September 7, 2017

Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

In addition, the company said it identified unauthorized access to “limited personal information for certain UK and Canadian residents,” and that it would work with regulators in those countries to determine next steps.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement released to the media, along with a video message. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.

Equifax has set up a Web site — https://www.equifaxsecurity2017.com — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.

ANALYSIS

At time of publication, the Trustedid.com site Equifax is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.

As many readers here have shared in the comments already, the site Equifax has available for people to see whether they were impacted by the breach may not actually tell you whether you were affected. When I entered the last six digits of my SSN and my last name, the site threw a “system unavailable” page, asking me to try again later.

equifaxtry

When I tried again later, I received a notice stating my enrollment date for TrustedID Premier is Sept. 13, 2017, but it asked me to return again on or after that date to enroll. The message implied but didn’t say I was impacted.

enrollmentequifax

Maybe Equifax simply isn’t ready to handle everyone in America asking for credit protection all at once, but this could be seen as a ploy by the company assuming that many people simply won’t return again after news of the breach slips off of the front page.

Update, 11:40 p.m. ET: At a reader’s suggestion, I used a made-up last name and the last six digits of my Social Security number: The system returned the same response: Come back on Sept. 13. It’s difficult to tell if the site is just broken or if there is something more sinister going on here.

Also, perhaps because the site is so new and/or because there was a problem with one of the site’s SSL certificates, some browsers may be throwing a cert error when the site tries to load. This is the message that OpenDNS users are seeing right now if they try to visit www.equifaxsecurity2017.com:

opendns-equifax

Original story:

Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.

I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

More information on the difference between credit monitoring and a security freeze (and why consumers should take full advantage of both) can be found in this story.

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time, and then consumers are pitched on purchasing additional protection when their free coverage expires. In the case of this offering, consumers are eligible for the free service for one year.

That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true — if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans.

My take on this: The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

In a statement released this evening, Sen. Mark Warner (D-Va.) called the Equifax breach “profoundly troubling.”

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” said Warner, who heads the bipartisan Senate Cybersecurity Caucus. “It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit– represents a real threat to the economic security of Americans.”

It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).

The company appears to have announced the breach after the close of the stock market on Thursday. Shares of Equifax closed trading on the NSYE at $142.72, up almost one percent over Wednesday’s price.

This is a developing story. Updates will be added as needed.

Further reading:

Are Credit Monitoring Services Really Worth It?

Report: Everyone Should Get a Security Freeze

How I Learned to Stop Worrying and Embrace the Security Freeze

Update: 8:38 p.m. ET: Added description of my experience trying to sign up for Equifax’s credit monitoring offer (it didn’t work and it may be completely broken).


262 thoughts on “Breach at Equifax May Impact 143M Americans

  1. Manifest Irony

    Did anyone hear about the PINs Equifax are issuing to people who request a credit report freeze? Apparently it’s a 10 digit number composed of the date and time when the request is made. It’s like they’re not even trying.

  2. Liz M

    Any update on whether the data breach included PINs that unlock security freezes?

  3. VegDiabetic

    Do people also freeze credit report for their children or infant?

    1. Christopher

      It’s been recommended. They won’t need credit for a while anyway. Just keep track of the PIN in a safe place you won’t lose for when they want credit in the future.

  4. Nick

    Thank you for all of the great information! I went through the process of freezing my file for each agency but had to wonder if all of the security questions I had to answer about myself were also stolen in the Equifax breach. At least you need a unique PIN to unfreeze your files, but it does seem easy for a hacker to log into each site and change your personal information without you knowing.

  5. Dayle

    Is anyone else as concerned as I am about their drivers license number being stolen? Does everyone realize a fake ID with your number can be created and if tickets are given to the fake ID holder and go unpaid, warrants will go out for your arrest. I cannot find anyway to protect yourself from that. You can get the DMV to possibly run reports when you request, maybe?

  6. fp

    The other credit bureaus are not any better.

    I managed to place a freeze @equifax, experian and innovis, but transunion system would not and asked me to call. I called and when I entered the zip code, it would not recognize it and disconnected. I tried again and after entering my info and selected a PIN, instead of being transfered to an agent I got a busy signal and the call was dropped again. It is thus impossible to even contact them, let alone place a freeze.

