
The Equifax Hack Is Worse Than Originally Thought And Checklist Of Actions

Updated: Sep 6, 2021



ALERT SUMMARY


1. In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The credit-reporting agency Equifax disclosed one of the most significant data breaches in recent history, saying information including the Social Security numbers of 143 million consumers was potentially compromised. While the massive breach at Yahoo involved more accounts, topping 1 billion, that intrusion exposed people's phone numbers and passwords. Equifax said its breach includes “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.” The company added that credit card numbers for approximately 209,000 U.S. consumers were accessed, along with some dispute documents that contain personal identifying information for about 182,000 U.S. consumers.


2. Equifax is offering a number of free services to people, including credit monitoring. (You can find more information at a site Equifax set up, and see our expert advice below.) Equifax originally said that by signing up, you would opt into arbitration and waive your right to take part in a class-action lawsuit for the credit-monitoring service. But this waiver didn't apply to the breach at large. The company later dropped the restrictions for the free credit-monitoring service, saying customers who sign up because of the data breach aren't subject to the clause and won't be prevented from joining class-action suits.


3. The breach happened mid-May through July 2017 and was discovered July 29, Equifax said. It also said it has seen no evidence of unauthorized activity on its core consumer or commercial reporting databases. “It’s one of the worst hacks imaginable,” says Dan Guido, CEO of the cybersecurity firm Trail of Bits. “People should be extraordinarily angry at companies like Equifax. We place a huge amount of trust in them about money matters, but they’re so easily compromised by simplistic attacks like this one.”


Additional Alert Information


The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, driver's license numbers and addresses. Equifax first disclosed the hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data. The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators and multiple state attorneys general, and the company faces a number of civil lawsuits.


Equifax had a much smaller attack in March 2017 against one of its subsidiaries, which had not been widely reported before. The company said it notified the few thousand people affected at the time, which included employees of Northrop Grumman, Allegis Group, and the University of Louisville.


Guido wonders whether the major breach over the summer might mark the beginning of a "post-authentication era," in which this widely accepted personal information becomes essentially useless in establishing an individual’s identity.

“There’s no sense in treating this like confidential information anymore,” he says. “When you call up your cell-phone company they typically ask for this information, like your Social Security number or your driver's license number. And it’s simply no longer possible to accurately identify people using these typical trust markers.”


Unlike a credit card company or retailer, consumers generally don't choose to do business with credit-reporting firms. Instead, those companies gather information on consumers as part of their business.


"The credit bureaus collect highly sensitive consumer data, including Social Security numbers and detailed credit histories, and they have a legal and ethical obligation to protect it," says Jessica Rich, vice president of consumer policy and mobilization at Consumer Reports.


"While it’s fine that Equifax is offering consumers free credit card monitoring, that's just a Band-Aid," she adds. "Companies need to take data security much more seriously so these breaches don't happen in the first place. That's why we need stronger data-security laws with tougher penalties."


Richard Smith, chairman and CEO of Equifax, said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."


Next Steps - For additional details and step-by-step instructions on how to protect yourself and respond to this alert, follow the link below.


