September 7, 2017

Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

In addition, the company said it identified unauthorized access to “limited personal information for certain UK and Canadian residents,” and that it would work with regulators in those countries to determine next steps.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement released to the media, along with a video message. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.

Equifax has set up a Web site — https://www.equifaxsecurity2017.com — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and TransUnion) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.

ANALYSIS

At time of publication, the Trustedid.com site Equifax is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.

As many readers here have shared in the comments already, the site Equifax has available for people to see whether they were impacted by the breach may not actually tell you whether you were affected. When I entered the last six digits of my SSN and my last name, the site threw a “system unavailable” page, asking me to try again later.

[Image: the “system unavailable” page returned by the Equifax breach-check site]

When I tried again later, I received a notice stating my enrollment date for TrustedID Premier is Sept. 13, 2017, but it asked me to return again on or after that date to enroll. The message implied but didn’t say I was impacted.

[Image: the TrustedID Premier notice giving an enrollment date of Sept. 13, 2017]

Maybe Equifax simply isn’t ready to handle everyone in America asking for credit protection all at once, but this could be seen as a ploy by the company assuming that many people simply won’t return again after news of the breach slips off of the front page.

Update, 11:40 p.m. ET: At a reader’s suggestion, I used a made-up last name and the last six digits of my Social Security number: The system returned the same response: Come back on Sept. 13. It’s difficult to tell if the site is just broken or if there is something more sinister going on here.

Also, perhaps because the site is so new and/or because there was a problem with one of the site’s SSL certificates, some browsers may be throwing a cert error when the site tries to load. This is the message that OpenDNS users are seeing right now if they try to visit www.equifaxsecurity2017.com:

[Image: the certificate warning OpenDNS users see when visiting www.equifaxsecurity2017.com]

Original story:

Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.

I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

More information on the difference between credit monitoring and a security freeze (and why consumers should take full advantage of both) can be found in this story.

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time, and then consumers are pitched on purchasing additional protection when their free coverage expires. In the case of this offering, consumers are eligible for the free service for one year.

That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true — if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans.

My take on this: The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

In a statement released this evening, Sen. Mark Warner (D-Va.) called the Equifax breach “profoundly troubling.”

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” said Warner, who heads the bipartisan Senate Cybersecurity Caucus. “It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit – represents a real threat to the economic security of Americans.”

It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).

The company appears to have announced the breach after the close of the stock market on Thursday. Shares of Equifax closed trading on the NYSE at $142.72, up almost one percent over Wednesday’s price.

This is a developing story. Updates will be added as needed.

Further reading:

Are Credit Monitoring Services Really Worth It?

Report: Everyone Should Get a Security Freeze

How I Learned to Stop Worrying and Embrace the Security Freeze

Update: 8:38 p.m. ET: Added description of my experience trying to sign up for Equifax’s credit monitoring offer (it didn’t work and it may be completely broken).


262 thoughts on “Breach at Equifax May Impact 143M Americans”

  1. Yan Ross

    Excellent explanation of the situation, Brian!
    I hope many readers access and follow your advice.

  2. Kyle

    I went through the process and it didn’t even tell me if I was impacted — it simply enrolled me in TrustedID Premier automatically starting 9/12. Are you serious Equifax?

    1. Rick

      Same here. I didn’t know whether it was implicit that I was affected, that they are wholly incompetent instead of semi-…or both.

      1. Debbie

        Yep, got the same message.

        Completed the form for an elderly relative and got a message confirming she was *not* part of the breach (psh, we’ll see), though … so I’m assuming I am.

        1. Wayne

          Same here. That non-informative response reminded me of what happens when you visit a phishing site. How sure are we that the attackers aren’t still in control and have engineered this request for our last name and the last 6 digits of our SSN?

        2. Wayne

          Same here; it didn’t report on whether I’d been affected, but just told me to come back on 9/12. That sort of non-informative response troubles me; it’s what I’d expect to see from a phishing site. How certain are we that the Equifax hackers aren’t still in control and harvesting our last name and the last six digits of our SSN?

