equifax hacked! protect yourself. 143 million people at risk (most likely affects you!)

Sensitive information, SSNs of 44% of U.S. consumers accessed by attackers

What kind of information was compromised?

The attackers gained access to:

  • Names, Social Security numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers for the aforementioned 143 million U.S. individuals.
  • Credit card numbers for approximately 209,000 U.S. consumers
  • Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers
  • Limited personal information for certain UK and Canadian residents.

About the breach

“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company curtly explained.

The breach was detected on July 29 of this year, and the company called in a “leading, independent cybersecurity firm” (reportedly Madiant) to handle forensic investigation and help with incident response.

The investigation revealed that the unauthorized access occurred from mid-May through July 2017.

Equifax has set up a dedicated website to help consumers determine if their information has been impacted and to sign up for credit file monitoring and identity theft protection with TrustedID Premier, a credit monitoring service that is also operated by Equifax.

Even those consumers who haven’t been impacted can sign up. Brian Krebs went through the process, so you can check out his report to see what you can expect.

Equifax says that they “have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

Equifax breach impact

“The amount of personal identifiable information that has been compromised in this breach is substantial, to put it in perspective, the US population was around 324 million at the beginning of the year, which means that with 143 million consumers at risk, this breach affects a large portion of the United States,” noted Vishal Gupta, CEO of Seclore.

“There is no doubt that the information obtained by cybercriminals will be used in one way or another. With access to data of millions of users used for credit reporting, credit scores and more, Equifax should have taken steps to assure information was secure regardless of where it is stored or if it leaves the network or not. Until organizations responsible for safeguarding large amounts of user information shift to a data-centric security model, they remain highly-valuable targets for hackers, who will continue to come up with inventive ways to infiltrate systems.”

Eduard Goodman, Global Privacy Officer, CyberScout, says that this incident underlies one of the key issues with the U.S. consumer credit system and centralization of credit data on Americans.

“We have become overly reliant on the three credit bureaus who act as the sole data ‘brokers’ and repositories of data for creditworthiness, making an exposure like this a very dangerous event. With loss of not just SSNs but other secondary pieces of data like previous addresses, mother’s maiden name or the banking institutions with which consumers hold loans, to some degree we have exposed an entire consumer facing security ecosystem to failure since everyone from credit loan verification to online account sign ups depend on this information to help verify us all. The impact of this breach, depending upon who actually has obtained the information and how it is misused could last for a decade.”

Equifax is one of the three main organizations in the US that calculates credit scores

No data breach is good, but some are more palatable than others. We would all rather hear that our florist got hacked than, say, our bank. And the most painful breaches, like the Office of Personnel Management or Anthem health insurance incidents that involved stolen Social Security numbers and other hard-to-change personal data, are naturally the most valuable targets for attackers. We can now add the massive credit reporting agency Equifax to that list.

On Thursday, the company disclosed that a data breach it discovered on July 29 may have impacted as many as 143 million consumers in the United States. Equifax is one of the three main organizations in the US that calculates credit scores, so it has access to an extraordinary amount of personal and financial data for virtually every American adult. The company says that hackers accessed data between mid-May and July through a vulnerability in a web application. Attackers got their hands on names, Social Security numbers, birth dates, addresses, some driver's license numbers, and about 209,000 credit card numbers. A hundred and eighty-two thousand “dispute documents,” essentially complaint submissions that include personal identifying data, were also compromised in the breach.

as much as 44 percent of the US population will feel the impact of this breach for years to come, especially when it comes to their Social Security numbers

“When this type of stuff happens, it’s like oh, crap,” says Alex McGeorge, the head of threat intelligence at the security firm Immunity, “Your Social Security number doesn’t change, so this data is going to get resold on the black market and hold its value for a while." Assuming data was stolen by criminals and not a nation state, experts predict that it will circulate for years.

There are some things you can do to protect yourself. Equifax is offering a website—www.equifaxsecurity2017.com—where you can check whether you are one of the 143 million people whose data may have been compromised. (A small number of citizens in the United Kingdom and Canada may also be affected.) Currently, the website doesn’t give you a simple answer about whether or not your data may have been affected, but it seems to tell you if it wasn’t. Equifax is also offering a year of free credit monitoring and identity theft insurance that you can (and should) sign up for on that site if you're a US resident. If your information could have been compromised in the breach, you might also want to consider paying for additional years of credit monitoring after Equifax’s free year expires. Attackers may have better luck abusing the leaked data in earnest after that first year is over and many potential victims lose free monitoring.

You should also keep a close eye on your finances. 

"Consumers should remain calm and be cognizant of their personal credit report and activity," says Mark Testoni, the president of SAP National Security Services. "Check for notifications to see if new credit applications have been filed on your behalf, and monitor your accounts for adverse action. If your details are circulated on the black market, the big risks are fraudulent credit applications on your behalf and bad actors trying to find ways to take advantage of your personal [data].”
Equifax hasn’t indicated who was behind the breach and says a law enforcement probe is ongoing. It's also unclear whether attackers compromised a third party that contracts with Equifax or a main Equifax web application. The “dispute document” data that was part of the breach is relatively specific and could indicate that the vulnerable web app was related to a customer submission service or a server that hosted databases including customer feedback logs.

The company maintains, though, that its core credit reporting databases were unaffected—cold comfort given the scale of the breach that did occur. “It begs the question, if 143 million people could be affected and this does not touch your core, where were you keeping this data?” McGeorge says. “Where does this data live that’s not your core?”

Equifax is an obvious target for hackers since it processes so much valuable, individualized data, but there is also some irony given the personal security and identity theft defense products the company sells. "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax chairman and CEO Richard Smith said in a statement. "We pride ourselves on being a leader in managing and protecting data."

There will be more questions in the days ahead about how this happened, and who at Equifax knew what, when. But it's probably time for Smith to revise his marketing pitch.

Three Equifax executives sold $2 million worth of shares days after cyberattack

Three Equifax executives sold shares worth nearly $2 million in the company days after a data breach was discovered, according to filings to the SEC
The company said the trio "had no knowledge that an intrusion had occurred at the time they sold their shares"

Three executives of Equifax sold shares worth nearly $2 million in the company days after a data breach was found to affect 143 million consumers in the United States, filings to the Securities and Exchange Commission showed.

The fillings showed that the trio – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – offloaded the shares on August 1 and August 2.

Equifax said on Thursday it discovered a data breach on July 29. The credit reporting firm said the exposed data included names, birth dates, Social Security numbers, addresses and some driver's licence numbers.