive answer as to whether they've been subject to a data breach. The company has also been robustly criticized after three Equifax senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach.

What You Can Do

With any attacks like these, it's vital that consumers stay vigilant. Some things that may help:

• Monitor all of your accounts for any suspicious activity (someone may be using your social security number for example) and contact the provider as soon as you are concerned.

• Change passwords and use two-factor authentication where available.

• Get help from Identitytheft.gov if there are any irregularities as they provide a detailed action plan in the effect of any misuse from changing ID to freezing credit reports and clearing your name of criminal charges. They're the kind of activities you hope you don't have to deal with, ever, but it's good to have all of the information in a central place, coordinated by a legitimate source of knowledge.

• There is also the option of long term security monitoring for a fee. Equifax's offer to date is only for a year, highly inadequate considering the repercussions of the breach could last years. 

Currently, we have no idea for what purpose the data was stolen or by whom. It could have been career criminals ready to sell the information on the dark web, opportunistic hackers who struck it lucky or those with links to international governments. Our identity is like a far reaching web which shoots threads into all kinds of places from our social media to our banking to our images posted online. This is not the first of these kinds of attacks and the severity shows that those professionals we expect to protect our information offer little evidence that they are able to do so. We need to take personal responsibility to secure our own cyber identity.