      2. Chris

        Me neither. All it did was give me a date to return and enroll. I found a fraudulent charge on my Visa a few days ago and the card was canceled. Now maybe I know why.

      3. Kemn

        I got the same thing. The boilerplate on the page before it says everyone checking will be enrolled, and you will be told if you were or may have been revealed.

        I guess that means I’m clear for this.

        However, I couldn’t get through to anyone to set up a freeze on my account.

      4. Gary Palter

        Same thing happened to me. However, when my sisters went through the process, it informed them that they were not affected.

        So, I presume that means that I was affected.

    2. Daffyd

      Same experience for me. Just happy for credit freezes. Now to talk to my state representatives about changing the statute for $10 credit freezes to $0 credit freezes. Think I’ve got a good case to make now.

    3. James

      Same here, just an enrollment date. I’m hoping that if you only get an enrollment date and no other message, your Equifax files were not impacted. Any comment on that, Mr. Krebs?

    4. Peter

      I got the same cryptic message. The site specifically says “you will receive a message indicating whether your personal information may have been impacted by this incident”, but it just says come back on 9/13 to enroll. So was I affected or not?

    5. George G

      It did not even do that much for me.
      Put in my name and the six digits, check that I am not a robot, but does not let me click on Continue.
      If I hover over the button a circle with a line thru it (whatever it is called) shows.

      Great job, Equifax.

      1. George G

        Tried it on another computer of mine.
        Went thru.
        Got the “you may be impacted”
        Was told to sign up for TrustedID premier on Sept. 12.
        I can imagine the traffic on the sign-up site that day.

    6. db

      ditto…….no yes or no, just “here is your sign up date” in the future……….this is such bs. We are basically subjugated to credit info companies and their lax security culture. There should be less than four companies, maybe two max in order to control the amount of doors crooks have. Firstly the perps should be life in prison, secondly, there should be massive scrutiny on the affected company, standards, and in this case heavy penalty or doomsday solution, like a shut down.

    1. Art

      Anybody else smell an insider trading investigation coming in the wind?

      1. Daffyd

        My thoughts exactly. I’m just imagining a Senate panel with Senator Warren tearing into them like she did with the former CEO of Wells Fargo.

        1. Alpha Centauri

          She can tear into them all she wants, rake them over the coals like Shkreli, but if Trump’s regulators don’t choose to actually prosecute, they can sit there and smirk at us, too.

  3. Rick

    “have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.”

    And, more importantly, due for a very expensive class action suit.

      1. Rick

        Brian, I read elsewhere that if one accepts their oh-so-generous (not) offer of credit monitoring, you give up your right to be part of/benefit from a class action, and you MUST go to arbitration if you want to seek any redress. And we all know how that’ll go….

    1. George G

      The problem with class action suits is that often the lawyers make millions and the participants get pennies.

      Once I was invited to join a class action suit (some stock).
      Filled out a few pages of paperwork.
      Got a check for $1.47.
      Talk about making less than the minimum wage for the time I spent on it …

  4. Daffyd

    Brian, I can’t thank you enough for your 2015 article How I Learned to Stop Worrying and Embrace the Security Freeze. While the breach of a major CRA affecting possibly half the country is just jaw dropping…I believe I’ll be able to sleep tonight.

    Thanks again, I’ve been a follower of yours since the Target breach.

  5. Dennis

    They give me free credit monitoring, yay! So let me guess. They lost my personal data and now they want to collect more of it …. Hmm. Let me think about it … NO!!!

    PS. Why do we even need SSN and those credit reporting bureaus? It’d be so much better for everyone if they just burned to the ground. I bet no one would even miss them.

    1. Warez

      Your personal data is supplied to them by banks where you have credit lines.

  6. JGB

    Am I the only one that finds it disturbing that both of the domains currently used to check if you’re impacted ( equifaxsecurity2017 and trustedidpremier) were registered over a week ago and also both look (in name) like phishing sites?

