Late last week, Equifax, one of the four largest credit reporting bureaus in the United States, disclosed that in July it experienced a massive data breach that could very well represent the largest compromise of significant personally identifiable information (PII) ever. As reported by the company, data on over 143 million people was compromised, and that data includes some of the most sensitive information that exists about individuals: names, addresses, birth dates and Social Security numbers were captured, along with credit card numbers and other PII for a subset of the affected persons. Equifax disclosed that the compromised data covered residents not only of the United States, but also of Canada and the UK.
Suffice it to say, this represents a massive opportunity to enrich the criminal(s) who stole the data by selling it (either on the open Dark Web, or to a nation-state or other buyer who contracted them to acquire this information), and it represents the single biggest opportunity for large-scale identity theft to date in the Internet era. The ramifications of this breach will likely be felt far and wide across great swaths of society, and for many years to come.
While the mechanics of how the data was breached are not fully known at present, security industry journalist and blogger Brian Krebs reported on Tuesday of this week that a consulting firm had discovered one of Equifax's Internet-facing applications, designed to allow employees to manage credit card disputes, could be trivially accessed using a default, easy-to-guess username and password combination, exposing the ability to view and manage the credentials of Equifax employees. One can imagine that, armed with Equifax employees' own credentials, it would not be particularly difficult to compromise other systems and reach this massive trove of data. In fact, Equifax reported Wednesday that a vulnerability in the Apache Struts web application framework was the attack vector the criminals used to conduct the breach (although Equifax has not yet identified the specific application(s) that were compromised).
More important than how the breach occurred, however, is what you can do to minimize your risk:
- Immediately visit the website that Equifax has set up, equifaxsecurity2017.com. This site, established by Equifax, allows you to determine whether your data was potentially compromised by entering your name and the last six digits of your Social Security number. If you may have been affected, Equifax will offer you the opportunity to enroll in a credit monitoring service; take advantage of it.
- Enroll in credit monitoring for all four credit reporting bureaus: Equifax, Experian, TransUnion and Innovis. Equifax is only offering (and can only offer) monitoring of its own files; there are, however, four major bureaus. A third-party credit monitoring service that covers all four will notify you when a new account is opened in your name at any of them.
- Consider freezing your credit file. Credit monitoring can tell you that someone has opened a new account in your name, but only after the fact. A credit freeze prevents such actions outright by disallowing a credit check (or "pull") on your file. Without the ability to check your credit, a lender (auto, mortgage, credit card, etc.) is highly unlikely to approve a loan or revolving credit line, which dramatically reduces the chance that an identity thief can profit from your stolen data. Each of the four major bureaus offers a credit freeze; when you place one, the bureau issues you a PIN so that you can temporarily lift the freeze when you legitimately need a credit pull (such as buying a car or home, or opening a new line of credit). To freeze your file, contact all four major bureaus; a freeze can be placed through each bureau's website. Note that a freeze at one bureau does not affect the others, so your protection is only complete once all four freezes are in place.
While the long-term implications of the Equifax breach will not be fully understood for many months, and potentially years, individuals who were potentially impacted have effective tools to minimize the risk of becoming a victim of identity theft as a result of this massive security incident. The best each of us can do now is learn whether we were potentially affected, take control of our credit, and remain vigilant.