Published by Janet Gershen-Siegel on September 11th, 2017
On Thursday, September 7, 2017, the Associated Press reported that there had been a data breach at Equifax, which is one of the big three credit reporting bureaus. A somewhat vague initial report gave way to more detail on Friday the eighth. Here are the details of the 2017 Equifax data breach.
Even in 2019 (when I updated this blog post), the fallout was continuing. It did not help when the company missed numerous opportunities from the start.
AP describes the attack on Equifax as a “high-tech heist”. Some 143 million Americans’ data was a part of the breach. This exposed sensitive information such as Social Security numbers. The breach evidently came through an exploit in a website application.
Exposure meant the hackers had access to files between the middle of May and July of 2017. Apparently Equifax caught the breach on July the 29th but the company waited until September 7 to publicly announce it. There is no information on why there was such a delay, particularly considering the gravity of the situation.
Equifax’s stock dropped 13%, to $124.10 in extended trading subsequent to the company announcing the breach. However, perhaps anticipating the downturn, three Equifax executives seem to have protected themselves by selling shares with a combined value of $1.8 million on August 1 and 2, a mere few days after the July 29 discovery of the breach, per documents that were filed with securities regulators.
However, the company says the executives did not know about the breach when they made their trades. These executives are Chief Financial Officer John Gamble; Joseph Loughran, Equifax’s president of United States information solutions; and Rodolfo Ploder, Equifax’s president of workforce solutions.
It remains to be seen whether such a move will be seen as insider trading, a legal matter which, under federal law, can fetch treble damages. Insider trading is taken so seriously because it undermines consumer confidence in the fairness and accuracy of markets such as the Dow and NASDAQ. The question of whether the CFO of Equifax, a person charged with knowing about probably every possible crisis involving the company, did not know about the breach, may very well be settled in federal court.
The stolen data includes:
In some instances, this also includes driver’s license numbers.
Along with the personal information taken in its breach, Equifax reported the credit card numbers for approximately 209,000 American consumers were also taken. Plus “certain dispute documents” were stolen, which contained personal information for about 182,000 United States citizens.
Furthermore, the company warned that hackers could potentially also have some “limited personal information” regarding Canadian and British residents. The company does not believe any consumers from other countries were affected. Also, the company does not believe its core reporting databases were compromised.
The biggest risk consumers face with regard to the breach is the very real threat of identity theft. Identity theft is an enormous problem in our world today. It can wreak havoc on your personal and business credit scores and your overall reputation in the community.
Given that the thieves have full names and addresses, plus birth dates and Social Security numbers, it is possible for them to open up new charge card accounts and bank accounts, and even fill out W-2 forms in your name, thereby having the IRS unwittingly send the tax bill to you for work that they did (and even work they may have otherwise done legitimately).
Plus you know there’s just got to be a market for this sort of extensive and complete information, for anything from voter fraud to even diverting packages and mail you ordered online or elsewhere.
Equifax realizes this is a big breach – AP believes it’s the largest data breach in history involving Social Security numbers. However, it’s not the largest data breach in history, as that questionable prize belongs to Yahoo. That company was the target in a pair of digital burglaries in 2015 and 2016 which resulted in the compromising of over 1 billion accounts.
Equifax’s CEO, Richard Smith, has apologized for the incident, calling it “a disappointing event for our company”, a phrase which seems a lot like it could be the understatement of the year.
The company also took some proactive steps. They established a website, https://www.equifaxsecurity2017.com/, where consumers could look up if their personal data could have been a part of the breach. Consumers can also telephone toll-free (866) 447-7559 for additional information. Rival Experian is also offering a free credit monitoring service to all American consumers for one year.
These steps ended up being a gateway to one disaster after another. The company did not handle the Equifax data breach well at all.
On October 12, 2017, Ars Technica reported that there were redirects on the site, which led to spammy sites (e.g. “You just won an iPhone!”) or to a download of Adobe which was anything but. Instead, the downloads were malicious and were detected as being malware by Symantec (they are the Norton people), Panda, and Webroot. Malwarebytes, Avira, and Eset also showed red flags, although for a different stage in the process.
After the recent debacle with the massive July 2017 data breach which was not reported until September, consumers should be cautious about their information online and their credit reports in particular. And not just with Equifax! Dun & Bradstreet, Experian, and TransUnion could potentially have future issues.
Recently, I provided instructions for how to set up a credit freeze due to the breach. Here are some additional steps you can take to protect yourself and your credit.
They took the page down as soon as possible, according to the BBC. Such a rapid response contrasts with the delays which accompanied the July breach. So kudos to Equifax for at least getting that much right.
Yet it begs the question. If Equifax management could move as quickly as it did to jettison that page, then why didn’t they get a move on it when the actual breach occurred?
You should take a breach of this size very seriously. One way you can help to protect yourself is to keep private information offline as much as possible. Hence you might want to edit some of your profiles, particularly on major social media sites such as Facebook and Twitter.
Also, be sure to contact your banks, creditors, and any place which sends you bills (such as the cable company) and make certain they have your correct address. You may need to do this more than once – filling out a change of address form or card is standard operating procedure for identity thieves. They do this so they can get away with using your identity for as long as possible. If you stop getting your bills, contact those providers ASAP.
Another thing you can do is use a credit monitoring service. These services can be costly, so do whatever you can on your own before investing in one. These services can come with fraud alerts. However, you can do this yourself if you believe your information has been compromised. This is also true for credit freezes.
However, if you are too busy to monitor your own identity closely, and you have the means to pay for such a service, this can be worth it. Because Equifax is only offering free credit monitoring for one year, you may need to consider a paid option in 12 months.
In addition, do two things:
On February 10, 2020, the Boston Globe reported that Attorney General William Barr and the United States Justice Department were charging four members of China’s military on suspicion of the 2017 hack into Equifax. The Attorney General noted there have been any number of data thefts by the Chinese military in recent years. These thefts have been of sensitive information such as identifying American intelligence officers. One use of Equifax’s financial data could be to find out if any intelligence officers have money issues – and would thereby be subject to bribery or blackmail. Stay tuned as we continue to follow this story.
We will be watching the Equifax Data Breach story closely as it affects personal credit and that can often mean it affects business credit as well.