07
Sep 17

Breach at Equifax May Impact 143M Americans

Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

In addition, the company said it identified unauthorized access to “limited personal information for certain UK and Canadian residents,” and that it would work with regulators in those countries to determine next steps.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement released to the media, along with a video message. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.

Equifax has set up a Web site — https://www.equifaxsecurity2017.com — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.

ANALYSIS

At time of publication, the Trustedid.com site Equifax is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.

As many readers here have shared in the comments already, the site Equifax has available for people to see whether they were impacted by the breach may not actually tell you whether you were affected. When I entered the last six digits of my SSN and my last name, the site threw a “system unavailable” page, asking me to try again later.

equifaxtry

When I tried again later, I received a notice stating my enrollment date for TrustedID Premier is Sept. 13, 2017, but it asked me to return again on or after that date to enroll. The message implied but didn’t say I was impacted.

enrollmentequifax

Maybe Equifax simply isn’t ready to handle everyone in America asking for credit protection all at once, but this could be seen as a ploy by the company assuming that many people simply won’t return again after news of the breach slips off of the front page.

Update, 11:40 p.m. ET: At a reader’s suggestion, I used a made-up last name and the last six digits of my Social Security number: The system returned the same response: Come back on Sept. 13. It’s difficult to tell if the site is just broken or if there is something more sinister going on here.

Also, perhaps because the site is so new and/or because there was a problem with one of the site’s SSL certificates, some browsers may be throwing a cert error when the site tries to load. This is the message that OpenDNS users are seeing right now if they try to visit www.equifaxsecurity2017.com:

opendns-equifax

Original story:

Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.

I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

More information on the difference between credit monitoring and a security freeze (and why consumers should take full advantage of both) can be found in this story.

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time, and then consumers are pitched on purchasing additional protection when their free coverage expires. In the case of this offering, consumers are eligible for the free service for one year.

That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true — if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans.

My take on this: The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

In a statement released this evening, Sen. Mark Warner (D-Va.) called the Equifax breach “profoundly troubling.”

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” said Warner, who heads the bipartisan Senate Cybersecurity Caucus. “It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit– represents a real threat to the economic security of Americans.”

It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).

The company appears to have announced the breach after the close of the stock market on Thursday. Shares of Equifax closed trading on the NSYE at $142.72, up almost one percent over Wednesday’s price.

This is a developing story. Updates will be added as needed.

Further reading:

Are Credit Monitoring Services Really Worth It?

Report: Everyone Should Get a Security Freeze

How I Learned to Stop Worrying and Embrace the Security Freeze

Update: 8:38 p.m. ET: Added description of my experience trying to sign up for Equifax’s credit monitoring offer (it didn’t work and it may be completely broken).

Tags: , ,

262 comments

  1. This feels like a scam more than a breach but maybe both.

  2. My brother has never applied for a credit card, payday loan, a car loan or a mortgage. However, when he goes to rent an apartment or room for rent, they run a credit check on him. Does this mean his SSN and PII are in a credit bureau’s database?

  3. I think Equifax needs to be fined very, very heavily and some Equifax Executives should be fired. If the execs are not made to feel the pain personally, these problems will not go away. Why do breached companies always bring in the outside experts AFTER the breach, not before, to challenge their systems. Geez.

  4. At this point in the Equifax fiasco, is there any benefit to signing up for something like Lifelock, or has the horse left the barn?

    • Lifelock is every bit as effective as it was before the breach, i.e., not at all.

      (That thing in the barn isn’t even a horse.)

  5. Elsie H. Robertson

    This morning I tried to find out whether my husband and I were hacked. I did everything the article had said. I apparently was not involved; my husband has been. When I tried to go further, I got the same enrollment dates etc. It sounds very much like a bait and switch during a very difficult time for people. I also called the number given 866-447-7559, reached a person on a very scratchy line. She said that I had to go back to the original information, follow every “continue” command and I would be given a date on which to call the 866 number. I did that, and got the same old enrollment etc. I have written down the support person’s directions in detail. So what do I do now?? In the past when I have tried to rectify Equifax errors, it has been an exercise in futility.

  6. Even if you put a credit freeze, with the breached information that includes SSN, birth dates etc, what is to prevent the hackers who got the information from removing the credit freeze itself ?

    • >Even if you put a credit freeze, with the breached information that includes SSN, birth dates etc, what is to prevent the hackers who got the information from removing the credit freeze itself ?

      They issue separate credit freeze codes when you freeze your credit. This will protect your credit as long as they hackers don’t steal the codes themselves.

