Equifax breach affects almost half of adults in U.S.

Next story

4 October 2017

The credit monitoring bureau Equifax was hit with a security breach that has given thieves access to the data of 143 million people—mostly customers from the U.S., plus a handful from the UK and Canada.

The data stolen includes names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses and credit cards.

Indications are that this breach occurred between mid-May and July, and it was discovered by Equifax on July 29. As this has potentially affected almost half of all adults in the U.S., you may be wondering how to identify or mitigate problems caused by this breach if you're affected, or if something similar were to occur in Australia. Here are a few steps you can take:

1. Check your account for suspicious activity

The first, and most important thing you can do, is to check the transactions on all your financial accounts and credit history. As the breach was only recently reported, it’s likely that more information about the specifics of who and what was stolen will become available in the coming days and weeks.

If you see activity that you do not recognize, it is important that you notify the bank or credit agency immediately.

Keep in mind that the thieves may not use or sell all of the stolen data right away. You will need to be vigilant with your accounts for a while.

2. Consider a credit freeze

While freezing your credit does introduce a hurdle in allowing someone to access your credit report (such as when applying for a new bank card, loan, apartment or job), it also makes it more difficult for thieves to create new accounts using your information.

Laws differ from one country to another, and within the US from one state to another regarding who may request a freeze and how much they will be charged. For most US states that do charge, if you’ve not yet had fraud committed as the result of a data breach, you may be charged around US$10 to place the freeze. It’s important to contact all three credit reporting agencies.

If your information was included in this breach, and you decide against a credit freeze, you may wish to place a fraud alert on your files instead. A fraud alert warns creditors that you may be a victim of identity theft and that they should take additional steps to verify that anyone seeking credit in your name is really you.

In the US an initial fraud alert lasts 90 days, which won't be very helpful in this case as criminals can and most likely will be (mis)using permanent credentials like social security numbers for years to come. To file an extended fraud alert that lasts for seven years, you must have a police report that describes identity theft-related fraud that has already been perpetrated against you.

For Australians, information on credit freezing can be found at The Office of the Australian Information Commissioner (OAIC) and in Privacy Fact Sheet 37

3. File your taxes promptly

While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.

4. Improve your login security

With all the information that is now available to thieves, they may try to couple it with attacks on other online accounts and services. If you’re an IT pro, you know that employees often share passwords, so now's a good time to implement two-factor authentication and data encryption if you haven't already.

5. Beware of scams

Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams. Some people may, ironically, be more apt to fall for social engineering tactics and phishing schemes that prey on this fear.

Never click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.

And, be sure you’ve implemented a reliable antivirus product that includes anti-phishing.

What can Businesses do?

There are plenty of things businesses can do to protect themselves and their clients data. in fact, The Australian Privacy Act (1988) regulates how businesses and their employees handle private data. This means SMEs should have suitable policies for safe handling of data In place, and software to enforce that.

Examples of this are ESET's Deslock, which provides simple and powerful data encryption, and SafetIca Data Loss Prevention, which monitors and prevents unauthorized copying and removal of important data and files.

When it comes to managing security vulnerabilities on endpoints, businesses should respond and patch any security exploits as soon as possible. Flexera makes managing and executing patch management across multiple platforms, fast and easy.

In conclusion:

At the time of writing, Equifax is having a number of technical difficulties with existing contact methods, probably as a result of unusually high traffic volumes. We advise that you do what you can to protect yourself using the points outlined above while waiting for traffic to slow down.