By Thomas Ritter of Thompson Burton, PLLC
The news that credit reporting agency Equifax suffered a data breach of sizable proportions (a projected 143 million people affected) set the information security community abuzz. The irony was not lost on anyone: One of the three main credit reporting agencies largely in charge of identity theft notification and prevention, Equifax’s loss of sensitive information now acts as a gateway into the future proliferation of widespread identity fraud. Although details continue to slowly emerge, here’s what we currently know, what’s important for you to know, and my suggestions on preventative measures and next steps.
Criminals gained access into Equifax’s internal system through a vulnerability in the company’s website software beginning in mid-May, and remained inside the system until late July. The perpetrators gained access to a variety of sensitive personally identifiable information, which includes (but may not be the entire scope of): names, birth dates, addresses, and social security numbers. Of even more immediate concern, 209,000 consumers had their credit card numbers stolen. On July 29, Equifax discovered the intrusion and begin the steps of breach remediation. This included notification to law enforcement and the hiring of a cybersecurity firm. At this time, the investigation is ongoing.
WHAT YOU NEED TO KNOW
Equifax has set up a website in which consumers can check to see if the breach included their personal information. Equifax prompted users to enter their last name and the last six digits of their social security number. Here’s where things get really interesting. Based upon the information entered, interested parties will either be told that Equifax doesn’t “believe” a person was impacted or “does believe [the person’s] personal information may have been impacted.”
Wow, Equifax’s “belief” that one’s information remains secure is quite the ringing endorsement. This bizarre and non-committal response bypasses any definitive answer, and instead merely provides a person with an enrollment date. It should also be noted that members of the IT community such as Brian Krebs have called into question the accuracy of whether this Prompt even provides a truthful answer.
at Equifax's credit monitoring enrollment site: I put in made up last name and random 6 digits. Same message as my real info: come back 9/13
— briankrebs (@briankrebs) September 8, 2017
Where to even begin. Let’s start with the basics. TrustedID Premier is a credit monitoring service that Equifax offers to anyone – those both affected and unaffected – free of charge. Rather inconspicuously, TrustedID is a credit monitoring service owned and operated by Equifax. The decision to keep things in-house seems questionable. Companies subjected to a data breach typically offer victims credit monitoring or identity theft protection through third-party providers, not subsidiary entities owned by the hacked company itself. As some have joked on Twitter, the decision to once again give personal information to a company who already lost said information is quite the conundrum. You would think Equifax would invite some separation between the company and the credit monitoring service offered. This looks bad, and seems like a cost-cutting measure.
Having already alluded to the vague and ambiguous response I can only infer means a person was in fact impacted, Equifax provides a future enrollment date. “On your designated enrollment date, please return to this site . . . [and] provide additional information to verify your identity.” A future enrollment date? The affected have to do more at a later time? Come on. How many people will actually remember to do this in the coming days? Rather than proactively implement credit monitoring for all those affected, the company’s decision to ask people to return at a later date suggests they may not entirely know who was affected/unaffected. Reports that Equifax Customer Service representatives have told people that they “do not have a database of impacted individuals” at this time only solidifies this theory. Moreover, other consumers noticed that the decision to opt-in and enroll in TrustedID Premier came with the caveat of some rather interesting terms and conditions: namely, a person’s waiver of any future participation in class action lawsuits. This is otherwise known as a standard arbitration clause.
Lastly, a few publications have taken the Company to task over its amateurish site set-up. As ArsTechnica noted, [the site] runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. . . worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details.
As a whole, Equifax’s early response and public relations spin looks to be a colossal failure. This should serve as a sobering reminder to companies: A well-constructed contingency plan should be in place prior to any public announcement that your company suffered one of the worst data breaches in the history of the Internet.
WHAT YOU SHOULD DO
Rest assured, you aren’t the only one wondering where the heck you go from here. Take a deep breathe, and consider the following analytical approach:
(1) Change Your Passwords IMMEDIATELY
Even if you have no reason to believe any of your email or password information was exposed, I would suggest changing passwords across all platforms (i.e., Facebook, Gmail, etc.). The vast majority of people use the same password across all types of accounts. Therefore, the retrieval of a password from a source like Equifax potentially exposes you to unauthorized access of all your accounts across all platforms. Don’t believe me? Just ask Facebook Founder Mark Zuckerberg. If you are worried about not remembering your new passwords, this may be an opportune time to start using a password manager like 1Password.
(2) Check your Financial Statements.
I would immediately log-in to all credit, checking and savings accounts. Do a quick run-through of the previous months’ statements to ensure no fraudulent activity has taken place. With 209,000 credit card numbers exposed, it’s particularly important you prioritize your credit card accounts over checking/savings. As a quick aside, people should use a credit card in almost all transactional instances. Why? Because under federal law Fair Credit Billings Act (“FCBA”), cardholder liability for unauthorized use or charges tops out at $50. This isn’t necessarily the case for unauthorized ATM or debit card charges (another blog post for another time).
(3) Check your Annual Credit Report
If you haven’t done so recently, now’s a good time to check your annual credit report. You can do so for free through annualcreditreport.com. You are entitled to a free credit report from each of the three credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months. This report will show if any accounts were recently opened in your name. Oftentimes, people are fearful to submit multiple requests for credit reports in a short period of time. Fear not — a request for credit report is known as a soft inquiry and does not affect your actual credit score. A hard inquiry, on the other hand, occurs when you’ve applied for credit. This prompts a lender to dig deeper into your credit report. Too many hard inquiries in a short period of time can have an affect on an individual’s credit score. With the Equifax hack, don’t hesitate to check your credit report with one of the three CRAs. Well, on second thought — maybe don’t check with Equifax.
(4) Think About a Credit Freeze
I’ve seen a large majority of the media suggest the implementation of a credit freeze. I would think on this before you act. In essence, a credit freeze restricts almost all inquiries to your credit report. The effect is that the opening of any new account becomes extremely difficult, as almost every legitimate creditor refuses to allow a new account opening to occur without the ability to see one’s credit report. My hesitation arises out of the work one must put in to implement and lift a freeze. The Federal Trade Commission provides a succinct summary of how credit freezes work and what people must do to obtain one. Another slightly less burdensome option may be a fraud alert.
(5) Credit Monitoring and Identity Theft Protection
Whether you choose to use Equifax’s free offer of TrustedID Premier or another reputable service, something is better than nothing. With TrustedID Premier, be aware of the aforementioned fuss over the agreement to abide by an arbitration clause. I personally question the enforceability of this particular clause, but refrain from any enrollment in TrustedID if you want to ensure your right to bring a class action or suit against Equifax at some point in the future. You have a variety of options, whether it’s with LifeLock, IdentityForce, Credit Sesame, or another. Typically these services aren’t terribly expensive and come at a rate of anywhere from $10 to $15 an individual per month.
The fallout over Equifax’s inadequate data security measures is just beginning. The ramifications from Equifax’s failure to protect consumer information will reach far and wide. As a potential victim, it’s up to you to mitigate the impending identity risk in the days and weeks to come.