  7. Folks- Credit Freeze your young children.

    (Even if you only monitor yourselves).

    • Out of all of this, the cost of freezing and unfreezing your (or your kids) credit reports should be free. Make it a federal law.

      • I’m on a limited budget and don’t feel it is fair I should have to pay a cent to the very agencies that had horrid lax security practices resulting in my data and that of my family potentially leaked forever onto the global internet.

        These companies should step the hell up and offer this for free. To everyone. Forever. Anything less is just corporate BS.

  8. If you look at the Equifax FAQ, they state that “This incident potentially impacts approximately 143 million U.S. consumers.”
    Further down they state, “Criminals also accessed credit card numbers for approximately 209,000 U.S. consumers.”

    It appears that they believe criminals accessing credit card numbers has no impact on consumers.

    • I just realized that there are 3 less zeros after the credit card numbers vs the number of consumers impacted.
      Nothing to see here… move along.

  9. FYI – I experienced the same issue with Equifax last night on my iPhone in Safari (given TrustedID number but no information on whether or not I was impacted).

    Tried it again today from a desktop on Chrome, and it worked, telling me I was part of the breach. May be worth trying again.

    • It seems that if it does not say ‘you have not been affected’ your data is hacked. I did the same yesterday and said ‘as of now with the current info we have, you were not affected by the hack’ so that makes me think in the coming weeks that may change.

  10. Mr. Krebs, Isn’t this the 2nd Equifax breach? Very disturbing a company who stores our complete personal and credit info has this happen for a 2nd time. Who would you suggest contacting in order to express my concern and to say perhaps Equifax should not be a company responsible for maintaining my personal and total credit history. My SC Congressman? Is there a way for me as an individual actually “opt” out of having Equifax store my personal data or is this mandated by federal law Equifax has this right and there is nothing I can do about it personally? What would you suggest? How would a credit freeze on your info placed with Equifax actually help in this situation if the freeze is with the company where my data was breached? Just trying to understand this situation. Sherry Ouzts

  11. I would certainly make sure that you read their EULA. By going to the site to see if your info was part of the breach, you are agreeing to arbitration and can’t be part of a later class action.

    • I believe the NY Attorney General made an inquiry about the language in the EULA and Equifax “clarified” that the terms of the agreement applied only to the standard TrustID product and not the cyber security breach. I’m guessing they’ll have to create a new set of terms for this particular incident. I heard through the grapevine that there is also $1M in insurance coverage (case by case not cumulative) for those who are affected.

  12. I have not enrolled yet, but read at least some of the FAQ Equifax offered. Their effort to remediate their breach includes a free subscription to their TrustedID Premier service. That was covered in the very valuable article above and several of the comments, along with equally valuable strong recommendations to make use of credit file security freezes.

    What is not mentioned above but may also be worth noting is that one of the options in TrustedID Premier, the “File Lock” option, is described as being mutually exclusive with a security freeze. From the FAQ:

    “In this situation, am I better off placing a fraud alert, requesting a security freeze, or using the file lock feature in the TrustedID Premier product?

    Please note that you can have either a security freeze or Equifax credit file lock on your Equifax credit report, but not both.”

    So, if you enroll in their Premier service and elect to use the file lock option, that removes your previously paid security freeze?

  13. I want to know whether I was impacted?

  14. I tested and accidentally typo’d my last name. The results said I was not impacted.

    I noticed the typo and ran it again. It said I was may be impacted. It gave me a date of 9/12 to come back and enroll.

    I just don’t want any sort of scammy auto-reenrollment, charge you $99.95 in 3 years after my “free” monitoring expires.

  15. So the identifying details of most ppl who have a credit history are now and forever unreliable (this is half the US population, and likely the working half)

    SSN/dob should be pretty useless as a financial ID going forward right?

    Question is, what takes their place?

  16. I put a fake last name and fake last six into the checker and I got the same results as people who I know have put their legit info in there…it said I may have been impacted.

  17. For better or worse, smart or stupid, I have Equifax credit monitoring, and have for about 10 years. About 3 years ago they alerted me to someone out of state trying to do a hard pull on my credit file at a different credit agency file 2 times in rapid succession, failing both times because while they had everything else right, they were way off on the birth date. This was the confirmation I needed that my identity had been compromised — something I’d already suspected when Old Navy Visa called and asked why I hadn’t activated the card they’d sent to someone using my name and SSN. I froze my credit at the Big 3 and Innovis. I haven’t lifted it once since then, and having it frozen hasn’t mucked about with my life at all. People with whom you already had an existing financial relationship can still run a credit check on you, like your wireless carrier or your credit card company. Debt collectors, law enforcement, the IRS, and other government agencies can check your credit, too. Theoretically, though, no one can open a new line of credit using your name and info. Now, however, I worry about the sanctity and security of my Equifax PIN#, as have others. Time will tell.

