They say the Equifax data breach may be the largest security breach to date. The July hack exposed the personal information of 143 million Americans. And, in spite of disrupting the business news feed last week, the breach was not the first one to hit Equifax. According to a Bloomberg report on September 18, there was also a breach of Equifax data files in March. Equifax says the two breaches are not related and that they informed customers of the March breach, apparently with little fanfare. Nevertheless, the fact that one of the largest and oldest credit reporting agencies suffered two data breaches within six months has caught the attention of more than the press. Government lawmakers and regulators are contemplating sanctions, increased regulations and possibly lawsuits.
How did the Equifax Data Breach Happen?
Hackers took advantage of a flaw in a web building application tool used by Equifax to run its online dispute portal. The tool—Apache Struts—is used by many government agencies and large corporations. Because of the flaw in the platform, when Equifax customers logged onto the online dispute portal, the door was opened for hackers to take control of the website. Equifax retained Mandiant, a cybersecurity firm to help identify what data had been stolen and the extent of the breach.
What did the Hackers Get?
The cybercriminals responsible for the Equifax data breach stole social security numbers, birthdates, addresses and, to a limited extent, driver’s license numbers. More than half of the consumers in America are impacted. According to Equifax, hackers also gained access to the credit card numbers of roughly 209,000 people and the dispute documents of roughly 82,000 customers, which included significant personal identification. The breach took place from mid-May until the end of July, but the company did not admit to the cyber attack until September 7. Chances are highly likely that your information was stolen.
What do you need to do?
Equifax has added staff to its call centers, to handle the avalanche of concerned and somewhat irate customers. It has also waived the fees you normally would pay to freeze your credit report, but this is only the beginning of what you need to do.
1. Check to see if Your Data was Hacked
Equifax has set up a special site for consumers to confirm if they are among the 143 million impacted by the data breach. Go to their “potential impact” tab on the website and put in your last name and last six digits of your social security number. Be sure to use a secure computer, not one that you share, and an encrypted network connection. Interestingly, the site will only confirm if you are not affected.
The hackers stole information on 143 million consumers. This is a lot of people. They will not use all the information at once. Therefore assuming the information is in the hands of private hackers and not a government agency, it could be years before your information is used, if at all. Probably the most troubling aspect of the breach is the stolen social security numbers. These numbers do not change and are a very valuable commodity on the black market. The stolen social security numbers can be in play for quite some time.
2. Review Your Credit Reports
Take the free credit report offered now by Equifax to see if there has already been activity on your accounts. However, one check of your credit report is not going to be sufficient. The nature of the Equifax data breach requires that you check throughout the coming year, at least. Apply for the free report available from the other reporting agencies and stagger your requests so that you receive one each quarter. Scrutinize the details carefully and immediately report any signs of fraudulent activity. For instance, data security experts say that the most common next step for the hackers is to open accounts in your name, using the personal data they have stolen. Look out for any credit card or loan applications for which you did not apply.
3. Freeze Your Credit Report
Take advantage of the Equifax free credit report freeze. This will prevent the hackers from opening any loans or credit accounts in your name. However, this freeze impacts you too. If you find yourself ready to apply for a loan, for instance, you will need to unfreeze your credit report a few days in advance.
If you are hesitant about freezing your ability to be spontaneous, you can initiate a fraud-alert program. This free service requires lenders to take additional measures to confirm your identity before processing your application. The fraud-alert can only be activated for 90 days at a time. Considering the potential length of time that the cyber thieves might be in possession of your personal data, you will need to renew the program every 90 days to be fully protected.
If it has been confirmed that you are a victim of the Equifax data breach, then you are entitled to a free, 7-year fraud-alert program, as well as two credit reports within 12 months from each of the reporting agencies.
4. Examine all Credit Card, Loan, and Bank Account Activities
If you have not been a stickler about tracking your credit card charges and bank activity you might want to become one now. At least for the next half year, you should scrutinize your bank statements for any fraudulent activity and examine your credit card statements for any charges you do not recognize.
Sign up for monitoring services, such as CreditKarma.com, which is free, or paid services such as Identity Guard and LifeLock. The latter will monitor activity on all three credit reporting agencies and alert you to any suspicious activity.
5. File your Taxes Early
Hackers will file fraudulent returns in hopes of obtaining refunds from the government in your name. As soon as you have everything organized, file your returns.