The Equifax Breach: What Happened, and What's Next?

What happened?

Last week, credit reporting agency Equifax announced what is certain to be one of the worst security breaches in the history of cyber-security. During the period between mid-May and the end of July, an unidentified intruder siphoned off the personal information of 143 million Americans, as well as a smattering of individuals from the U.K. and Canada. The attacker(s) exploited a vulnerability in the company's website to gain access to names, addresses, and social security numbers, as well as some customer credit card numbers.

You may or may not know much about who Equifax is, but if you've ever had a bank account, credit card, house or car loan, then they definitely know about you. Equifax is one the the three major credit reporting agencies (in addition to Experian, and TransUnion) that aggregate personal and financial information on virtually everyone, information they use to synthesize your all-important credit score. These agencies gather and store names, addresses, phone numbers, social security numbers, bank account information and loan payment histories. This makes them extensive repositories of some of our most sensitive private information, and by extension, some of the most tempting attack targets.

What happens now?

This breach was exceptional for both it's breadth, and its depth. While by raw numbers, it isn't the largest breach ever recorded, (that ignominious honor goes to Yahoo with a combined total of 1.5 billion compromised accounts between its two breaches) its 143 million count still puts it among the largest breaches ever discovered. And unlike past breaches like Yahoo, et al. the effects of this breach are likely to be long lived. Mitigating this compromise will not be as simple as issuing new credit card numbers, or resetting users passwords. Much of the stolen data is difficult or impossible to change, and sensitive enough that much of it is used to verify identity for other resets. With the stolen information, malicious actors could apply for loans, open new accounts or take over existing accounts, file fraudulent tax returns, and much more. 

What should I do?

• Find out if you're affected: If you don't know if you're included in the breach, Equifax setup a site at https://www.equifaxsecurity2017.com for you to check (Please note, there have been reports of both false positives and false negatives from the tool, but it's still the best tool available).
• Setup credit monitoring: Equifax is offering a year of credit monitoring to all affected customers. (it's been reported that the service being offered will automatically bill anyone who signs up at the end of the 1 year period, unless the customer deliberately cancels the service. Equifax released a statement clarifying that this is not the case, and users will not be billed automatically after the first year.)
• Verify your credit report: You can request you credit report once a year gratis from each of the three agencies. Look for any discrepancies; accounts you don't recognize, balances that don't look right. Report any discrepancies to the reporting agency.
• File your taxes early: Among the risks to affected customers, is the possibility of tax return fraud. There is ample information in the compromised data to fill out fraudulent tax returns for nearly half the U.S. population. Unfortunately, there's only so much that can be done to combat this fraud, as most common methods of identity verification depend on the compromised data. The best way to mitigate this risk is to get your return in first.
• Request a Security Freeze: Each of the reporting agencies allows you to request a "security freeze" for you report. This prevents anyone from requesting your credit report for establishing a new account. Depending on your locale, there may be a nominal fee (usually $5 to $10) to establish a security freeze. Once you've established a security freeze, you will have to proactively lift it prior to requesting any new accounts or lines of credit.
• Keep you eye on your credit: This breach is destined to have long lived effects, and it's impossible to know how and when this data may be used. Because of the durability of the compromised data, it could be months, years, or longer before it is exploited, and it could be just as detrimental.

What's next?

It's too soon to know what the long term fallout of this particular breach will be. But it does serve as a reminder that more and more of our most confidential information is moving online, and is being shared among companies and across industries. It means that even if we don't personally do business with a company, we may still be relying on them for the safety of our data without even knowing it.