Equifax, one of the three largest credit agencies in the U.S., has been targeted by cybercriminals before, but a breach that was revealed on September 7, 2017, is being called “as bad as it gets” by privacy experts. With 143 million consumers possibly affected, it’s not the largest breach ever, but it is one of the worst based on the sensitivity of data that may have been stolen.
**Update: it’s now being reported that Equifax suffered another major breach, first reported by Bloomberg, in March. However, Equifax has stated that the earlier breach was unrelated to the September 7 publicly announced breach.
**Update: The latest reports (October 2, 2017) have indicated that the total consumers impacted is 145.5 million.
**Update: A CBS News article published on October 12, 2017, stated that “Hackers reportedly altered Equifax’s credit report assistance page that would send users malicious software pretending to be Adobe Flash. Although it took the affected page offline just to be cautious, Equifax said Thursday afternoon that its systems were not compromised and that the problem did not affect the portal the company has set up for consumer disputes stemming from the earlier breach.”
**Update: USA Today reports on March 1, 2018, that Equifax has indicated that an additional 2.4 million people were affected by its massive 2017 data breach, the second time it has revised up estimates of the number of Americans whose information was stolen. According to the article, “The company said hackers stole partial driver’s license information from this latest group of victims. The news brings the total number of Americans affected by the breach, which occurred between May and July, to about 148 million.”
**Update: On July 22, 2019, Equifax has reportedly agreed to pay up to $700 million in a settlement deal with the Federal Trade Commission (FTC), related to lawsuits resulting from the 2017 Equifax data breach that impacted about 148 million Americans, providing up to $425 million to help affected consumers. The FTC site tracking the data breach settlement says the claims process will begin once the court has approved the settlement agreement.
**Update: Consumer claims are being accepted as of July 25, 2019, in the Equifax Data Breach Settlement. Impacted consumers can submit claims at the official Equifax Data Breach Settlement Administrator site through January 22, 2020.
**Update (August 8, 2019): The FTC is warning consumers to be aware of fake Equifax Data Breach Settlement sites, which are attempting to fraudulently collect personal information or are charging fees for assistance in filing a claim. The claims process is free, and consumers should only file claims through the official Equifax Data Breach Settlement Administrator site.
**Update (February 10, 2020): The U.S. Department of Justice announced that they have charged four Chinese military hackers with breaking into Equifax’s networks and stealing the personal information of about half the U.S. population in the 2017 Equifax data breach.
Equifax Data Breach Timeline
On July 29, 2017, Equifax says it discovered some type of unauthorized access had occurred. At that point, it hired an outside forensics firm to conduct an investigation. That investigation found that hackers had gained access to the company’s system from mid-May to July by exploiting a weak point in website software; certain files were stolen, but Equifax did not provide additional detail about those files.
Sensitive consumer information that may have been compromised has been said to include:
- Social Security numbers
- Driver’s license numbers
- Full names
- Birth dates
- Credit card numbers for 209,000 consumers
- Documents with personal information used in disputes for 182,000 people
**Update: PC Magazine has reported that in a statement they received from Equifax, “Spokeswoman Meredith Griffanti said the company ‘manually reviewed’ the photos stolen from its dispute portal and ‘found 3,200 images of passports or passport cards.'”
**Update: On May 7th, 2018, Equifax detailed the precise breakdown of personal information compromised.
**Update: It has been since reported, by USA TODAY, that hackers took advantage of a security vulnerability, “two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn’t update its software successfully when the danger became known.” There have also been a number of reports that Equifax’s (now former) chief security officer studied music composition in college and had no security degree.
**Update: On Tuesday, September 26, 2017, the media broke the news that Equifax’s CEO, Richard Smith, who also served as chairman of the Equifax board, has stepped down.
**Update: On Tuesday, October 10, 2017, the Wall Street Journal reported that driver’s license data for more than 10 million Americans was also compromised, along with a file containing 15.2 million U.K. consumer records affected.
Equifax Data Breach Victims
With Social Security numbers and other sensitive information, the criminals that broke into Equifax’s systems can cause trouble for consumers in many ways for years to come. Address changes and credit cards can be canceled, but Social Security numbers are the Holy Grail of identity theft for a reason—they’re connected to a person forever.
Equifax said it is working to alert customers via mail who were affected by the breach. In the meantime, it is directing consumers to a website, www.equifaxsecurity2017.com, to see if they may have been impacted by the breach. At the time of this blog being published, there were complaints that the website wasn’t working properly and wasn’t telling consumers if they were impacted.
**Update: The Equifax page directs you to then sign up with their own credit product, TrustedID. Since Equifax owns TrustedID, they are essentially asking you to share your personal information with the same company that breached it. Additionally, the package they are offering is significantly limited and only focused on credit – it does not address or protect you from the huge fallout of having a compromised identity. Credit fraud makes up 28% of identity theft risk – if all you do are credit freezes, you haven’t addressed the other 72% of identity theft that can happen.
How to Protect Yourself and Your Family Against Identity Theft
At IdentityForce, the best advice we can continue to provide is to stay vigilant. Because the Equifax breach allegedly happened at the end of July, it’s been more than 6 weeks since identity thieves may have received access to Personally Identifiable Information (PII). We recommend that Americans everywhere continue to be mindful of the information you are giving out.
Here are some additional steps you can take today in light of the Equifax data breach:
6 Tips for Potential Equifax Data Breach Victims
- Request A Free Copy Of Your Annual Credit Report: Take great care to review your credit reports. If you find inaccurate information, contact the companies listed on the credit report(s) directly. You can also contact the Identity Theft Resource Center, a non-profit, at (888) 400-5530 to assist you, and/or subscribe to an identity and credit monitoring service to alert you when your personal information is used, as credit monitoring alone is not enough.
- If You Confirm That You’re A Victim Of Identity Theft, Create An Identity Theft Report With The Federal Trade Commission (FTC): Expect law enforcement to request a copy of this report when you contact them.
- Consider Placing An Extended Fraud Alert Or Security Freeze On Your Credit: Creditors will still have access to your credit file, even though you’ve placed a 7-year extended fraud alert, but must first contact you to verify your identity before extending credit. A credit freeze generally prevents creditors from accessing your credit file. To request one, you must call each credit bureau directly. Laws vary by state and you can learn more about specific state regulations related to a credit freeze.
- File Your Tax Returns As Soon As You Can: Filing an early tax return protects you from identity thieves who could file and collect your tax refund before you do. You can also request a Personal Identification Number (PIN) in order to submit your tax return. In the case of the Equifax data breach, it especially pertinent to stay on top of this to allow time to remediate any issues.
- Contact The Social Security Administration: Request a copy of your wage earnings report to verify that your social security number is not being used fraudulently, which could result in your owing taxes for wages earned by someone who’s stolen your information.
- Contact Your Health Insurance Carrier: Request a copy of your health insurance statement in order to identify any fraudulent medical claims.
30 DAY FREE TRIAL | Award-winning Identity Theft Protection
Don’t wait to get the best identity theft protection. IdentityForce’s award-winning identity theft protection services go beyond credit monitoring, protecting your personal information from potential data breaches, alerts you when your sensitive information appears on the Dark Web, and much more. Sign up today to get IdentityForce UltraSecure, plus your first 30 days are FREE.