(I originally posted this on Sept. 8, 2017. Here is an update from a week later.)
Here are a few articles about the Equifax data breach, first reported Sept. 7, 2017.
- A New York Times article, here.
- A nice Krebs on Security writeup, here.
- SC Magazine posted a piece, here.
- And a ZDnet article, here.
It’s all over the news. Lots of noise so far, little information. Here is a bulleted summary of what we know to date.
- Attackers penetrated Equifax in May 2017 and gained access to data about 143 million people.
- Somebody discovered it on July 29, 2017. Apparently, the attackers took advantage of a web site flaw. As of Sept. 8, 2017, that’s all the tech details we know.
- A few Equifax execs sold a bunch of stock around Aug. 1, 2017. Equifax PR people say the execs had no knowledge of the data breach. Uh-huh.
- Equifax hired Mandiant, a respected IT forensics firm, to investigate.
- Equifax set up a website, https://www.equifaxsecurity2017.com, for anyone to look up whether they might be affected. Feed it a last name and the last six social security number digits. Note the irony of feeding a social security number to a website for a company that just reported somebody exploited a web site flaw to steal 143 million social security numbers from another company website.
- Equifax told the world about the intrusion on Sept. 7, 2017.
This latest Equifax breach is a big deal, but the ugly truth is, after years of data breaches, our personal information is already up for sale. And it’s not the first Equifax breach. Quoting the Krebs on Security article I linked above:
This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.
And Equifax is not the first credit reporting agency to lose our personal information. Take a look at a tangled story about how Equifax competitor Experian became an unwitting partner in an identity theft ring in the Krebs on Security post right here. Here’s another article.
You read that word correctly. I really did say partner. Experian unwittingly partnered with an identity theft ring from Vietnam a few years ago after buying a company named Court Ventures back in 2012.
Wonderful – we can’t trust the credit reporting agencies everyone uses to assess our trustworthiness. Now what? The most workable solution I’ve found is setting up a credit freeze. Which means paying money to these same credit reporting agencies to set it up and trusting they’ll do their jobs.
Here is a link to another Krebs on Security post with details. Here is a link to the US Federal Trade Commission page about credit freezes. And one more link to a Consumer Reports page about credit freezes, here.
The idea is, pay a fee to each credit reporting agency to flag your record with a freeze notification. Anyone who wants to open an account in your name will theoretically check with one of these agencies and deny it, since it’s flagged as frozen. But this is a hassle because if you want to borrow money for, say, a mortgage or a car, you have to spend money to unfreeze your credit with the relevant agency, and then spend more money to freeze it again. Not a bad gig if you’re a credit reporting agency. A hassle if you’re a consumer, but it might save you from an identity thief.
Also, be on the lookout for emails claiming to come from Equifax with “click here” links claiming to set you up for free credit monitoring for a year. As of this writing, I know of no such emails, but it’s inevitable some senior manager at Equifax who doesn’t know better will want to send one. It’s part of the typical pattern. Check your email header to make sure any email claiming to come from Equifax really does come from Equifax, and make sure the “click here” link really does point where it claims to point. See my post about How to Spot a Phishy email for more.
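One way to automate the two checks described above, as an added example that is not part of the original post: it takes a raw message and reports when no SPF or DKIM pass lines up with the claimed sender domain, and when a link goes to a host outside that domain. The sample message, the example.net and example.org hosts, the helper names, and the default claimed domain of equifax.com are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample, not a real message; example.net and example.org are placeholders.
SAMPLE = '''From: "Equifax Support" <support@equifax.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Enroll: <a href="http://equifax.example.net/enroll">https://www.equifax.com/enroll</a></p>
<p><a href="https://www.equifax.com/help">Help center</a></p>
'''

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def audit(raw, claimed="equifax.com"):
    msg, findings = message_from_string(raw), []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(from_dom, claimed):
        findings.append(f"From domain is {from_dom}")
    auth = msg.get("Authentication-Results", "")
    ok = re.findall(r"(?:dkim=pass\b[^;]*?header\.d=|spf=pass\b[^;]*?smtp\.mailfrom=)(?:[^\s;@]*@)?([\w.-]+)", auth)
    if not any(in_domain(d, claimed) for d in ok):
        findings.append(f"no SPF/DKIM pass for {claimed}")
    parser = Links()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not in_domain(host, claimed):
            findings.append(f"link shown as '{text}' goes to {host}")
    return findings
```

The sample's From line names equifax.com, so the header check alone would pass; the findings come from the authentication result and the first link. An Authentication-Results header is only meaningful when your own mail provider added it, since a sender can insert a forged one.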
I’ll update this post as new information becomes available.
Finally, keep an eye on my dgregscott.com website for resources. I have a bunch of mini-seminars and blog posts with how-to information, and you’re welcome to all of it, no strings attached. And if you like what I put together, I’d appreciate it if you would consider buying a copy of one of my books. Here is a link for more book information.