On September 7, 2017, Equifax publicly announced a major data security breach that impacts up to 143 million individuals that had their personal information including Social Security Numbers exposed to criminals. The root cause for the data breach was web server software (called Struts) that was not patched with a security patch made available in April (CVE-2017-5638). This breach was followed by a series of missteps by Equifax leadership including forcing a limitation of liability to the firm from individuals who determine if they are victims by registering on a specific Equifax website (Equifax has since walked this requirement back).
On September 15th, Equifax announced that they replaced the Chief Information Officer (David Webb) and the Chief Information Security Officer (Susan Mauldin) with interim leaders.
The implications for enterprises that deal with consumers, include a significant increase in consumer demographic and personal information available in the dark web for criminals to use to bypass current identity management controls that use passwords. This is additive to the over 3 billion user credentials harvested in 2016 which together drives the obsolescence of passwords.
The implications for the credit bureau industry and specifically Equifax are more significant.
Equifax announced on September 7, 2017 that a data breach at the company could have affected 143 million Americans. Information said to be compromised includes Social Security Numbers, birth dates, addresses, driver’s license numbers and credit card numbers in some cases. Even if you have never heard of Equifax or used them, they may still have your information. Equifax is one of the “big-three” when it comes to credit reporting and rating of credit history of U.S. Consumers. They get their information from credit card companies, banks, retailers and lenders.
The Breach was discovered on July 29th of this year, and Equifax immediately stopped the intrusion. The company engaged a leading outside cybersecurity firm to conduct a review and determine the scope of the breach. The company also notified local law enforcement and continues to work with authorities as the investigation is ongoing.
Equifax will NOT be contacting everyone that was affected. They will only send mail notices to those whose credit card numbers or dispute records were accessed. The company is suggesting that you sign up for free credit file monitoring service offered through TrustedIDhttps://www.equifaxsecurity2017.com/trustedid-premier/Premier.
- Visit the https://www.equifaxsecurity2017.com/page to get all of your questions answered and to sign up for the free credit monitoring
- Equifax has setup a designated phone line 866-447-7559for questions
- Review your bank statements and credit card statements regularly (recommend weekly). If you see unauthorized activity, immediately report it to the bank or credit card company
- Request a copy of your credit report. You are entitled to a free credit report once a year from all three of the major credit reporting agencies. (Equifax, TransUnion and Experian)
- Place fraud alerts on your credit reports. Lenders must verify your identity before issuing credit in your name
- For a Fee, you can place a long-term freeze on your account. This will take your credit report out of circulation and credit cannot be issued unless you lift the freeze
- Visit the Federal Trade Commission’s website, ftc.gov/idtheftfor additional information on how to protect yourself
Open source information:
https://www.equifaxsecurity2017.com/
https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
http://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/