“We pride ourselves on being a leader in managing and protecting data…. We also are focused on consumer protection.”
These are the ironic words of Equifax CEO Rick Smith in his statement explaining that his company, which collects, reviews and holds records on more than 800 million Americans, had been breached. On September 7th, the company disclosed that they had been breached on July 29th and the records of more than 143 million Americans, along with some 44 million Brits and Canadians, had been stolen from their databases.
Never heard of Equifax? Well, considering that it’s one of the three largest credit reporting agencies in the US, if you have ever applied for a credit card, there is a pretty good chance that they have information about you stored in their database. Initial reports show that social security numbers are at the highest risk for exposure, but also exposed were driver’s licenses, dates of birth, addresses, and in the very worst scenarios, credit card numbers. It also seems that PINs may have been exposed. This information can, and most likely will, be sold on the dark web where attackers will use it to open new credit card accounts, apply for loans and commit all other sorts of ID fraud.
Equifax’s Many, Many Missteps
What’s being called the “most economically damaging hack in US history” is also becoming one of the worst-handled breaches.
First off, it took the company an unacceptable 6 weeks to disclose that there had been an incident. Then, just days after the breach was found, three top execs sold huge amounts of company stock. They claim they had “no idea” about the incident, but that’s just a bit hard to swallow.
Once they announced the breach, their next misstep was providing consumers with an online security check tool. Users were instructed to enter some information and the tool was supposed to accurately determine if their information had been involved in the breach. In theory, that is. The “security check” was entirely dysfunctional right from the start; curious users put in false information only to be told that their fake identity had been breached. Oh, by the way, the information required by the security check to check if the user’s information was exposed? The last 6 digits of his or her social security number, which is ironic for a company that couldn’t keep that same info secure.
Lastly, the company is providing anyone who signs up one free year’s worth of identity protection. That’s nice, but after the first year, you’ll have to start to pay for the service. Considering that typical fallout from a data breach like this lasts a lifetime, one year is pathetically inadequate and moreover, Equifax just turned this huge misfortune into a business opportunity.
What the Equifax Debacle Means for You
With the scope of the breach and the horribly executed disclosure, security experts are advising every adult in the US to assume that their own data has been exposed. Since Equifax has announced that they will not be alerting anyone if they have been exposed even once they have more clarity, there seems to be no way to effectively rule out exposure. This means that from here on in, anyone who cares about their identity must ramp up their awareness where their ID is concerned. Sound complicated? It doesn’t have to be. Here is a primer:
- Get in the habit of regularly checking your accounts for suspicious transactions. The faster you can alert your credit card company to anything out of the ordinary, the better your chances of fixing it.
- Freeze your account with the three big credit agencies, Equifax, Experian (which, incidentally, was also breached a few years back) and TransUnion, which will prevent attackers from opening lines of credit with your identity. It’s an easy enough, automated process in which you will be given a PIN, which is required to open any new accounts. Just understand that you’ll need to unfreeze your account using your PIN when you do anything that necessitates a credit check, like opening new cards or applying for loans. Be aware that fees may apply for this service.
- Alternatively, you can put a credit alert on your card with each credit report company, which means that any lender must alert you when anyone, including (and hopefully only) you, tries to open a new line of credit. This is typically a free service and must be renewed every 90 days.
Unfortunately, the madness doesn’t stop there; hackers use opportunities like this to draw in even more victims using phishing tactics. They may send emails or make calls that claim to be from Equifax, another credit monitoring service or bank to trick you into revealing personal information. You can bet that these calls and emails will be highly personalized because, well, they already know a whole lot about you. So how can you tell a phishing email from a real one? No legitimate company will ever ask you for sensitive information via email or phone call.
On a positive note, state attorneys general around the US are heading up investigations into the breach and how it’s been handled, and numerous class action suits are underway. Importantly, if you’re planning on joining a class action suit, make sure to keep away from the company’s online security check tool, which, as part of its terms and conditions, bars users from joining suits against the company.
With the flurry of major data breaches that happen almost weekly, protecting your ID is more important than ever. Now is the time to ensure you are prepared with the tools you need to stay secure.