What's the Deal With the Equifax Hack?

Sep 11, 2017 11:51:38 AM / by Carl Keyser

Equifax was hacked. 143 million Social Security Numbers were compromised. That’s just under half the population of the United States. It’s pretty scary.

There aren’t many details regarding what exactly happened. Equifax says the investigation is still ongoing. It’s doubtful we’ll ever “really” know what happened. But we’ve been given a few ideas.

So what do we know?

Here's what we DO know, so far, broken down to fit in a consumable timeline:

  • May 15th - Hackers start attacking Equifax through their website, supposedly via an Apache Struts framework exploit. (Link - NY Times, Link - The Register)
  • July 29th - Hack is discovered by Equifax. (Link - CNN Money)
  • September 7th - Equifax releases a public statement detailing the scope of the hack and what information was stolen. The company establishes a new web page dedicated to helping people find out if they’re affected or not. (Link - EquifaxSecurity2017.com)

(Ironically, registering for this program requires you to enter not only your last name, but a huge chunk of your Social Security number as well. You may not feel comfortable sharing that information with a company that just dumped 143 million S.S. records into a hacker's lap.)

From a news standpoint there isn’t much there to expand on. The only real torrid details to emerge so far are related to the three Equifax executives who sold almost $2 million worth of shares on August 2nd.

It hasn’t been discovered if they knew about the attack or not when they decided to sell their stock options. We're not going to speculate on that.

How long did it take Equifax to discover they’d been hacked?

Two and a half months. That’s how long it took Equifax to discover they’d been hacked. From May 15 (an estimated date; they said mid-May in their release) to July 28 it was business as usual for the Atlanta-based company.

How did Equifax figure out they’d been hacked?

We don't know. The hackers might have pinned a note to the data center wall. Only time will tell.

(An artistic re-creation of the note.)

What Can Be Done to Protect Your Credit/Personally Identifiable Information (PII)?

The Federal Trade Commission (FTC) moved pretty fast and this is what they recommend. We've copied the content on the FTC's website almost verbatim to ensure we convey the correct information. 

Step 1.  Find out if your information was exposed - Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.

Whether or not your information was exposed, U.S. consumers can get a year of free credit monitoring and other services. The site will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until November 21, 2017 to enroll.

Step 2. If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.

Step 3. Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.

Step 4. Place a credit freeze on your files - A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.

How do I place a freeze on my credit reports?

Contact each of the nationwide credit reporting companies:

You'll need to supply your name, address, date of birth, Social Security number and other personal information. Fees vary based on where you live, but commonly range from $5 to $10.

After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

We've personally called all three numbers and can attest that they work. Equifax charges no fee for the credit freeze. Experian and TransUnion will charge you a fee, depending on the state you live in. A majority of people will probably have to pay $10 for both.

TransUnion has the added bonus of trying to up-sell its services when registering for the freeze by phone and won't let you continue unless you talk to a salesperson. We found it's easier to register for the TransUnion freeze online at https://www.transunion.com/credit-freeze/place-credit-freeze .

Please be mindful that registering for these services entails you giving them your Social Security Number, Credit Card Number and Address. Be considerate of where you are and how secure your surroundings are before you proceed.

How do I lift a freeze?

A freeze remains in place until you ask the credit reporting company to temporarily lift it or remove it altogether. A credit reporting company must lift a freeze no later than three business days after getting your request. The cost to lift a freeze varies by state.

If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit reporting company the business will contact for your file, you can save some money by lifting the freeze only at that particular company.

Step 5. Monitor your existing credit card and bank accounts closely for charges you don’t recognize.

Step 6. File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

What's Next? 

Oof. That's a toughie. We don't know. Honestly, who can tell at this point? We don't know what the hackers are going to do with this information now that they have it but we're fairly certain it's not good.

Personally we recommend following the steps we mentioned above. That should put you in a relatively good and secure place.

As for a commercial solution? Stay tuned because we'll be talking a bit about that later this week.
