Compromising the names, birthdates and Social Security numbers of 143 million Americans is pretty bad. In fact, it’s hard to imagine how a data breach could be worse unless you were to simply increase that number.
But our lack of imagination doesn’t mean the breach isn’t FAR worse than it sounds. When you start to look at the potential consequences of such a breach, it becomes difficult to convey just how bad it could be.
Equifax, for its part, isn’t helping.
First, it appears, Equifax’s IS team failed to apply a security patch to Apache Struts, despite the patch being available 2 months prior to the breach. This, rightfully, led to the dismissal of the company’s CIO and CSO and now the resignation of CEO Richard Smith.
Once discovered, Equifax waited six weeks to disclose the breach.
Next, Equifax set up a website with a clunky URL, Equifaxsecurity2017.com, instead of something harder to confuse or mimic like, oh, I don’t know – equifax.com/breach or breach.equifax.com – which would have helped Equifax avoid their next mistake: Equifax’s official Twitter account tweeted links to a phishing website explicitly designed to draw attention to how bad Equifax’s response has been. Luckily this site was run by a fella who wears a white hat.
Once you reach the real Equifax site, you may still be told that it – the real Equifax site – is likely a phishing site because it wasn’t actually registered to Equifax, used flawed security and ran on WordPress – a fine platform, but not adequate for enterprise-level security needs.
I would call this “amateur hour” but that would be insulting to amateurs everywhere.
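The point about equifax.com/breach or breach.equifax.com can be made mechanical: a link under the company's existing domain passes a simple host check, while a freshly registered standalone domain cannot be told apart from a lookalike. The sketch below is an added example, not from the original post; `TRUSTED_DOMAIN`, the function names, the HTTPS requirement and the `.example` sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one domain readers already know is official.
TRUSTED_DOMAIN = "equifax.com"

def is_official_link(url, trusted=TRUSTED_DOMAIN):
    """True only if the link is HTTPS and its host is `trusted` or a subdomain of it."""
    # Browsers treat "\" like "/", so a backslash can make this parser and the
    # browser disagree about which host the link reaches. Reject it outright.
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, port removed
    except ValueError:         # malformed netloc
        return False
    if parts.scheme != "https" or not host:
        return False
    # "https://equifax.com@other.example/" puts the trusted name in the userinfo
    # field, not the host. Refuse any link that carries userinfo.
    if "@" in parts.netloc:
        return False
    host = host.rstrip(".")
    # Match on a label boundary: "notequifax.com" and
    # "equifax.com.other.example" must both fail.
    return host == trusted or host.endswith("." + trusted)

# Constructed sample links (the .example hosts are placeholders, not real sites).
SAMPLE_LINKS = [
    "https://breach.equifax.com/",
    "https://equifax.com/breach",
    "https://www.equifaxsecurity2017.com/",
    "https://equifax.com.breach-help.example/",
    "https://equifax.com@breach-help.example/",
    "https://breach-help.example\\@equifax.com/",
    "http://breach.equifax.com/",
    "https://notequifax.com/",
]

def classify(links):
    """Map each link to whether it passes the official-domain check."""
    return {link: is_official_link(link) for link in links}

if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print("official  " if ok else "unverified", link)
```

The standalone breach site comes out as "unverified" even though it was the real one, which is exactly the problem: nothing in the name ties it to the company.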
Let’s jump forward and just assume you’re one of the half of all American adults potentially impacted by this breach. What is Equifax offering? A 1-year subscription to Equifax’s own ID theft protection product. Because who better to protect your identity than the folks who compromised it in the first place?
Now, maybe you’re saying “let’s give them credit, at least they are trying to help by giving everyone 1 year of protection,” which sounds reasonable until you take into consideration the fact that the compromised data doesn’t have a 1-year expiration date. In fact, it’s likely that *most* people whose data was actually compromised won’t feel any impact until well after that complimentary year has expired.
Why? Because we’re talking about 143 million identities (ignoring the potentially 40 million more in the UK and Canada) to potentially exploit, which means that to hit every target in 1 year, the criminals would have to go through 391,781 identities PER DAY, every day, for a year straight.
So, 1 year of protection is woefully inadequate. A lifetime subscription to the service, while MUCH better, may still be insufficient because it may be several years before we have an assessment of the true fallout.
What does all this mean for you? Well, it’s hard to say. Obviously the best-case scenario is that you’re never impacted and your credit is as good or bad as it should be. Worst case: you spend years fighting back against accounts opened by folks who aren’t you. You may even have to deal with tax issues due to fraudulent tax filings in your name. This happens to be one of those situations where having little to no credit history may put you at a huge advantage.
What should you do?
The first thing you should do is, despite my mocking above, use Equifax’s dedicated site www.equifaxsecurity2017.com and see if you’ve been impacted.
If it says they don’t believe you were compromised, wait a week and check again. There have been numerous reports of people checking multiple times and receiving different responses.
If it says you may have been impacted, you need to completely understand your options.
Take advantage of Equifax’s free ID theft service. Something is better than nothing. The biggest concern folks had with signing up for this service was the legal verbiage that suggested you would waive your rights to be a part of any class action. They have since removed that verbiage and made clear that by using this service, you are not waiving any such rights.
If you’re reluctant to use Equifax to protect you from the bad guys they let in, you can get all of the same services through various companies. It isn’t an all-in-one solution, but it isn’t a 1-year limited solution from a seemingly inept company, either.
Get a copy of your credit report now. This is the most important thing you can do, even if you aren’t at risk. Knowing what is on your credit report is vital to maintaining good credit, and having a record of your current credit report will make it easier to identify unusual activity or fraud at a later date.
The website annualcreditreport.com is the only 100% free way to receive a complete copy of your credit report from all three agencies. Companies like Credit Karma are great for tracking general credit-building success but only provide a composite score.
A rather proactive option is to “freeze” your credit report. Equifax is not charging for the credit freeze service through November 21st. Why Nov 21st? No idea.
A few things to keep in mind if you go this route:
1. A free credit freeze from Equifax ONLY freezes your Equifax account. Freezing your TransUnion and Experian credit reports will still cost money.
2. If you freeze your credit, you’ll need to “thaw” it if you need to run any checks on your credit. So it doesn’t only lock out the bad guys.
3. A freeze will not stop anyone from charging credit lines which are already active.
Another proactive step you can take is setting up fraud alerts with one of the credit reporting agencies (you only need to set it with one). When a fraud alert is set, companies are required to verify your identity prior to opening any new accounts. The downside is that if you want the fraud alert to be ongoing, you’ll have to manually renew it every 90 days.
Once you feel that you’ve taken the necessary steps to safeguard yourself, make sure to check with friends and family who may not understand the breach, its potential consequences, or how to proceed – especially older, less tech-savvy family members who are less likely to be alerted to issues, and more likely to fall victim to scam phone calls, emails, and phishing websites.