    That and there’s absolutely nothing in the WHOIS information indicating that the domains are registered to Equifax?

  7. GB

    I tried to check “Potential Impact” on the site and all I got in return was a date and message to come back to the site on that date and register for Trusted ID premier. Shady??
    No message on whether I am a victim or not. WOW!

  8. Dana Schwartz

    Monitoring, as you say, is basically useless. I would be calling for removal of all fees on Credit Freezes for life. OPM should have done the same.

  9. IRS iTunes Card DOH!

    It looks like my Social Security number was in the breached database. I enroll on 9/12/2017

  10. vb

    For those who don’t want to go full “credit freeze”, there is another alternative called a “fraud alert”.

    I can still get a new credit card, but instead of a one week approval, it takes more like a month, after I send the credit card company a copy of my identity documents.

    I have a fraud alert through Equifax. It gets automatically renewed every 90 days. I get an email like this…

    “Your request to place or renew a 90-day fraud alert on your Equifax credit file was recently processed via the Automatic Fraud Alerts feature. This email serves as confirmation that the request to place or renew a 90-day fraud alert on your Equifax credit file has been completed successfully! We will forward your 90-day fraud alert request to TransUnion and Experian.”

  11. christopher w

    Is there an easy way to request the freeze from the big three?

    1. Daffyd

      Not an easy way to do all 3 (4) at once. But, if you go to Brian’s linked article above (How I Learned to Stop Worrying and Embrace the Security Freeze) you will find links to all the sites to complete your security freezes. While some do charge you for placing a freeze, and temporarily lifting it…being able to sleep tonight is well worth that small price.

    2. db

      They are all easy as individuals, takes five minutes. Include Innovis too as Krebs pointed out. The only one that is not working now to get into the security freeze portal is EQUIFAX!!!!!!!!!!!! WTF….cannot get into Equifax, all others were fine…..

  12. Mike

    Brian, a mention early in your article incorrectly referenced Experian rather than Equifax in the context of this breach. Can you please update the following:

    “At time of publication, the Trustedid.com site Experian is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.”

    It should read Equifax instead. Thanks,
    Mike

  13. Rich56k

    Thanks for being the go-to source for this info Brian! I literally just saw it as breaking news online and checked my email and sure enough this post was waiting for me!

    OK so I visited the equifaxsecurity2017.com site and accessed the “potential impact” page. However, after inputting my last name and last six digits of my SS# all it did was give me a date to enroll in their program?!

    I was most interested in whether I was “impacted” or not? Did I miss something??

    I realize that I more than likely was – I’m already enrolled with Kroll from an earlier breach of LA County medical records, but still…

  14. SLC

    Have had a credit freeze on my bureau accounts for a couple of years since the OPM breaches. Spouse does not have a freeze at this time, but will shortly!

    According to their “potential impact” tool, my data appear to have been included in this Equifax breach since I’m being offered a chance to come back next week & sign up for their BS monitoring. Entry of spouse’s information, OTOH, got the result that there was no evidence that their information had been exposed.

    My only concern would be if the breach of my data included the PIN for lifting the freeze.

    Brian — thank you for this report & any follow ups that you do.

  15. Dale Chapman

    The information breached includes all the information needed to successfully file fraudulent tax returns. The driver’s license number was the failsafe for the IRS. This could prove to be the death knell for stolen identity refund fraud.

  16. CWil

    I’m not surprised by today’s news…we’ve been trying to get Equifax to conduct/provide a SSAE 16 SOC report or other independent validation of internal IT controls for years…to no avail. Agree with B’s suggestion of limited regulatory oversight.

    Great reporting as always.

