Each day, the news regarding the Equifax breach, where upwards of 143 million account records were exposed through a flaw in a web service, keeps getting worse. On September 20th, we learned that the initial breach apparently occurred sometime prior to March 2017, when Equifax hired an outside security company to review their systems, but then nearly four months went by before Equifax cyber-security personnel discovered its extent. And then it was nearly two months later before the general public was told about it. It will likely be months or years until the full details and extent of the breach are fully understood.
There have been many other hacks and breaches over the past several years. Many, like the Yahoo email address breach, were much larger, exposing several times more user information. In the Yahoo hack, over a half billion email accounts and passwords were possibly exposed. So why is the Equifax breach far more serious? Because of the amount of personal data that’s stored by Equifax in one set of records. Nearly all important information about individuals, including social security numbers, dates of birth, employment information, banking, loans, mortgages, and credit card information, is right there. For the “bad guys”, it’s a treasure trove.
What exactly was exposed? From what we are learning, Equifax isn’t entirely sure. If a hack is done well, and it appears that this one was, it can be very difficult to tell exactly what was viewed or taken. Equifax has reported that they have identified about 200,000 accounts where credit card numbers were stolen.
Before we get into what an individual can do to better protect themselves, here’s what not to do or rely upon:
- All the state and federal governments “going after” Equifax. Most of that is political noise that will likely not result in much. The best that can be hoped for will be more individual control of our credit information (something that exists in Europe today) or possibly an insurance pool, funded by Equifax, for those who can prove damages due to the breach.
- For now (and this could change), we’re not recommending signing up for Equifax’s “free” credit monitoring. There’s an arbitration clause in there that could limit your rights later on. Additionally, their TrustedID Premier service is only being offered for a year. Consumers Union and others have demanded that the arbitration clauses be removed and credit monitoring be free for life. In addition, the process Equifax has set up for individuals to check whether their data has been exposed has its own set of problems, potentially exposing social security numbers yet again.
What should individuals do now?
- Sign up for independent credit reporting information. We use and like Credit Karma (https://www.creditkarma.com/). It works well, is independent of nearly everyone, and it’s free. There are also several others, including fee-based subscription programs like Lifelock. These companies and virtually all the others regularly get beaten up by reviewers. From reading these reviews, the most typical issues seem to be around customer service and people expecting services that are not offered. Before signing up, do your homework and adjust your expectations to meet the actual services being provided.
- Consider putting “Two Factor Authentication” on your bank and other accounts where it’s offered. Two factor authentication relies on something you have and something you know. For instance, our bank uses a system whereby for every transaction over a specified amount, as well as changes to passwords, authorized users, etc., we’re required to “authorize” the transaction by entering a random number that is texted to a specified cellphone. If the correct number is not re-entered online within 3 minutes the transaction is denied. We “know” the account password and we “have” the cellphone to enter the random number. It takes both to complete the transaction. Is it more work? Yes, but it keeps a lot of the “bad guys” at bay. We expect to see more use of these techniques to protect credit cards and other accounts.
- Freeze your credit. Unfortunately, this is a poor choice of words. Frozen credit means that you need to contact each of the three rating agencies with a PIN to add new credit (for example, to apply for a new mortgage or credit card) or to have others look at your credit report. Use of your existing credit is unaffected. The major advantage of this technique is that no one other than you can apply for credit or make changes to any of your accounts in your name. However, freezing your credit takes effort, doesn’t work very well for business people who work with their credit facilities extensively, and is currently not free. For individuals who don’t add or change their loans, credit cards, etc. very often, this is a very good solution.
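For readers who want to see what the bank's side of the texted-number check in the two-factor item above can look like, here is an added sketch (not from the original article or any bank's code). The threshold value, the attempt limit and all names are assumptions; only the 3-minute window comes from the text.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 180      # the 3-minute window described in the article
STEP_UP_THRESHOLD = 500.00  # assumed; the article only says "a specified amount"
MAX_ATTEMPTS = 3            # assumed guess limit, not from the article


class StepUpAuthorizer:
    """One pending code per transaction; only a hash of the code is kept."""

    def __init__(self):
        self._pending = {}  # txn_id -> [code_hash, expires_at, attempts_left]

    def needs_code(self, amount):
        return amount > STEP_UP_THRESHOLD

    def issue_code(self, txn_id, now):
        # secrets (a CSPRNG), not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(f"{txn_id}:{code}".encode()).digest()
        self._pending[txn_id] = [digest, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway, never back to the web session

    def verify(self, txn_id, submitted, now):
        entry = self._pending.get(txn_id)
        if entry is None:
            return "denied: no pending code"
        digest, expires_at, _ = entry
        if now > expires_at:
            del self._pending[txn_id]
            return "denied: code expired"
        candidate = hashlib.sha256(f"{txn_id}:{submitted}".encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            del self._pending[txn_id]  # single use: a replay finds nothing
            return "approved"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[txn_id]  # stop guessing against a 6-digit space
            return "denied: too many attempts"
        return "denied: wrong code"


if __name__ == "__main__":
    auth = StepUpAuthorizer()
    sms_code = auth.issue_code("txn-demo", now=0)       # constructed transaction id
    print(auth.verify("txn-demo", sms_code, now=200))   # after the window: denied
```

The password alone never reaches `approved`: the code is bound to one transaction, expires, and is discarded after use or after repeated wrong guesses.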
The Equifax hack is getting a lot of attention and, unlike other breaches, this one directly affects the pocketbooks and wallets of the majority of Americans. There will be plenty of news stories, both accurate and not, and various dire predictions by some, but in the end, I think some improvement will occur in our systems to better protect our credit information.