Late Thursday, news broke of a huge data breach which impacted Equifax, a credit-monitoring agency. Credit-monitoring agencies have loads of sensitive data about millions of people.
The vast majority of adults have some sort of credit score - whether it's good, bad, or neutral. Lots of people from a variety of socioeconomic groups, at least at some point in their lives, acquire mortgages and car loans. Those who don't will usually have at least one credit card in their lifetimes.
Agencies like Equifax use all of the data they gather on millions of people to help banks, credit card companies, telecommunications companies (think cellphone plans), and other types of lenders make decisions about whether or not an individual or organization is worth a certain credit risk.
Who is Affected by the Breach?
The data breached in the cyberattack on Equifax includes social security numbers, people's names, birthdates, driver's license numbers, home addresses, and some credit card numbers. If you're American, there's a very good chance that you are affected. Equifax says that about 143 million Americans had their data breached. According to a 2016 US Census estimate, the American population is about 323 million.
If you're not American, you may still be a victim of Equifax's data breach. Equifax says that some Canadians and Britons also had their personal information exposed, but the agency won't disclose numbers at this time.
With regards to the affected Canadian and UK citizens, Equifax said:
"Equifax will work with UK and Canadian regulators to determine appropriate next steps. (We've) found no evidence that personal information of consumers in any other country has been impacted."
Equifax discovered the breach on July 29, even though the news wasn’t made public till September 8. Upon discovery, Equifax hired a cybersecurity firm to conduct a forensic review to determine the scope of the breach. Equifax said the cyberattack occurred between mid-May and July 2017.
Gartner security analyst Avivah Litan said:
"On a scale of one to 10, this is a 10 in terms of potential identity theft. Credit bureaus keep so much data about us that affects almost everything we do."
Associate professor of the accounting and information systems division of the UBC Sauder School of Business in Vancouver Hasan Cavusoglu said:
“Every company will have some exposure to risk depending on the kinds of information they keep about their customers. The more information you keep, the more likely it is that adversaries will target your organization. If we create these 'superentities' – like super data collection companies – we are collecting much larger data sets and they will be more likely to be targeted.”
Next Steps and Remediation
To find out if you're a victim of the breach, Equifax has setup a website for you to check: https://www.equifaxsecurity2017.com. You can also phone 1-866-447-7559.
Cylance’s Director of Product Management & Marketing, Hiep Dang, offers a few further suggestions for those concerned about the Equifax breach:
A few things everyone should do immediately in light of the Equifax breach:
- The most important tip here is to freeze your credit if you are affected or worried. This is the best way to proactively defend yourself from getting your identity stolen in a breach scenario, the rest are more layers of notification. https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
- Be extra cautious with anything claiming to be associated with the Equifax via email and social media. The bad guys will exploit the paranoia and frenzy this is causing and social engineer you to click on emails with malicious links or disclose additional personal information
- Check with Equifax competitors Experian and TransUnion for unexpected credit checks or accounts being created.
- Monitor credit card and bank activity for unauthorized charges/transaction. If your bank has it, setup alerts for charges over a certain dollar amount that is out the norm for your normal charges.
- Change passwords (especially financial accounts) regularly. If you're still repurposing the same passwords across different accounts, stop it! Use a password manager to generate random passwords and make them at least 16 characters
- Enable two-factor authentication on every account that allows it. If your password has been compromised, this is another barrier for the bad guys to get access to your accounts.
- You can check HaveIBeenPwned, which we recommend to everyone. This is also important to keep in mind when you’re thinking about reusing passwords across different accounts.
- In addition to signing up for free credit monitoring, you can request a free credit report from Experian, TransUnion, and Equifax at www.annualcreditreport.com. Don't be fooled by other sites claiming to offer you free credit reports.
- Be sure to read the fine print if you opt for the Equifax credit monitoring and make sure you fully understand your rights.