Update, September 9, 2017: Equifax has updated their site due to the various issues consumers were having with the site. You can now immediately learn, with ease, if your information was part of the data breach at https://www.equifaxsecurity2017.com/.
Disturbing news in the United States yesterday: major credit bureau, Equifax, was hacked, and up to 50 percent of Americans may be affected. Furthermore, the type of information gained is a little bit terrifying:
- Social security numbers
- Dates of birth
- Disputed charge info
- Credit card numbers and info
This event represents the largest and most potentially impactful cybersecurity incident the United States has ever seen. Hackers exploited a vulnerability on Equifax’s web-based servers (likely the same online servers that provide online credit reports) to gain access to the vital information.
Here’s what Equifax’s press release contained:
“Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.”
Other Security Vulnerabilities
Unfortunately, this incident indicates that the other two major credit bureaus, TransUnion and Experian, could potentially be breached — or perhaps have been breached already. What’s even more concerning is that security experts believe the exploits being used today are simply slightly more sophisticated versions of exploits in existence since the early days of the internet.
Chief security researcher Alex Heid, who works for SecurityScorecard, agrees. In an interview, he explained it by drawing parallels between the future and the past.
“As surprising as it seems, the same web application vulnerabilities from decades ago are still some of the primary vectors that are leveraged by hackers in modern attack scenarios,” he said. “…it seems that the underlying legacy codebase that handled the [Equifax] web application was vulnerable enough for an attacker to exploit.”
For those of you who aren’t particularly technically inclined, “legacy” as it is used here simply means “old method” or “outdated.”
Advantages for Hackers
So what’s the advantage? The most obvious benefit for hackers is easy access to information that allows them to commit identity theft. This could be as simple as creating utility accounts with stolen credit cards or as complex as money laundering schemes that set up online gaming accounts with stolen financial info, make huge purchases, and then resell them for thousands of dollars at a profit. A would-be thief could even totally forge false identity information with just a social security number, date of birth, and basic identification info, allowing them to take out loans, seek employment, commit crimes, or enroll in health programs while remaining largely untraceable.
Big Money for Crooks
Other cybersecurity and financial health specialists see it as a boon for hackers because they can directly sell social security numbers online. Dark Web black markets contain a plethora of databases with information just like this, where they’re sold for sometimes as little as a few dollars. That doesn’t seem like much until you consider the population of the United States sits at around 323.1 million. At just $5 per SSN, that’s $1,615,000,000 going into the hands of organized crime.
An Inside Job?
Was the breach an inside job? New information released just this morning points to what may be coincidental — but experts just aren’t sure yet. It turns out three major Equifax managers sold shares in the company just a short time before the bureau announced the breach.
Although Equifax claims none of the managers knew of the breach, and that the sales were simply a coincidence, many are questioning the strange timing. The bureau discovered the breach on July 29. All three managers sold shares on August 1.
Cahill Gordon & Reindel LLP law firm’s senior counsel, Bart Friedman, commented on the spurious connection.
“I don’t know how the board will allow these executives to continue in their positions. Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”
Protect Your Credit and Finances
Whether or not you interact with a credit bureau regularly, either through credit monitoring or yearly credit reports, chances are hackers accessed your information, too. Your safest bet is to register a complaint and request a note on your file through all three major credit bureaus.
Equifax created a website allowing Americans to check if their information was accessed, and if it was, to register for free credit monitoring. However, site users report sketchy interactions and questions — broken captchas, the site requesting full social security numbers, automatic enrollment in a credit monitoring program without permission, and in at least one case, a big, red “deceptive site” warning from Google when coming in from search. Until these issues are resolved, we cannot with good conscience recommend utilizing the site to check or protect your information.
You can, however, check your credit score and recent credit requests for unusual access or information. If you haven’t already, now is also probably a good time to invest in identity fraud protection or speak with your financial institutions to learn what they do to protect your data and finances.