    These companies were created and operate the way they do because all 3 branches of our so-called govt did n’t do nothing to control them We’re going to see those corrupted hypocrites “grill” the CEO’s and again do nothing after the lobbying and $ contributions by these companies.

    America is finished. At this point there is nothing and nobody to protect the public from the corporate-govt system that screws it.

  7. fp

    I don’t think it is realized that this has essentially destroyed SSN as a trusted identifier. Not that it was foolproof until now, but now it’s practically dead.

    I also guarantee you that this event will take years of blah-blah and ultimately there will be no real solutions. That’s because the US public accepts and tolerates everything done to it and there is no incentive to stop the corruption and exploitation.

  8. Drew Hall

    Equifax is calling it a “cybersecurity incident” rather than Epic Fail Data Breach. Kinda like Attorney General Lynch calling it a matter and not an investigation.

  9. Chris

    I was one of the “lucky winners” of this breach as well.

    OPM – check. Target – check. Experian – check.

    I finally “took the plunge” and just froze my credit at all four.

    smh so hard my neck hurts…

  10. Joe Jeffers

    Placed freezes at Equifux(free), Chexsystems(free) and Innovis(free). Ten bux to do Experian. Just leaves Transfusion, which has a “free” service Trueidentity(?) which is supposed to let you lock/unlock your credit file. Trying to find out more about this vs just paying the freeze fee. Fun way to spend the day, not.

  11. Adam Snetiker

    This has the potential to be a complete disaster if it isn’t already. As soon as I saw this news I recommended people check to see if they’re impacted and sign up for free identity theft protection because it seems like a good idea to take advantage of it. After reading this, however, I’m starting to think there are criminals behind that offer too.

    Like you, I put in my last name and the last 6 digits of my social security number (which is also a weird thing I’ve never seen before, it’s generally the last 4) – and got a return date of tomorrow, September 12, to enroll. I’m not sure I want to come back now, but I’ll keep following you to see what happens.

  12. Karl Gruber

    I saw this on Reddit, so take it with a grain of salt, but apparently the TOC when you sign up for TrustedID says you to forgo your right to sue Equifax.

    1. Karl Gruber

      Looks like they were rumbled, and have changed the TOC.

      “We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, http://www.equifaxsecurity2017.com. The Terms of Use on http://www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.”

  13. JON F HART

    Rick Smith, Chairman and CEO of Equifax,

    Please explain, to all the citizens that have had their personal information stolen off of the EQUIFAX WEB SITE, WHY ARE WE ONLY GOING TO GET ONE (1) YEAR OF CREDIT MONITORING? The names, Social Security Number and Addresses are lost forever. Therefore, you MUST cover each citizen for as long as their NAMES AND SOCIAL SECURITY NUMBERS remain alive.

  14. Amper$and

    LoL – Love the list of ‘Preferred Qualifications’ in above VP link:

    Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
    (PPL didn’t do the basics, things happened and now, we’re fckd)…

    Poise and ability to act calmly and competently in high-pressure, high-stress situations. (we need a general; joint chief of staff)…

    Executive presence and ability to interface with senior company leaders as well as senior management of Customers; ability to explain and defend the security posture, actions and strategies.
    (even though we’re fckd, make it seem like we aren’t)…

    Must be a critical thinker, with strong problem-solving skills.
    (make sense of the BS, make up things that sound pause-able )..?

    Excellent analytical skills, the ability to manage multiple projects under strict timelines, (2 YEARS AGO would have been GREAT)!

    as well as the ability to work well in a demanding, dynamic environment and meet overall objectives. (bail us out of fckery)..

    High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
    (poker face, hold EVERYTHING in, don’t be seen in public again);

    High degree of initiative, dependability and ability to work with little supervision. (bail us out already, save the ship, we’re fckd).

  15. James

    I wonder if 143M is the number of Americans who have credit histories.

  16. Sasha

    If they have all of my personal information, security questions/answers, etc. what good is it going to do for me to freeze my account and get a PIN number? All the hacker has to do to get my credit unfroze is to login, provide all of the personal identification information that was previously stolen, social security number, dob, security questions/answers, etc. and request my PIN number to be changed so they can have it to do whatever they want.

Comments are closed.