On the cyber frontier, more than 143 million Americans were just hit by a digital disaster, this one in the form of a successful hack against Equifax.
Equifax is one of three credit reporting agencies, Experian and TransUnion being the others. They provide credit information for 820 million consumers and 91 million businesses. The damage which can be done to you as a result of a hack like this is bad, and when your identify is stolen, it can be hard to bounce back.
Why did Equifax have my information?
At Equifax, you’re their product. You didn’t sign up to be a member of their database, and you can’t opt out of their systems (unless you want to stop using credit). They have gathered information on you via the reporting delivered by organizations that provide you with credit and want to understand financial risk. Places that provide you with mortgages, car loans, utilities, etc., and report back on how well you are performing your financial obligations.
Equifax deals in you.
You’re the merchandise. They want to gather as much information possible to determine your creditworthiness. As such, the type of information held in their databases spells trouble in a hack like this. Unlike other large attacks, changing your password isn’t going to work. How could you? You never had an account to start with.
So what was taken?
As many as 143 million records of personal information on Americans, including 209,000 credit card numbers, and 182,000 other kinds of documents containing personal identifying information such as driver’s license info. Equifax waited six weeks to announce this attack (discovered July 29, 2017). They estimate that unauthorized access occurred from mid-May through July 2017. Ignoring the questionable and ethical activities leadership appeared to take during this time, six weeks is an eternity in the online world.
Why would someone want this information?
Identity fraud is big business. Cyber actors can use the information for nefarious self-gain, or sell the information to others who are more than willing to leverage illegal acts for a hefty return on investment. It is also a trove of information for foreign intelligence agencies.
How can this information be used?
Once your information is out there, and depending how it’s being sold and used, it allows people to impersonate you. They can create fake bank accounts, loans, request credit in your name… the list goes on.
How did they hack?
Equifax is saying that a flaw in the popular Apache-STRUTS web software was to blame. While we await more details, including what specific vulnerability was exploited, this poses a number of questions:
▪ Did their software have all the latest patches applied?
▪ Was this a zero-day attack (whereby a vulnerability was exploited that had not had time to be patched, leaving zero days to respond)?
▪ What layers of security did they have in place?
▪ How do they know that *only* this amount of information was accessed? Given the amount of time the hackers appeared to have access, it’s possible they could have taken everything.
What are my options?
To be frank… the options aren’t great. In our current system, it’s next to impossible to recover if this happens to you. It’s a depressingly naive system. Your best defense is to keep an eye out for attempts to gain credit in your name.
It’s not pleasant to think about, but we are the losers in this. Equifax, while its reputation will take a hit, will recover. We, however, continue to have information on our identities, financials, health, backgrounds (including classified data and fingerprints) possibly being passed around with no recourse.
The best you can do is join the game of “privacy whack-a-mole,” as you attempt to stop each fraudulent attempt while watching for a new one pop up using the same information elsewhere. If you haven’t already, here are some first steps you may want to consider:
A credit freeze. It will lock your information so only the organizations currently accessing your credit information are allowed to continue accessing it (mortgage, credit card, loan companies). You can do this at Equifax here, and also at Experian (here) and TransUnion (here). Once frozen, any time you or anyone else tries to check your credit and open a new line of credit, you will need to provide them with a PIN number and an amount of time to temporarily thaw your credit report, or provide them with the name of the company that should be given access to your report. If you do this, you should do it for all the credit bureaus, as it doesn’t make sense to do it for just one.
You are entitled to one free annual credit report from each of the major reporting agencies. You can request this information at annualcreditreport.com. Consider requesting one from each of the three companies every four months for best coverage.
Equifax is offering one free year of credit monitoring. Initially, they elected to go with the head-scratching approach of limiting your legal options as a result of this hack. But under pressure, they updated their policy to include “monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.” So, while it may seem strange, it is probably worth doing.
Were you impacted by this hack?
Unfortunately, it’s incredibly likely. You can search [link since taken down by Equifax] to see if you may have been. Their site requires that you enter your last name and then the last six digits of your social security number.
Would stricter government regulations help prevent data breaches?
Regulations could help raise awareness of the situation, especially at the board level, and resulting pressure may help organizations take the reasonable steps necessary to demonstrate the security of their customers data.
However, it doesn’t matter how much regulation is enforced. Cybercrime moves faster than regulation, and cyber criminals, especially those well prepared and funded, will gain access to their target.
Is there anything that would help prevent these hacks?
We believe that AI is the answer to detecting events such as this, by learning and observing threats on the network and raising them for human review and intervention immediately. With machine-learning solutions, cyberattacks can be caught in real time, making it impossible for hackers to access systems and remain undetected for extended periods of time.
Until organizations employ these types of cyber defense solutions, data will remain vulnerable. In this case, all there is to do now is take the steps recommended above and pay attention.