In early September 2017, Equifax, one of the three nationwide credit reporting bureaus, announced that as many as 143 million Americans had been compromised after a cybersecurity breach allowed access to sensitive information. Although the announcement was not made until September, Equifax admitted that the breach had been discovered on July 29 and had occurred at some point between mid-May and July.
What Happened
Equifax claims that a website application vulnerability was to blame for the cybersecurity breach. Although details of what caused the breach have not been released, security analysts say that cybersecurity vulnerabilities are often easy to exploit. It’s possible that there was a programming error or a mistake in configuration. Many experts claim that cybersecurity is often underfunded in large companies, making them vulnerable to breaches. In 2016, Equifax was warned about basic scripting bugs in its system, but the company took no action to resolve those issues. This attack on Equifax is widely believed to be the largest security breach involving social security numbers.
What Was Taken
The security breach at Equifax allowed hackers to gain access to important personal information, including but not limited to:
- Birth dates
- Social security numbers
- Driver’s license numbers
- Credit card numbers
- Addresses
Any of these pieces of information alone would be enough for sophisticated criminals to create problems for consumers, but together, it’s a shocking amount of data to fall into the wrong hands. All of the data stolen can be used by criminals to commit identity theft – in both the short and long term.
Who Was Affected
The most frightening thing about the breach is that you may be unaware that you were affected. Equifax collects and stores data that creditors use to determine creditworthiness. Almost all the information stored is personal information, including court judgments and the balance on credit accounts. The company set up a website that allows you to enter your last name and a portion of your social security number to see if you have been affected.
Equifax Response
Equifax is offering free credit monitoring for one year following the incident, and consumers have until November to enroll. Once you’ve entered your information into the database at the Equifax Data Breach site, it takes you to another screen where you can sign up for free monitoring. Equifax’s monitoring service allegedly searches suspicious sites to see if your social security number appears and gives you unlimited access to your Equifax credit report.
Equifax has also said that it will notify by mail any consumers whose personal information may have been compromised. However, the company’s response has been met with considerable backlash. Initially, in order to sign up for free credit monitoring, you were required to agree to binding arbitration, which would give up your right to sue Equifax should your identity be compromised. Recently, Equifax announced that the arbitration clause would not apply to anyone affected by the recent breach.
Congressional Investigation
Democratic Congressman Mark Warner asked the Federal Trade Commission to conduct a thorough investigation into the security breach. He asked that the investigation include a review of Equifax’s security practices and the company’s response to consumers who may have been affected.
It was also discovered that three days after the company learned of the breach, three senior executives at Equifax sold almost $2 million worth of stock. Equifax claims that the executives had not been apprised of the breach when the stock was sold. Members of Congress are also concerned that Equifax delayed notifying the public for more than a month after it learned of the breach.
History of Breaches
This is not the first data breach at the major reporting agency. In 2016, personal information of more than 430,000 employees of Kroger was leaked due to a data breach at W-2 Express, a subsidiary of Equifax. A class action lawsuit ensued, with attorneys for the plaintiffs pointing out that Equifax willfully ignored weaknesses in data security.
In June 2017, Equifax reported that credit information used by their partner, Lifelock, had been exposed through an online portal. As far back as 2013, the New Hampshire Attorney General found that IP address operators were able to access personal information at Equifax much more easily than they should have been able to, prompting Equifax to adjust their identification process.
Security analysts who are reviewing Equifax’s website are finding many instances of old software and script issues that would make the company vulnerable to attack. What they have found indicates that Equifax disregards cybersecurity, as older software has fewer protections than newer software.
Because the data stored by Equifax is personal by nature, this data breach is much more troubling than those in the past. As Congress continues to investigate how this breach happened and Equifax works to correct its system, experts recommend accessing your credit report on an annual basis and checking it closely. You can get a free report every year by law from AnnualCreditReport.com. It’s recommended that you continue to check your report on an annual basis since thieves may hold on to your information for several years.