• TABLE OF CONTENTS •
Equifax Hack: The Facts
How Criminals Can Use This Stolen Data
Identity Authentication: Protection from the Equifax Fallout
Was Your Information Compromised in the Equifax Hack?
What to do if your Information was Compromised
From mid-May to July 2017, Equifax, one of the three nationwide credit reporting bureaus, suffered a massive data breach in which the sensitive personal information of 143 million American consumers was compromised. Equifax discovered the breach on July 29, 2017.
Credit reporting bureaus - Experian and TransUnion are the other two - track and rate the financial history of U.S. consumers by collecting the data from credit card companies, banks, retailers, and lenders - all without consumers noticing. The fact that credit reporting bureaus house such an incredibly large amount of not only sensitive personal identifying data but also financial data is what makes them so attractive to data hackers.
On September 7, 2017, Equifax announced the hack via press report. Equifax described the hack as a "cybersecurity incident" in which "criminals exploited a U.S. website application vulnerability to gain access to certain files."
These 'certain files' contained the following information:
All the information in these 'certain files' is now compromised.
Since discovering the hack, Equifax has:
Equifax attributed the delay between discovery of the hack on July 29 and announcement of the hack on September 7 to the investigation being performed by the contracted cybersecurity firm. According to Equifax, the 'issue' has been contained, and the company will follow the recommendations of the contracted cybersecurity firm to prevent such a hack from happening again.
Equifax has stated that they will not be contacting everyone who has had their information compromised in the breach - just those whose credit card numbers or dispute records were accessed.
So, how do you know if your information is amongst those that were compromised? By having a credit report.
“If you have a credit report, there's a good chance that you're one of the 143 million American consumers whose sensitive information was exposed in a data breach at Equifax”
– Federal Trade Commission (FTC)
That's right, according to the FTC, the only prerequisite needed to be a victim of the Equifax hack was having a credit report. (If you're worried about your identity being stolen and want to do something about it now, jump ahead to the "What to do if Your Information was Compromised" section.)
Remember: having an Equifax record is 100% voluntary. Only those who made the choice to have ever participated in the economy are included.
— matt blaze (@mattblaze) September 10, 2017
There are two main actions criminals can take when they steal identity information: use the information themselves or sell the information. Either action will inevitably result in the fraudulent use of that information.
Criminals can use stolen identity information for their profit in one of two ways: through account takeover fraud and/or through new account fraud.
Account takeover fraud describes fraud in which a criminal uses a victim's personal identifying information to literally "take over" a financial account, such as a credit card account, that belongs to that victim. Personal identifying information - such as names, addresses, and birthdates - can potentially provide enough identifying information that changes, such as a change of address, can be made on an existing account. However, a person's name, address, and phone number only go so far; beyond a certain point, impersonating that person becomes impossible, for example when trying to open a new line of credit in that person's name.
You can learn more about account takeover fraud, especially in relation to data breaches, here.
New account fraud describes fraud in which a criminal uses a victim's personal identifying information to open new financial accounts in that victim's name, much like the aforementioned opening a new line of credit. In order to open new accounts, criminals typically need to have knowledge of not only a sufficient amount of a victim's personal identifying information - such as the full name, current address, and birthdate - but also the victim's Social Security number.
This is due to the fact that most new accounts are only opened after obtaining the credit report - which is obtained using a Social Security number - of the person requesting to open the new account. However, in some cases, such as transactions involving the opening of a line of credit (through a store-branded credit card) at a retail store's register, credit reports can't be obtained prior to the transaction finishing - which is one method of how criminals have been frequently conducting new account fraud.
Without a Social Security number, criminals can only do so much using a person's personal identifying information - there's a good chance that conducting account takeover is near impossible if the criminal does not have a sufficient amount of a victim's personal identifying information.
Despite not having a Social Security number, however, criminals can still fraudulently, for example:
What's so scary about a hack such as the Equifax hack is that 143 million people's Social Security numbers are now potentially in the hands of those who would use that information to profit from fraud as much as they can.
It is the loss of Social Security numbers that is the most unnerving aspect of the Equifax hack. Once a criminal gets a person's SSN, a complete takeover of that person's identity is more than possible. Being armed with personal identifying information as sensitive as the SSN can potentially allow criminals to fraudulently:
Considering there was an approximately six-week gap between the time the data breach was noticed and the time the data breach was announced, criminals who have this data have had a six-week head start on using the data fraudulently. Even if you froze your credit the minute the data breach was announced, your information could already have been used to commit identity fraud.
“Once your personally identifiable information has been stolen, people can use that information to basically impersonate you. They can create fake loans and fake bank accounts. And the names will be posted on lists that become available to future hackers”
– Fleming Shi, Senior Vice President for Barracuda Cybersecurity
Take for example, the case of a criminal opening a new credit card in your name and maxing it out, without making even one payment. The missed payments and the amount of the credit card debt will all end up on your credit report. Once that happens, getting basic life necessities, such as a new cell phone or a loan for a car, can be difficult, if not impossible.
In other words, the goal of most criminals who fraudulently use other people's personal identifying information is to financially profit in some form or another off of that information, ruining the financial stability and reputation of that person in the process.
“That’s the foundational identification information for U.S. consumers. It’s enough to allow cyberthieves to take over you online.”
– Mark Nunnikhoven, head of cloud research for Trend Micro
The prospect of millions of people being unable to secure their identities from unauthorized use in financial activities is incredibly alarming - not only for individuals whose identities have been compromised but for businesses across almost all industries, particularly those in the retail and financial sectors.
While people who have had their information compromised in the hack can take steps to protect their identity, there are also steps that businesses can take not only to protect U.S. consumers from the ensuing identity fraud fallout but also to protect themselves from falling victim to identity fraud.
Consider for a moment: Where will criminals be using all the fraudulent information stolen in the hack? At businesses.
Not only can criminals potentially fraudulently use a victim's credit card, but they can also potentially open new lines of credit at a department store, for example. If a criminal decides to come into your store, armed with a stolen SSN as well as detailed knowledge on the person being impersonated, how will you be able to tell that they are a criminal?
Businesses that regularly extend lines of credit, such as retail stores with store-branded credit cards, automotive dealerships, and financial institutions, should be particularly wary of identity fraud in the wake of a data breach.
Additionally, businesses that accept credit cards should also be on alert for identity fraud via fraudulent credit cards, especially since EMV regulations state that businesses that allow fraudulent credit card transactions in particular situations, even unknowingly, are liable for the cost of the fraudulent transaction. Learn more about how EMV regulations impact the liability of businesses here.
One method of making sure people are who they say they are is to authenticate identities. Identities can be authenticated by checking identity documents, such as driver's licenses or passports.
Although sensitive personal identifying information was lost in the Equifax hack, the one thing that criminals cannot get their hands on through a hack is the real identity document of a person. A criminal may have a person's name, address, and SSN, but if they need to 'prove' their identity using an identity document, they're simply going to have to produce a fake identity document. And lucky for you, virtually all government-issued identity documents are riddled with hard-to-reproduce security features.
By making sure that transactions are accompanied by identity documents and making sure that those identity documents are indeed the real thing, you can be sure that all transactions made by your business are legitimate, and not fraudulent.
And just how do you authenticate identity documents? By checking for security features. For example, almost all state-issued driver's licenses carry security features that can only be seen under ultraviolet (UV) light. If you make sure not only that these security features exist on each identity document, but also that they exist exactly where they're supposed to, you can authenticate the identity of any customer.
In the aftermath of any data hack, especially one as large as the Equifax hack, businesses would be wise to have devices capable of authenticating identity documents on hand.
Stealing the identity information of people is one thing, but creating fake identity documents that can pass the scrutiny of machines - without breaking the bank - is another thing. Criminals are only finding it lucrative to steal identities because the financial cost of impersonating a victim stops at the price they paid either to perform a data hack themselves or purchase identity information from other criminals.
Consider just how much the lucrative nature of identity fraud disappears once criminals have to make sure that every fraudulent transaction they attempt must be accompanied by fake identity documents that are made well enough to bypass a machine's ability to detect minute inconsistencies between a fake identity document and a real identity document.
Authenticating identity documents takes away the ability of identity thieves to meaningfully use the identity information that they steal through hacks. Identity authentication stops personal identifying information from being fraudulently used.
If it wasn't stated clearly enough above: if you have a credit report, you should go ahead and assume your information was compromised in the Equifax hack.
Considering that the U.S. Census Bureau estimated in 2016 that there were 323.1 million people living in the United States, a hack of this magnitude means that potentially 44.26% of the U.S. population has had their information compromised.
That's over 4 in 10 people, folks! At this point, it'd be safer to assume that your information was compromised and follow one of the preventative measures below to protect your identity.
As mentioned above, Equifax has provided a way for people to check whether or not their information was compromised in the attack. However, there have been reports of false results when checking whether or not information was compromised in some instances, and as of September 11, 2017, Equifax has yet to comment on whether or not the false-results issue has been addressed, much less fixed. The result given by the Equifax site should be taken with a grain of salt for now.
There are several things you can do to prevent the misuse of your personally identifying information:
Each of the points above is expanded upon below.
Equifax has provided a way for people not only to find out if their information was compromised in the breach, but also to protect against the misuse of their information, through their website, www.equifaxsecurity2017.com.
People can enter their last name and the last six digits of their Social Security number to see if their information was compromised in the breach. If your information was compromised, you can get a year of free credit monitoring through TrustedID Premier and other services. Even if your information was not compromised, you can still get a free year of credit monitoring through TrustedID Premier. The deadline to enroll in the free credit monitoring service is November 21, 2017.
The TrustedID Premier credit monitoring service includes:
Initially, in order to enroll in the TrustedID Premier credit monitoring service, people had to agree to an "arbitration clause", which waived their right to participate in a class action lawsuit, class arbitration, or other representative action. On September 8, Equifax clarified that this arbitration clause did not apply to this recent hack.
On September 10, Equifax removed the arbitration language from their site and further clarified that they "will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself."
A strong word of caution: You may want to avoid taking steps to secure your identity information through Equifax. There are other means of securing your identity without going through Equifax – please see below.
While Equifax has obviously taken steps to attempt some damage control, there have been signs that the steps taken are not secure. Two issues have come up that have caused even more alarm in the aftermath of the data breach: their website – www.equifaxsecurity2017.com – has returned false results when checking whether or not a person's information has been compromised by the breach, and placing a credit freeze (see below) through Equifax has resulted in a non-random PIN.
There have been reports that when fake personal information – such as a person with the surname "Test" and the SSN "123456" – is entered on the site, a result stating that the person "may have been impacted" by the breach is returned.
Just wow. If you enter "Test" and "123456" on Equifax's hack checker page, it says your data has been breached. pic.twitter.com/cTjTs7Frjv
— Zack Whittaker (@zackwhittaker) September 8, 2017
There have been additional reports of getting two different results when the same information is entered. Being unable to provide a correct response even for something as simple as checking data against data raises questions about the competence of Equifax's response in the wake of the data breach.
If checking @Equifax for PII impact, check twice. I got different results last night and today.
— Erin Denise (@erininwestloop) September 8, 2017
To date, this false returns issue has not been addressed, much less fixed, by Equifax.
As early as September 8, 2017 – the day after the data breach was announced – people have noticed that the personal identification number (PIN) issued by Equifax when attempting to place a credit freeze on Equifax credit reports is not random – the PIN issued is actually just the timestamp of when you placed the credit freeze in the following format: MMDDYYHHMM.
Screenshot of when you're assigned an Equifax security freeze PIN. It's just a timestamp of when you made the freeze: MMDDYYHHMM. pic.twitter.com/xna8aaQ2b3
— Tony Webster (@webster) September 9, 2017
The glaring problem with this is that the PIN is needed to lift the credit freeze – there is absolutely nothing secure about Equifax creating PINs that are so easy to guess using brute-force methods. Although this PIN issue was fixed on September 11, 2017, people who had already placed a credit freeze will need to obtain a new PIN through the mail (yes, snail mail).
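To make the weakness concrete, here is an added Python example that is not Equifax's code (which is not public). It takes the MMDDYYHHMM format reported above as given, contrasts a timestamp-derived PIN with one drawn from a cryptographic random source, counts how many distinct PINs each scheme can produce for a freeze placed within a known window, and flags PINs that decode as plausible timestamps, the kind of check an auditor could run over a sample of issued PINs. The accepted year range in the audit check is an assumption.

```python
import secrets
from datetime import datetime
from typing import Iterable

PIN_LENGTH = 10
TIMESTAMP_FORMAT = "%m%d%y%H%M"   # MMDDYYHHMM, the format reported for Equifax freeze PINs


def timestamp_pin(freeze_time: datetime) -> str:
    """The weak scheme described in the article: the PIN is just the freeze time."""
    return freeze_time.strftime(TIMESTAMP_FORMAT)


def random_pin() -> str:
    """A PIN drawn from the OS CSPRNG: every 10-digit string is equally likely."""
    return "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))


def timestamp_candidates(window_start: datetime, window_end: datetime) -> int:
    """Distinct PINs the timestamp scheme can yield for a freeze placed in
    [window_start, window_end]: exactly one per minute of the window."""
    minutes = int((window_end - window_start).total_seconds() // 60) + 1
    return max(minutes, 0)


def random_candidates() -> int:
    """Distinct PINs a uniformly random 10-digit scheme can yield."""
    return 10 ** PIN_LENGTH


def parses_as_timestamp(pin: str, year_lo: int = 1990, year_hi: int = 2030) -> bool:
    """Audit check: does this PIN decode as a plausible MMDDYYHHMM timestamp?
    The accepted year range is an assumption made for this example."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    try:
        decoded = datetime.strptime(pin, TIMESTAMP_FORMAT)
    except ValueError:            # invalid month/day/hour/minute, or leftover digits
        return False
    return year_lo <= decoded.year <= year_hi


def flagged_fraction(pins: Iterable[str]) -> float:
    """Share of a PIN sample that looks timestamp-derived. A uniformly random
    scheme should flag only a small fraction (roughly 0.2% for 1990-2030);
    a sample that is mostly flagged points at a predictable generator."""
    pins = list(pins)
    if not pins:
        return 0.0
    return sum(parses_as_timestamp(p) for p in pins) / len(pins)


if __name__ == "__main__":
    # Constructed sample: three freezes placed on September 8, 2017.
    freezes = [datetime(2017, 9, 8, 9, 5), datetime(2017, 9, 8, 14, 32), datetime(2017, 9, 8, 23, 59)]
    weak = [timestamp_pin(t) for t in freezes]
    strong = [random_pin() for _ in freezes]
    print("timestamp PINs:", weak)
    print("random PINs:   ", strong)
    day = timestamp_candidates(datetime(2017, 9, 8, 0, 0), datetime(2017, 9, 8, 23, 59))
    print(f"candidates if the freeze day is known: {day} vs {random_candidates()} for a random PIN")
    print(f"flagged as timestamp-like: weak={flagged_fraction(weak):.0%}, random={flagged_fraction(strong):.0%}")
```

The point of the comparison is the size of the candidate set: a random 10-digit PIN has ten billion equally likely values, while a timestamp PIN for a freeze placed on a known day has only 1,440, and the decoded value also reveals when the freeze was placed. The audit check does not prove a generator is predictable, but a high flagged fraction across a sample of issued PINs is a strong signal that it is.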
The most unnerving thing about the PIN issue is that this non-random method has been used by Equifax for at least a decade.
Verified PIN format w/ several people who froze today. And I got my PIN in 2007—same exact format. Equifax has been doing this for A DECADE.
— Tony Webster (@webster) September 9, 2017
In fact, the issue was noticed and brought to the attention of Equifax over a year ago – but, unsurprisingly, nothing was done about it. Until now, of course.
Here's someone more than a year ago informing Equifax that their PINs are simple timestamps. pic.twitter.com/HOqSPtZnXo
— Ken Norton (@kennethn) September 12, 2017
Whether or not you want to trust Equifax at this point with securely monitoring any misuse of your identity information is your choice.
US legislation mandates that every US consumer be given access to their credit report for free from each of the three credit reporting bureaus (Equifax, Experian, and TransUnion) at least once per year. If you haven't obtained your free credit report in the past year, you can obtain it here.
Each credit report should contain an organized list of all information related to your credit activity. Credit reports contain information such as:
When looking through your credit report, look out for:
If you find any suspicious or fraudulent activity on your credit report, contact the fraud department of the credit card company or loan-issuing institution where the activity took place.
Having a "fraud alert" on your credit report means that credit card companies as well as other institutions that issue lines of credit or loans will be required to verify your identity before they can obtain your credit report.
Placing a fraud alert on your credit report is free and quite simple: all you have to do is contact one of the three credit reporting bureaus - Equifax, Experian, or TransUnion - and request that a Fraud Alert be placed on your credit report. Each credit reporting bureau is required to inform the other two bureaus that you have requested a Fraud Alert and those two bureaus are required to place Fraud Alerts on your credit report as well.
There are three types of Fraud Alerts available:
Here is the contact information for the three credit reporting bureaus:
While a Fraud Alert may prevent the opening of new accounts in your name, it will not prevent the misuse of your existing accounts - which is why constant vigilance over your existing accounts is highly recommended in the wake of a hack the scale of the Equifax hack.
Lifting a Fraud Alert is free and quite simple as well: simply get in touch with one of the three credit reporting bureaus to lift the Fraud Alert at all three credit bureaus.
Having a "credit freeze" on your credit report means that no one, including creditors (credit card companies, loan companies, etc.), will be able to access your credit report unless the credit freeze is lifted; a fraud alert, on the other hand, allows for access to your credit report as long as creditors verify your identity first. However, creditors with whom you already have existing accounts will be allowed access to your credit report, even with a credit freeze in place.
Placing a credit freeze is a bit more complicated than placing a fraud alert: you have to contact each of the three credit bureaus and request to have a credit freeze placed on each of your credit reports. In further contrast to a fraud alert, placing a credit freeze is not necessarily free. Depending on the state, placing a credit freeze can cost between $5 and $10 per credit report. Additionally, the length of time a credit freeze lasts varies by state.
Once a credit freeze is placed, each credit bureau in which you placed the credit freeze should mail you a confirmation letter that contains your unique PIN (personal identification number). When you're ready to lift the credit freeze, you'll need to provide your PIN to the corresponding credit bureau. Credit freezes cannot be lifted, even temporarily, without this PIN. There may also be a cost to lift the freeze, depending on the state.
To find out whether or not your state charges a fee to place or lift a credit freeze and how long your state allows for a credit freeze to remain in place, click here.
Please note: if you are a victim of identity theft (i.e., your information has been fraudulently used), placing and lifting a credit freeze is free, regardless of the state in which you reside.
Here is the contact information for the three credit reporting bureaus:
Similar to fraud alerts, a credit freeze cannot protect you from fraudulent activity for your existing accounts - which is why it is important to monitor your existing accounts on a regular basis, as further explained below.
Reviewing your account statements does not require you to contact any credit bureaus or pay any fees - this step in prevention is something you can do starting right now for free. You should try to make it a daily habit to check the transactions made on your credit card, your bank account, and any other financial account you have.
Reviewing your credit report should be free as long as you have not received your free credit report in the last 12 months. You can obtain your credit report for free from each of the three credit reporting bureaus once every 12 months here.
The one thing that neither a fraud alert nor a credit freeze can do is detect fraudulent activity on your existing accounts. For example, neither a fraud alert nor a credit freeze will be able to stop a criminal from accessing and fraudulently using your current credit card account.
As of now, the only way to make sure that your current accounts are not compromised is to vigilantly and frequently monitor all your existing accounts. Checking your credit report as frequently as possible is recommended as well as it can potentially show suspicious activity, such as a change in address on a certain account, that you may have missed despite constant monitoring of your accounts.
Catching fraudulent activity on your existing accounts is made even more important by the fact that people are not liable for the fraudulent charges made to their accounts. However, they are responsible for reporting this fraudulent activity in a timely manner - waiting too long could potentially impede your ability to recover those fraudulent charges.
Although it is too early to perform this step, it is important to keep in mind that it is highly recommended that you file your tax return as early as possible. The reason for this is that Social Security numbers were compromised in the Equifax breach, meaning criminals can file fraudulent tax returns in your name and obtain a refund that was due to you.
Many tax fraud victims find out that their identities were compromised when they attempt to file their tax return, only to have the IRS tell them that a tax return was already filed under their identity.
You can do any, all, or none of the above steps to take preventative measures to protect your identity - the choice is yours.
There are several warning signs to look out for that your information is being fraudulently used, if your information was compromised through the hack or otherwise:
If you find out that your information is being used fraudulently, make a report with your local law enforcement agency immediately.
As mentioned in the first section, certain UK and Canadian residents have had their information compromised in the hack. Equifax is currently working with the respective regulators to determine the appropriate next steps.