One of the biggest problems with all of the media attention given to corporate hacking is that after a while it almost becomes blasé. We become so used to hearing about yet another online invasion that has left customer data in jeopardy that we almost start to think the problem isn’t as serious as it really is. But when that happens, it seems like a massive breach is announced that is so staggering that it shocks people back into reality.
This was the case with Equifax, the credit-monitoring company, which was recently the victim of such a hack. The revelation has already had far-reaching repercussions and is a reminder that corporate Internet security is not to be taken lightly.
Equifax has been hacked
On September 7, Equifax revealed that it had been hacked and its client data had potentially been compromised. Unfortunately, that means the personal information for almost half of the country is at risk. Equifax had data on 143 million U.S. citizens as part of its credit-monitoring service. By the start of October, a forensic investigation of the hack had revealed that the number was actually 145.5 million.
How am I affected?
What this means is there is a very good chance that your Social Security number, driver’s license number, address, and birthday are in the hands of cybercriminals. Any of this information could be sold on the Internet and then used to commit identity fraud, opening bank and credit card accounts in your name. This information, such as your birthdate, is also used by many websites to verify your identity, giving these criminals the potential to hack your private accounts as well, including your email, credit cards, and online banking. As if that wasn’t bad enough, Equifax also reported that the security questions and answers of some users had been compromised, further allowing hackers to get into your accounts. As with any such hack, the company was deemed vulnerable after the disclosure and a second hack was averted with no data lost.
What you should know
There are a few takeaways from this hack that make the implications of what happened even greater. One of the first of these is that Equifax actually discovered the hack had occurred six weeks before the September 7 disclosure. This puts the discovery around the end of July. But the hack actually started in May. That means that hackers had approximately two months to mine for personal data, but four months with that data before the customers were informed.
If Equifax had come forward immediately, then consumers could have taken measures to ensure their personal information wasn’t used illegally. In that time, their data could have been bought and sold several times over. To make matters worse, Equifax still has not explained why they delayed in making this information public knowledge.
Equifax executives’ actions are questionable
Another troubling part of this whole situation is the fact that several Equifax executives sold shares in the company after the breach was discovered but before it was publicly announced. Had they waited until after the disclosure was made public to sell the shares, they would have lost thousands of dollars. Although the company claims they did not know about the security breach, this is actually cold comfort since one of the executives was the Chief Financial Officer. The fact that the CFO was unaware of one of the largest security breaches in history makes many question why there was so much secrecy, even within the company itself.
Equifax doesn’t seem to get it
Finally, the company has actually surprised and amused the security industry with its brazen attitude following the hack. Once the breach was revealed, the company set up a website so that customers could check to see if their data had been compromised. However, in order to do this, the customer had to enter part of their Social Security Number and their last name. This surprises many because it seems that customers would not trust them with the information after already having their data stolen once before.
They are also offering those who have been compromised a free year of their “TrustedID Premier” service which helps with credit monitoring and identity theft. This service, however, doesn’t offer enough protection for those affected and it could actually make the company money since users will have to resubscribe at the rate of $19.95 per month. Part of the terms of service agreement you have to sign to get this service is that the customer gives up the right to sue Equifax. Essentially, the company is offering a free year of an insufficient service in order to potentially make more money and protect themselves from possible litigation.
What can I do about this?
As far as what can be done about this problem, there are really just two options. For consumers affected by the breach, you can contact credit agencies and put a freeze on your line of credit. This will prevent anyone from taking out a credit card or loan in your name. Unfortunately, there is a fee involved with something like this and it will also mean that you won’t be able to apply for a line of credit either without temporarily removing the freeze. However, this option is better than having your credit history marred by a criminal.
When it comes to major action on this, Congress will have to establish a national law requiring businesses to reveal such security breaches within a set time frame. (In Europe, it is 72 hours.) As it stands right now, fewer than a dozen states have such laws on the books, which does not leave citizens in a very safe environment.
There’s an old meme about social media that says, “If you’re not paying for it, you’re not the customer. You’re the product being sold.” This is probably the biggest takeaway for many customers when it comes to the Equifax situation. The reality is that many companies are now becoming clearinghouses for data with the idea being that the customers’ data can later be sold to other companies for marketing purposes. And when these companies are the victims of a security breach, the results can be cataclysmic because so much of our personal information is available for the taking.