The Equifax breach that we learned about late last week affected an estimated 143 million Americans. This translates to over 40% of the population’s worth of data in our country. As of noon on Monday, September 11, 2017, the culprits have yet to be identified.
The severity of the Equifax breach, in particular, is that they handle the very information that other organizations use to verify identify and protect against stolen data and hacking. Furthermore, a good chunk of their whole business model is the protection and monitoring of sensitive data.
Don’t panic. We have the information here to help you through it.
When did this happen?
The breach occurred somewhere between mid-May and July 2017, but it wasn’t discovered until late July.
How did the criminals get the data?
According to Equifax, the hackers identified a web application vulnerability and attained unauthorized access to the files via that weak spot. There are a few potential roots of a gap like this, including programming errors or configuration mistakes.
What data was compromised?
An immense amount of data equal to the crown jewels of user information was stolen. These essentially enable hackers to commit identity theft on repeat. Information stolen included: Social security numbers, names, addresses, birth dates, driver’s licenses and other identifying codes, addresses, credit card information, etc.
Why do hackers want this data?
As you likely gather, most of this information doesn’t even have a shelf life. The implications here are potentially years worth of residual identity theft cases, many of which will survive undetected!
Consider the value of an email address, nevermind something as permanent as a social security number.
Why did Equifax wait so long to announce the breach?
You may be wondering why, in this and other cases like the LinkedIn and Yahoo breaches, it takes so long for companies to disclose the news. Well, this isn’t as simple as it might seem. Equifax is already facing its first resulting class action lawsuit for waiting over 6 weeks from the detection date.
That’s 6 weeks that Americans were subject to all of the implications of this grave event without their knowledge and, as a result, without being able to fight back.
So why did Equifax wait?
The short answer: Because they could.
The long answer: There is no explicit requirement as to how many hours or days a company can wait to disclose material info, though waiting too long results in scrutiny as one would expect. Equifax hasn’t responded to questions about why it took them so long to make the breach public, and the SEC, the US Federal Trade Commission, state attorneys general, and the US Attorney’s office for that district of New York all have yet to identify whether they’re pursuing the “why” either.
The fact is that legally the investigations can take weeks or months before enough is known to become legally obligated to disclose the situation. It does take some time to investigate internal and peripheral systems to find out if anything was actually compromised when a security breach is detected. In the interim, they certainly would want to be mindful about alerting hackers that the breach was discovered, especially if there’s a chance that they could track the hacking back to the source. From there, the scale of the incident is evaluated, and the hunt continues.
Different types of information require different disclosures, and that varies depending on the location of the data and the organization. Sorting out all of this can take time, and this slows the process even more.
Lawmakers who are trying to tackle the issues of national vs. state level laws on data breach notification have begun to suggest coupling the requirements with data security standards – that is, regular compliance and security checkpoints to ensure that they can nip breaches in the bud.
How do you know if your data was hacked?
First of all, there is no guaranteed way to verify whether or not your data was compromised. Sorry.
Worse news even: Unlike companies with memberships and identified customers, many of the people affected by the Equifax breach may not even be aware that this company handles their data. The data is aggregated from credit card companies, stores, banks and credit unions, public records, and other lenders who report of credit of people reporting to agencies.
Equifax offers this form to allow you to check whether your data was potentially compromised. They are also supposedly mailing notices to anyone whose cards or documents were affected. That said, we urge you not to be too quick to enroll in any monitoring or ID protection services (free or otherwise) with Equifax or any other organization at this time. Why? You may actually lock yourself out of consumer rights such as the ability to participate in class-action lawsuits.
So, what should you do now?
Just as lawmakers and security experts suggest, data security practices are paramount to avoiding and/or surviving breaches.
- The FIRST action you should take as a consumer, regardless of whether you suspect your data to be stolen or not: Review your accounts. Look over your bank accounts and credit card statuses.
- Update your passwords and PIN’s! If you are using defaults, change them.
Here are some tips to choosing stronger passwords.
We also have suggestions for how to keep track of all of your passwords since that can often deter users from getting creative.”
Change your PINs from defaults to unique codes! - Start using some of those more advanced security features on your accounts. You know- the ones you skip because they require “too much work”. The extra step is worth it (literally).
*** Use multi-factor authentication (MFA). This will require more than one verification method to add that second critical layer of security that will help to safeguard access to your assets and apps while keeping it simple. - Don’t use debit cards when making online purchases. You are more likely to have legal rights to dispute illegitimate charges, and there is no direct link to any cash you might have in the bank.
- Review your credit reports regularly. Look for inaccuracies.
- Do not access financial accounts or enter personal credit card info or bank account data online while you’re connected to public wireless hotspots.
- Always ensure that financial firms and providers are using additional security questions and procedures; otherwise, you have the right to question the security of that transaction and safety of the interaction.
- Set up fraud alerting for all financially-tied accounts. Even without a credit freeze, fraud alerting makes it so lenders are required to call you and verbally verify that it’s you who is submitting an application.
- If you got confirmation that your data was among the compromised, our strong suggestion is for you to freeze your credit so long as you aren’t in the middle of a large transaction like purchasing a home. Even then, we do suggest it for the sake of your future credit and financial standing and security. This short and easy process will lock up the ability for fraudsters to use your credit to apply for housing and goods, checking accounts, credit cards, and so on. Although it comes with a marginal fee ($5-$10 per bureau) it will give you serious piece-of-mind untill you want to lift or “thaw” it out again by simply contacting your credit bureau. You can even do a temporary lift and re-freeze it to limit the exposure. Again, small price to pay in the scheme of things.
- Plan to file taxes as early as possible. Get to it before the scammers can try to commit identity theft at that time. They could use your social to get a tax refund or even a job.
The idea is to take little steps, at the very least, to make yourself less attractive to scammers and hackers than the person who is leaving themselves wide open. Even if your sensitive data is already leaked, these steps can help preserve your accounts and your sanity!
Prime time for phishing: Beware!
Cyber criminals are already taking advantage of this opportunity to infultrate inboxes claiming to be offering to “check if data was compromised” or asking for credit card and financial information to “check” if you were exposed. They may even pose as your bank or credit union claiming that you have fraudulent charges. Do not fall prey – pay attention and check your sources!
If you’re the person responsible for keeping your organization cyber-safe, get in touch with us to learn how we can help and what you can be doing to combat threats from all angles inside and out.