September 7, 2017

Equifax Data Breach: How to Watch Your Back for Identity Theft


I suppose the biggest hint of how serious this news release is for all of us is the fact that the Big Kahunas at Equifax jumped ship before the hack went public. 

Well, that and the timing of this big story while all of the media spotlights are shining on South Florida in expectation of Hurricane Irma. 

So, you need to assume you’re screwed here and do something.  But what? 



Their Site is Sneaky in How It Lets You Know You’ve Been Compromised

If you go to their site, and follow their steps, you’ll get a request to enter the last six digits of your SSN with your last name.  Then you get a message that you will receive their free Identity Theft coverage for one year … but you’ll have to come back on the date that’s given in order to join up. 

Yes, that’s right.  They want you to input the last six digits of your SSN into a site they’ve just admitted was compromised. 

In South Texas, we say they’ve sure got some big huevos, boy howdy.

And that’s it.  That’s the only tip to you that some of your personal information has been stolen from the site.  They don’t give you any details.  Heck, they don’t even tell you “yes, your information is involved.” All you get is this little invite popping up. 


But right now, their site is still sneaky in how it’s letting you know that you’re a part of the pack that’s been exposed to the Dark Side. 
.

What Can You Do Right Now?

So, what can you do, now that you know your personal information is out there, somewhere? 

1.  Have I Been Pwned

Well, Kim Komando recommends going over to the web site “Have I Been Pwned” – and that’s good advice. 

Be prepared, you’re not going to like what it tells you.  But at least you know, and can take action.

And you can sign up so the site will give you notice in the future if your accounts have been breached at other sites (like LinkedIn, or Adobe, or Dropbox). 

2. Identity Theft Protection or Credit Freeze

Next, you can get yourself some Identity Theft Protection.  That’s the freebie for one year that Equifax is offering you in the sneaky message affirming that your information on their site has been hacked.

Silly me, but I don’t know that I want to trust their Theft Protection service.  Call me paranoid. 

So, I surfed around and discovered advice from Steve Weisman, a law professor and cybercrime expert, who blogs at scamicide.com

In his April 22, 2017, USA Today piece entitled “Is identity theft protection worth it?” Mr. Weisman suggests that maybe it’s not the best course to take.

Instead, he suggests a “credit freeze.”  Go read his article – makes good sense. 

3.  Change Those Passwords

And, of course, you need to go and change those passwords.  Use different ones for each account, too. 

And I’m reading lots of folk suggesting that you do the two-step authentication for added security.  Problem is:  that in and of itself may open you up to being hacked.  Whattha?  Yep. 

Check out the May 2017 article by Joseph Cox in Vice, entitled “We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed.” The key language here (and the scary part):

"Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue."

4. Visit the FTC Site

Finally, you can visit the government site which stores lots of information about identity theft.  Like the following things you need to know because Equifax has been hacked.


What Do Thieves Do With Your Information?
Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.

Clues That Someone Has Stolen Your Information
  • You see withdrawals from your bank account that you can’t explain.
  • You don’t get your bills or other mail.
  • Merchants refuse your checks.
  • Debt collectors call you about debts that aren’t yours.
  • You find unfamiliar accounts or charges on your credit report.
  • Medical providers bill you for services you didn’t use.
  • Your health plan rejects your legitimate medical claim because the records show you’ve reached your benefits limit.
  • A health plan won’t cover you because your medical records show a condition you don’t have.
  • The IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don’t work for.
  • You get notice that your information was compromised by a data breach at a company where you do business or have an account
  • If your wallet, Social Security number, or other personal information is lost or stolen, there are steps you can take to help protect yourself from identity theft.  


Equifax’s Explanation of What Went Wrong

So, what has happened here, anyway?  Equifax has issued a long news release giving details.   I’ve inserted the full text of their news release, entitled “Consumer Notice” below for your convenience. 

Notice that they are telling you that “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers … [and] credit card numbers for approximately 209,000 consumers and certain dispute documents… have been stolen.


At Equifax, protecting the security of the information in our possession is a responsibility we take very seriously. This is to notify you of a data security incident that may have exposed some of your personal information, including your Social Security number and other identifying information. This
site explains the incident and steps Equifax has undertaken to address it. In addition, we provide guidance below on what you can do to protect your personal information.
I. What Happened
On July 29, 2017, Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files. Upon discovery, we acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.
II. What Information Was Involved
Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.
III. What We Are Doing
Upon learning of this incident, Equifax took steps to stop the intrusion, and engaged an independent cybersecurity firm to forensically investigate and determine the scope. Equifax also engaged the cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
Equifax is focused on consumer protection and has established a dedicated website, www.equifaxsecurity2017.com to help consumers. We have provided a tool on this site for you to determine if your information was potentially impacted by this incident. To find out if you are potentially impacted, please go to www.equifaxsecurity2017.com, and click on “Potential Impact,” and enter your last name and last 6 digits of your Social Security number.
We are also offering free identity theft protection and credit file monitoring to all U.S. consumers, even if you are not impacted by this incident. This offering, called TrustedID Premier, includes 3-Bureau credit monitoring of your Equifax, Experian and TransUnion credit reports; copies of your Equifax credit report; the ability to lock and unlock your Equifax credit report; identity theft insurance; and Internet scanning for your Social Security number – all complimentary to U.S. consumers for one year. To find out more information on this complimentary offer and to sign up, please click on the tab “Enroll” on this site. You must complete the enrollment process by November 21, 2017.
IV. What You Can Do
In addition to enrolling in identity theft protection and credit file monitoring, please see the “Identity Theft Prevention Tips” below, and the “State Information” tab of this site. This information provides additional steps you can take, including how to obtain a free copy of your credit report and place a fraud alert and/or credit freeze on your credit report. In addition, please monitor your account statements and report any unauthorized charges to your credit card companies and financial institutions.
V. For More Information
Equifax is committed to ensuring that your personal information is protected, and we apologize to our consumers and our business customers for the concern and frustration this incident causes. If you have additional questions, please call our dedicated call center at 866-447-7559, available from 7:00 a.m. to 1:00 a.m. Eastern time, seven days a week.
Identity Theft Prevention Tips
We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports. You may obtain a free copy of your credit report from each company listed below once every 12 months by requesting your report online at www.annualcreditreport.com, calling toll-free 1-877-322-8228, or mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting any of the credit reporting agencies below:
Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
888-766-0008
Experian
PO Box 9554
Allen, TX 75013
www.experian.com
888-397-3742
TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
800-680-7289
If you believe you are the victim of identity theft, you should contact the proper law enforcement authorities, including local law enforcement, and you should consider contacting your state attorney general and/or the Federal Trade Commission (“FTC”). You also may contact the FTC to obtain additional information about avoiding identity theft.
Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue NW, Washington, DC 20580; 1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft
State Attorneys General: Information on how to contact your state attorney general may be found at www.naag.org/naag/attorneys-general/whos-my-ag.php.
You may obtain information from the FTC and the credit reporting agencies listed above about placing a fraud alert and/or credit freeze on your credit report. Please also visit the “State Information” tab of this site.


No comments: