On September 7th, Equifax shocked millions with its acknowledgment that a data breach at the company could potentially affect as many as 143 million U.S. consumers (to put that number into perspective, census data estimates the total U.S. population at 324 million).
Equifax’s vulnerability traces back to early March, when Cisco Systems noted an online security flaw that could expose servers around the internet. Equifax claimed its technology experts worked to update vulnerable systems, though we now know those patches were ultimately not successful.
From mid-May to late-July, hackers were able to access significant Equifax data. Equifax first became aware of the problem on July 29th when the company’s security team noted “suspicious network traffic associated with its U.S. online dispute portal web application.” On August 2nd, the company brought in Mandiant (the cyber-investigations unit of FireEye) to look into the matter. Early in the investigation, Mandiant estimated that as many as 50 million individuals may have been affected, though those projections grew significantly over the weeks that followed.
Who Might Be Affected
As many as 143 million consumers may have been affected (in some fashion) by the breach. Exposed data include names, birthdates, Social Security numbers, addresses and some driver’s license numbers. Equifax said credit card numbers for approximately 209,000 U.S. consumers were stolen; it said that such credit card information likely belongs to individuals who had previously signed up for the company’s credit-monitoring services. Equifax also noted the breach revealed “personal identifying information” on 182,000 U.S. customers involved in credit report disputes.
What Is Equifax Providing
Equifax has created a special website (www.equifaxsecurity2017.com) which provides further details relating to this incident. Individuals can click on the “Potential Impact” tab to see if they may have been impacted by the data breach (disclaimer: some security experts have warned that the tool is fairly limited and that it is preferable to assume that you have been compromised (and take precautionary actions accordingly)).
Equifax is offering a free year of credit monitoring services (‘TrustedID Premier’), regardless of whether or not an individual was affected by the data breach. Initially, consumers had worried that signing up for the free service might void their right to sue the company, though Equifax recently clarified that language involving arbitration and class-action waiver clauses would not apply to this incident for any individuals signing up for the free credit monitoring services.
Other Steps to Take
Individuals have several tools that they can employ to protect their credit. Two of the more common defenses are a “security freeze” and a fraud alert.
- A “security (or credit) freeze” restricts creditors from accessing an individual’s credit files. Since creditors need to view an individual’s credit file to assess their credit risk, blocking creditors such access thus prevents would-be thieves from successfully establishing credit cards or loans in your name.
- A credit freeze does not impact already existing (open) lines of credit.
- A credit freeze does not affect your credit score.
- In order to place a security/credit freeze, you need to notify each of the major credit bureaus (Equifax, Experian, TransUnion and Innovis). Depending on your state of residency, the credit freeze may cost up to $15.
- Once you have completed the application process, the credit bureaus will issue a unique PIN allowing you to unfreeze your credit file in the future. [Security experts recommend that you store the PIN in a secure location.]
- A “fraud alert” instructs lenders not to grant credit in your name without contacting you first for approval (by whichever means of communication you choose in the fraud alert).
- A fraud alert is relatively easy to place (and can often be done over the phone or online).
- A fraud alert only lasts 90 days and must then be renewed to keep the fraud alert active. (Caveat: you can obtain an extended fraud alert for 7 years if you have been a victim of identity theft and have a police report to provide substantiation.)
- A fraud alert is merely a request for lenders to contact you first. They are not legally required to contact you first, thus making a credit freeze a much more secure option.
- Review your credit report. You can obtain a free credit report every 12 months at AnnualCreditReport.com. Many of the credit bureaus also offer a “3-in-1 credit report” for approximately $40. This report generally includes your credit history on file with Equifax, Experian and TransUnion and may also include your FICO score.
- Monitor your financial accounts. Review statements for any suspicious activity. Should you find any suspicious transactions, report them immediately.
- Use caution when giving out your personal information. Scam artists “phish” for victims by pretending to be banks, stores or government agencies. They do this over the phone, in emails and by postal mail.
- Treat your trash carefully. Shred or destroy papers containing your personal information including credit card offers and “convenience checks” that you do not use.
- Protect your computer. Protect personal information on your computer by following good security practices – use strong, hard-to-guess passwords (preferably with a combination of letters (including CAPS), numbers, and special characters); use firewall, anti-virus, and anti-spyware software that you update regularly; download software only from sites you know and trust (and only after reading the terms and conditions). Use caution in opening emails from unfamiliar sources. Do not click on links or attachments in spam email or in pop-up windows.
Other Helpful Resources
- “The Equifax Breach: What You Should Know” by Brian Krebs (Krebs On Security). September 17, 2017
- “What You Should Do This Weekend to Protect Your Credit From the Equifax Data Breach” by John Patrick Pullen. Fortune. September 15, 2017
- “ ‘We’ve Been Breached’: Inside the Equifax Hack” by AnnaMaria Andriotis, Michael Rapoport, and Robert McMillan. The Wall Street Journal. September 18, 2017
- “Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes” – Equifax (News & Events). September 15, 2017
- “Data Breach: Five Things to Do After Your Information Has Been Stolen” – Experian
This report is intended for the exclusive use of clients or prospective clients of New England Investment & Retirement Group, Inc. Content is privileged and confidential. Dissemination or distribution is strictly prohibited. Information has been obtained from a variety of sources which are believed though not guaranteed to be accurate. Past performance does not indicate future performance. This paper does not represent a specific investment recommendation. Please consult with your advisor, attorney and accountant, as appropriate, regarding specific advice.