Equifax Breach: What It Means and What You Should Do

This post has been updated since its original publication date of September 12, 2017, and will continue to be updated as new developments emerge.

What Happened

Equifax, one of the “big-three” U.S. credit bureaus, disclosed on September 7, 2017, that a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing but that the breach was believed to have occurred as early as mid-May 2017.

How It Occurred

Equifax has not released the exact details of how the breach occurred. However, according to FAQs posted on the website Equifax created to handle the incident, the breach appears to have occurred through exploitation of a security vulnerability in the company’s web applications, which were built on the open-source Apache Struts framework. The specific vulnerability was Apache Struts CVE-2017-5638, which was made public on March 6, 2017. This is more bad news for the company, as it means that Equifax still had not patched its systems when the attack began roughly two months later. An article by Jeremy Kirk posted on bankinfosecurity.com provides a good explanation of the specific vulnerability and of Equifax’s failed security practices.

What This Means

The data lost is sufficient for criminals to perpetrate widespread identity theft and fraud, including tax refund fraud. According to a posting on the FTC’s website, the breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents containing personal identifying information for about 182,000 people. They also took personal information of people in the UK and Canada.

What You Should Do

According to the FTC, these are the minimum steps you should take:

  • Visit the website created for this incident by Equifax – www.equifaxsecurity2017.com.
  • Enter the requested information to see if Equifax believes you were affected by the breach.
  • Regardless of whether Equifax believes your information was affected, you can (and should) enroll in the free credit monitoring service Equifax is making available for one year. Once you register, the website will give you a date on which to return to the website and complete the enrollment process.

It has been rumored online in recent days that enrollment in the free TrustedID Premier service precludes the consumer from participating in class action lawsuits against Equifax. That rumor has been dispelled by New York Attorney General Eric Schneiderman and by Equifax itself. According to FAQs posted on the website Equifax created to handle the incident, “To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

What Else You Should Do

It is worth noting that popular security researcher Brian Krebs has pointed out, on his blog krebsonsecurity.com, several flaws in the website and incident response that Equifax set up. It may also be faulty logic to depend on Equifax to take care of you now, after it failed to protect all of your data in the first place. As a Forbes article noted, Equifax has had several security issues in the recent past.

So, in addition to the previously mentioned steps, we strongly recommend that you consider the following measures:

  • Check your credit reports from Equifax, Experian, and TransUnion – for free – by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts. For information about how to freeze your credit files with the main credit bureaus, Equifax, Experian, and TransUnion, we recommend you visit the website of personal finance expert Clark Howard.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early, as soon as you have the tax information you need, before a scammer can beat you to it. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
  • Last but not least, maintain your vigilance and do not fall for phishing schemes and other scams relating to this incident. Fraudsters take advantage of the panic that follows incidents like this. Do not click on links in emails from people you do not know, or even in emails that appear to come from companies trying to reach you about your accounts. Go directly to the website of the company you have an account with and log on there.

Other identity theft protection services are also available, such as LifeLock and TrustedID. An article ranking these services can be found at consumeraffairs.com. Weaver does not endorse any particular identity theft protection service.