September 26

“Based on the information provided, we believe that your personal information may have been impacted by this incident.”

Sound familiar? You and 143 million other people in the United States, the UK, and Canada. That’s right – Americans weren’t the only ones affected by the massive Equifax data breach.

This vague declaration is automatically generated on a branded Equifax page when you click the “Am I impacted?” button. The problem is the language: “may have been” is not a clear yes or no. Equifax cannot definitively pinpoint who will be affected, or when. And the worst part is, the fallout from the Equifax breach is only just beginning.

Equifax: Zero Credit for Poor Handling of Massive Data Breach

Credit where credit is due, right? As one-third of the credit bureau trio (Equifax, Experian, and TransUnion), Equifax’s failure is one of epic proportions. In trying to deflect blame and keep its reputation intact, the company completely mishandled the data breach.

It’s been quite a year for data breaches (many a result of escalating and evolving ransomware), but this situation was largely precipitated by Equifax’s negligence. Companies who feel they are taking extensive preventative measures can always do more. Being on the defense is not the same as mounting an offense.

What happened?

Equifax discovered the breach on July 29. In the bureau’s defense, they did act immediately. The criminal data breach exposed sensitive personal data for more than 143 million consumers. Sensitive data includes: names, addresses, Social Security numbers, dates of birth, and driver’s license numbers. In addition, the hackers stole “credit card data for 209,000 consumers and credit dispute information for 182,000 consumers.”

How did this happen?

Equifax blamed the breach on Apache Struts, its open-source software provider, pointing to a web server vulnerability. Bristling at the accusation, Apache defended its software, noting that since the breach had already been detected, there would have been a patch available for the corresponding vulnerability. So, the only way this could hold true is if: “the attacks either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time[,] called a Zero Day Exploit.” In truth, it’s unclear whether the server vulnerability played a role.

It has also come to light that Equifax’s Argentina database, which lacked a secure and complex password, could have been the point of entry. The database was protected with a common—and very insecure—user name and password: admin. For a company that houses consumer data for approximately 820 million people, they disregarded best practices for secure passwords and, as a result, may have sabotaged their own cybersecurity defenses. In fact, the password “admin” was ranked 15th on SplashData’s annual “Worst Passwords List”, alongside the likes of “123456”, “password”, and “football”.

Private cybersecurity firms as well as law firms are investigating both the cause of the breach and whether or not Equifax violated any securities laws.

How did Equifax mishandle the situation?

  1. While Equifax did react right away, they didn’t inform the public until more than a week after the initial red flag. And when Equifax did admit the mistake, they tried to point fingers at Apache (noted above).
  2. Equifax immediately set up a website specifically pertaining to the “cybersecurity incident”, how they were handling it, as well as how consumers could take action. However, the website originally generated the same vague response, no matter what was plugged into the form—even gibberish. This has since been fixed, but consumers don’t receive a definitive answer.
  3. Further, the website was used to promote TrustID, a credit monitoring service that is now being offered to consumers, free for one year. Sounds great, right? Initially, there was some confusing language in the fine print when signing up for the service which seemed to indicate that enrolling in TrustID waived a consumer’s right to sue Equifax. Further, the TrustID subscription would eventually auto-renew, allowing Equifax to make a future profit off its mistake.

What is Equifax doing to remedy the situation?

Confronted by major backlash, Equifax has made an about-face.

Equifax has since taken accountability for the breach and outlined its contingency plan going forward in the form of multiple Progress Updates for Consumers, concrete facts regarding the incident, and internal personnel changes. There’s a dedicated customer support call center open every day. There is even a video from Equifax’s CEO, Rick Smith, directly addressing consumers and taking full responsibility for the outcome.

Equifax has removed and clarified all questionable language. Yes, consumers can still take legal action in the instance of identity theft. No, Equifax will not be auto-renewing TrustID subscriptions. Equifax is committed to raising their cybersecurity score.

How did Equifax get my information?

Millions of people are wondering how Equifax exposed their sensitive information when they never consented to give Equifax the information in the first place. Equifax is one of the “Big Three” credit reporting bureaus. The businesses operate by pulling information from banks and other financial institutions and amass a fully comprehensive financial profile of an individual. Consumers cannot opt out of this. In fact, there are many other companies that track and collect personal information without consent.

What can I do to protect myself?

Unfortunately, you can’t always control who collects your personal information. Fortunately, you can take precautions to protect your own data and minimize the impact of a future breach or identity theft.

1. Fortify your passwords according to best practices. If you haven’t changed your passwords recently, do so now.

2. If you can, pull your annual free credit reports from the Big Three bureaus. Double-check the information is correct and keep monitoring your accounts for suspicious activity.

3. Implement a credit freeze (currently free from Equifax). No one will be able to open a new account in your name without identification.

4. Utilize two-factor authentication when available. It’s an extra layer of account security in which the user must provide information that only he or she has (for example, security questions or a fingerprint scan).

5. File your taxes early to avoid duplicate and fraudulent filings. In addition, you can lower your withholding. You’ll pocket more of your paycheck and have a smaller annual tax return if a crook does get ahold of your funds.

And above all, be vigilant!

Category: helpful hints, data loss prevention

