The Aftermath of the Equifax Breach

Oran Cohen

September 13, 2017

Post Apocalypse Data World

In September of 2017, news broke that Equifax, one of the world’s three largest consumer credit reporting bureaus, had suffered a massive data breach. This follows the infamous US OPM (Office of Personnel Management) hack of 2015. The OPM hack, of course, covered government employees and just about anyone who had security clearance, including covert operatives, otherwise known as spies. The data of 21.5 million people were released in that hack.

Equifax thankfully did not leak a list of classified US government personnel, but they did leak the data of approximately 143 million US consumers (pretty much the entire working population!), some 44 million British consumers (out of about 48 million adults in the UK) and some undisclosed number of Canadian consumers. In addition, about 209,000 credit card numbers were leaked.

With these two hacks covering so much of the US population, the time has come to assume that the personal information you thought was private is not. That includes your name, social security number, address, birth date, and in some cases driver’s license numbers. Basically, everything one would need for identity theft.

Take a deep breath. Now ask yourself what you can do about it. Changing your social security number is nearly impossible, so unless the US government decides to respond by changing the system (not feasible in the short term), you can’t change your SSN. Therefore, here are some recommendations for you to follow.

Item 1 is something you should already be doing. But just in case you weren’t, start now.

1. Check your credit card statements for unknown or suspicious purchases. Then check your bank statement for any suspicious transactions. If you have any concerns, contact the relevant financial institution as soon as possible.

2. To quell further damage, we suggest that you enable Multi-Factor Authentication (MFA) on all the services that you can. The less a hacker can find out about you by getting into poorly protected email accounts, Facebook accounts, etc., the harder it is for them to impersonate you. Unfortunately, the data they will already have makes identity theft easy, but you don’t want them calling the bank and impersonating you to conduct a transfer. Take a look at turnon2FA for sites that offer it and instructions on how to enable it.

3. The three largest credit bureaus (Equifax, Experian, and TransUnion) are obligated by law to make a free copy of your credit report available to you once per year. Therefore, you can request a copy of your credit report from a credit bureau approximately every 4 months on a rotating basis. Check it over for any loans, credit cards, etc. that you don’t actually have. It would be pretty bad to discover that your credit rating has been ruined by identity theft 10 years down the line when you decide to upsize your home. Dealing with it immediately will be a large hassle, but much easier than dealing with it in 10 years, or when the collection agency comes knocking.

4. Finally, all three major credit bureaus are required to allow you to “freeze” your credit rating (except in Michigan!). However, after freezing your credit rating you will be unable to apply for a loan or new credit card without unfreezing it. This may have a positive spin if you’re one of those people who constantly applies for new store credit cards to enjoy the savings they offer! There is a fee to freeze and unfreeze your credit rating. Equifax has committed to waiving their credit-freeze fees for 30 days (the other credit bureaus are yet to follow suit).

When you freeze your credit rating (with each bureau) you will be issued a PIN. Please make sure to make a secure note of this PIN (keeping it with your credit reports makes sense!). After all, if you lose it you might need to prove your identity to the credit bureau using all the information that was leaked. If your credit rating was frozen at the time of the hack, you should contact the bureau to get a PIN all the same, since without that PIN your rating could be unfrozen with the leaked data.

Many are saying that freezing your credit rating is the most important step, but if someone unfreezes it using the stolen data and social engineering, you are still going to be stuck trying to clear things up unless you also follow item 3. There is also something unsettling about paying Equifax a charge to freeze and unfreeze your credit rating when they are responsible for leaking your data. At the time of writing, at least 23 class-action suits have been filed against Equifax. Here are a couple of excerpts from the complaint filed in North Georgia, which covers Atlanta, where Equifax is headquartered:

“Equifax had the resources to prevent a breach, but neglected to adequately invest in data security, despite the growing number of well-publicized data breaches.” – Experian, one of the three other major bureaus, was breached for the second time in 2015. Shouldn’t that have been a wake-up call?

“Had Equifax remedied the deficiencies in its data security systems, followed security guidelines, and adopted security measures recommended by experts in the field, Equifax would have prevented the Data Breach and, ultimately, the theft of its customers’ PII.”

As individuals, we must take these sensible steps to ensure that we don’t become victims. But many of us are business owners too, which means that we are increasingly viewed not only as victims of hacking but also as liable for the disruption it causes. That is all the more reason why we should be taking every security measure possible. From a legal standpoint, it’s going to get harder and harder to justify inaction if our customers’ PII is compromised as a result of a hack on our systems.
