On Thursday, September 7, major credit reporting agency Equifax reported that hackers gained access to company data that possibly contained sensitive information including Social Security numbers, birth dates, and driver’s licenses. The breach affects as many 143 million Americans, which is nearly half the country.
According to CNN:
“Unlike other data breaches, not all of the people affected by the Equifax breach may be aware that they're customers of the company. Equifax gets its data from credit card companies, banks, retailers, and lenders who report on the credit activity of individuals to credit reporting agencies, as well as by purchasing public records. Equifax is mailing notices to people whose credit cards or dispute documents were affected.”
It’s believed to be one of the biggest and worst data breaches ever, and if you have a credit report, there’s a higher chance you may be involved.
When exactly did this happen? New York Times reports:
“Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.”
The Times article also reports this isn’t the first cybersecurity attack. Identity thieves retrieved W-2 tax and salary data from an Equifax website last year, and early this year they stole W-2 data from an Equifax subsidiary. Cybersecurity professionals noted that Equifax did not improve its security practices after those initial thefts, and should have used “multiple layers of controls.”
Equifax is mailing notices to those who were affected. You can check to see if your information was impacted here. They are also offering free identity theft protection and credit monitoring services to all consumers, not only victims of the breach, as well as the ability to freeze their Equifax credit Reports. It is important to note, however, that according to their terms and conditions, they aren’t promising to fix your credit.
After drawing much initial outrage where the verbiage of the conditions included waiving a victim’s right to sue when signing up for the TrustedID Premier service, Equifax has since changed the language stating, “the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”
As major website breaches become more frequent, it’s important to take the proper precautions to keep your personal information safe online.
*Updated March 6, 2018
*Updated September 26, 2017: We will be adding what you can do to protect yourself as more information comes out regarding the breach. Be sure to check back as we continue adding information.
What You Can Do to Protect Yourself
If you haven't done so in over a year (or ever), you can view your credit report at annualcreditreport.com. You are entitled to one free credit report from all three credit reporting companies every 12 months.
Experian provides a free dark web email scan. Thieves will resort to the dark web to retrieve personally identifying information, such as social security numbers or passwords.
Pay attention to URLs and hyperlinks sent via email or posted on social media. Equifax's Twitter account accidentally tweeted out a phishing website. You can learn more about the signs of email scams and phishing attacks on our blog here.
Continue to regularly review your bank and credit card statements. Sign up for fraud alerts with your credit card company.
It’s probably worth enrolling in TrustedID Premier, which is a package of identity theft and credit monitoring service services that Equifax is offering for free for one year. If you're wary of using Equifax, you can sign up for alternatives such as Credit Karma, which is free and provides similar services. (UPDATE March 6, 2018: we recommend not signing up for any Equifax services as it's become clear the breach affected more Americans that thought. You're better off using Credit Karma or other similar service).
Your passwords could be stronger. Make them longer, more complex, and never reuse them across multiple sites. If you haven’t changed your passwords in some time, it’s not a bad idea to start now, especially with websites that contain sensitive information such as financial or credit card data. Use a different password for each site. Password managers such as LastPass help create unique passwords for each website and saves the password for each website in a “vault,” which can be accessed by using one master password.
Enable two-factor authentication when offered. Gmail, PayPal, and Amazon are a few examples of websites that provide this additional cybersecurity feature.
Finally, as a bonus, download the extension HTTPS Everywhere for FireFox, Chrome, or Opera browsers. This extension encrypts communications with many websites, which makes your browsing more secure.