    1. Betan Testravosky

      An SSAE16 (SSAE18 now) SOC1 wouldn’t have covered this aspect at all, since the SOC1 only addresses ICFR controls. You would have needed a SOC2 Type2 AT Section 801 on Trust Principles to assess the controls this breach rode in on. And even then, Equifax wouldn’t provide that. Been assessing them for years as well, they never got past inadequate by Vendor Management. The 2017 review had them claiming (unsigned document of course) that they followed PCI DSS Guidelines. Obviously not. Although we have business units demanding to use them, always shot Equifax down as a non-transparent vendor.

  17. kyle

    I looked at the source of the page and it looks like there are 3 options:

    1) “message-deferred”: “Thank You — Your enrollment date for TrustedID Premier is: xxxxxx Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.”

    2) “message-success”: “Thank You — Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier.”

    3) “message-not-impacted”: “Thank You — Based on the information provided, we believe that your personal information was not impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier”

    I got the “deferred” message, which I guess means I can come back later to see if I should panic or not.

    1. Alphaman

      Good job, Kyle. It makes sense they’d have that text hardcoded into a page only to be revealed by the status of the query.
      Personally, I got a “message-not-impacted”, though my wife got a “message-deferred”. Good to know there’s a third option that actually states the account was impacted.

    2. Bertie

      Kyle, upon entering my last name & last six digits of SS number, I got no message except the date to enroll in Equifax’s premier offer. Thus the fourth type of message is no message.

    3. Deb

      Kyle, thanks very much for this info. I, too, got message number 1 and was puzzled about whether my info had been stolen because all there was was the “future” enrollment date and no other info.

      Thanks for clearing it up. Now, I know I’m in Limbo — so, will just assume the worst. 🙁

  18. Fawad K

    Lately EquiFax has been asking its business partners very weird questions, practically performing impromptu “audits” on business partners/customers.

  19. Brownie

    Please remove Experian name next to trusted id website info. That is Equifax service.

  20. James Schumaker

    Brian, my family all followed your advice two years ago and put a credit freeze on our accounts with the four credit reporting bureaus. It is heartening to know that the credit freeze cannot be lifted by hackers using information acquired from this latest breach, but we would appreciate knowing if this situation changes in the future. Once again, thanks for your advice on credit issues. It has been extremely valuable.

  21. Bill

    I think that one year of credit monitoring and identity theft protection is woefully inadequate. It should be at least 10 years of credit monitoring and lifetime ID theft protection. Criminals smart enough to hack into Equifax’s most sensitive DB’s are smart enough to save some of their treasure trove for use in a couple of years. Most of the stolen data won’t change over time – your name, SSN, birth date. So someone could steal your identity for the indefinite future.

    Where are the laws and regulators when we need them? Stiff fines that exceed the cost of hardening security might motivate companies. Otherwise, they simply won’t spend the necessary money.

  22. EF Stone

    If I never have to deal with any of these credit report agencies again it will be too soon. I had to get a background check for a subcontracting job, and they put me through hell. I was in a circular CF for three weeks and finally gave up – and the gig. Because I had used my middle initial sometimes/sometimes not, and the suffix Jr. and sometimes not. But my SSN and birthdate were always the same. I was sent to call center hell too many times, speaking to people who I couldn’t understand over the phone and who I had to start from square one with each time.

  23. Ski

    Said I was included in breach. Wondered why I have to enter my SS#, DOB, and all personal info to receive the trusted ID coverage. Wouldn’t they have all of that info? How do you know it’s not an additional hack?

  24. Wendy

    I finally managed to get through to the breach call center and the representative told me that if after inputting last name etc, the message returned by system was enrollment date only – that meant (in her experience) that you have been impacted.

  25. DeX

    It’s interesting they had (wanted?) to setup a fully-blown WordPress install just to announce this. Of course, without proper error handling [via custom documents] and some info disclosure:
    https://www.equifaxsecurity2017.com/readme.html

    Also, their API endpoints (called by that site) are playing “nice” with anyone interested in more digging:
    https://trustedidpremier.com/eligibility/rest/2.0/

    Something is not right if, by design, you can freely access REST APIs without a simple check…