  18. “I apologize to consumers and our business customers for the concern and frustration this causes.”

    But not for actually losing the data, no, that I don’t apologize for. Just for the feelings you might be having. Because if I apologize for something we did, that admits wrongdoing, and I never want to admit wrongdoing, even while I’m admitting wrongdoing.

  19. One more thing and then I’ll knock it off: about 2 months ago I received a notification, supposedly from Equifax, that the on-file credit card I was using for the automated payment on my Equifax product was about to expire. I knew that this was absolutely not the case, but checked anyway. The email asked me to click on a button link in order to log in to Equifax and update my info. There was no way I was going to do that, but I did hover the cursor over the button to see where it would have taken me, and based on what I read in the status bar it would not have taken me to an Equifax site. I called Equifax and told them what had happened. After they were sure it was me, they looked up my info and told me that my payment method was indeed good for as long as I knew it to be. The rep I spoke to asked me to submit a written comment to Customer Care, which I did. It took them 8 days to get back to me, but they also told me that my card was good and would be for a few more years. I thought nothing more of it until I received an identical email the next month, supposedly from Equifax, once again warning me that my product would expire unless I updated my payment method. This time I contacted no one, thinking that if they did drop me maybe it was for the best. Still, I was pretty certain that the emails weren’t coming from Equifax. Now I wonder if any of this was connected to what was just revealed, or merely coincidental.

  20. Looks like there are some speculation that Apache Struts might be at play? Any thoughts?

    http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/

    “Hackers were able to access the info — including Social Security numbers — because there was a flaw in the open-source software created by the Apache Foundation, the company told Jeffrey Meuler, an analyst at RW Baird & Co.”

  21. We now need to patrol the “patrollers” who have now become the “enemy”. There should be a federal law that anyone who gives up (ie., lets) this many emails/soc security/drivers licenses, etc. gets “stolen”, etc. is fined a minimum of $500,000 per month that this or any onngoing recognized (bonafide) infraction continues.

    • Yup, but it’ll NEVER happen — politicians are in the pocket of corporations and the US public accepts and tolerates all that’s done to it.

    • The US public has been apathetic to the out of control exploitation by tech/data and all other corporations. And now when it’s experiencing the worst consequences of it, all of a sudden they ask “why do they do this to us?”.

      They do it, because we let them — accept and tolerate it. The political system will not address this unless and until we revolt against it COLLECTIVELY — not individually whining about it.

      Unfortunately, the US culture is one of atomization — collective action it’s not in the DNA. That is why it is so easy to exploit us.

  22. Perhaps it is time for us to demand that the US enact GDPR-type legislation that will put control of personal information back into the hands of the consumer and significantly penalize corporations for failure to protect personal information.

    “Free credit monitoring” just doesn’t cut it. Equifax should be paying for a credit freeze for all customers to all the credit bureaus.

    • GDPR 4% of there Global net is about $80+ mil. There market cap was at 14+ bol yesterday. So it’ll be interesting if they will be the prime example. We Shall see…

  23. As of this second Equifax.com site does not load.

  24. It appears a class action law suit has already been filed according to this article: http://www.abajournal.com/news/article/class_action_is_filed_over_equifax_data_breach_information_website_has_arbi

    So I went to the Olsen Daines web site and it looks like you may be able to join the class action group for the case against Equifax here:

    http://olsendaines.com/equifax-security-breach/

  25. “At time of publication, the Trustedid.com site Experian is promoting …”

    Experian?

  26. I checked the site for myself, and was told to come back on 9/13 to fill in a form. I told my daughter to check, and the message she received said to fill in this form ‘right now’. There appears to be some prioritization.

  27. Thanks why need CUJO. Happy to have it

  28. Why are we having to pay for a security freeze when Equifax let our information be vulnerable in the first place? As one of the first steps of contrition to customers this should be offered for free. The fact that they haven’t, and waited 40-41 days to let us know added to the fact that company execs were dumping stock after the discovery of the hack does not offer a view of empathy for our information loss and our susceptibility to CC fraud!
    There should be an investigation and possible criminal charges for negligence at the least!

  29. I received same non-descript response as dhown in the article. Then called the phone number: “Why the non-descript response?” Was told they do not know who was compromised and that I would find out on enroll date if I was. 6 weeks after and they don’t know who was compromised?? Incompetence abounds.