Everything You Need to Know About the Equifax Data Breach

I run a cybersecurity operation for a multi-billion-dollar financial institution. So, as you can guess, I spent a good portion of the last 24 hours researching and understanding the impact this breach had on our customers. I want to share (what I can) the results of that research with you. Most of what was confidential, and not pertinent to you, has been removed.

With that, please take a look and make sure to follow the instructions to check if you are impacted and to sign up for identity theft protection.

As a side note, if you are looking to protect yourself from a popular form of cyber-attack, please check out my other article on ransomware:

Update on Equifax Legal Rumors

Equifax has updated its Terms of Use and assured consumers that those who use these services will still be able to take legal action:

To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.

Highlights of Equifax Breach

Highlights from the statement by Rick Smith, Chairman and CEO of Equifax:

  • Discovered unauthorized access to “certain Equifax data files” on July 29th 
  • Equifax acted immediately to stop the intrusion
  • Equifax engaged a leading cybersecurity firm to investigate and determine scope of intrusion

Conclusions from the Investigation

  • Unauthorized access occurred during mid-May and July
  • No evidence of unauthorized activity on Equifax’s core credit reporting databases
  • For approx. 143,000,000 U.S. consumers: Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers
  • For approx. 209,000 U.S. consumers: Credit card numbers
  • For approx. 182,000 U.S. consumers: Certain dispute documents with personal identifying information

Equifax Offering Protection

Equifax is offering every US consumer:

  • A comprehensive package of identity theft protection and credit file monitoring
  • Special call center (866-447-7559) and dedicated website (www.equifaxsecurity2017.com) to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection

TrustedID Premier

From the Equifax incident website (www.equifaxsecurity2017.com):

The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.

The website also provides additional information on steps consumers can take to protect their personal information.

Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers.

The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

How to Check for Impact and Enroll in Protection

Consumers should follow these instructions to check if they have been impacted by the breach as well as to enroll in one year of free identity theft protection and credit card monitoring services.

1. Go to www.equifaxsecurity2017.com and click Enroll

2. On the next page, click Begin Enrollment

3. Enter your last name and the last 6 digits of your Social Security Number, and click Continue

4. You will be presented with a message indicating whether or not you have been impacted by the breach

5. Click Enroll again

6. You will be given an enrollment date for TrustedID Premier. On your assigned date, come back to https://faq.trustedidpremier.com/ or https://www.equifaxsecurity2017.com/enroll/ and click Continue Enrollment to complete the enrollment process.

Other Intel – Spike in Online References to Equifax

  • There have been 17,688 references to Equifax Inc over the past 60 days
  • 17,617 of those references occurred in the last 7 days
  • 16,818 of those references occurred in the last 2 days

This information consists mostly of news sources and social media mentions about the breach itself.

Sources: https://www.equifaxsecurity2017.com, https://www.recordedfuture.com/

My Thoughts

First off, please make sure you follow the instructions listed above (and below) to protect yourself.

Second, it’s not uncommon nowadays for most of our information to be well-circulated on the dark web due to various breaches of major organizations.

I think it’s safe to always assume that your information is compromised and to take other precautions; we call them “mitigating controls” in the cybersecurity field.


Freeze Your Credit

Remember that hackers also know about this “free one year of credit monitoring”. They can read the news. They can also wait for two or three years before using your data. Happens all the time.

That’s why placing a freeze on your credit is so important (see below for details).

  • Contact each of the credit reporting companies (use the web link or phone number) to place a freeze on your credit. This will prevent new lines of credit from being established in your name:

Equifax – 1-800-349-9960

Experian – 1‑888‑397‑3742

TransUnion – 1-888-909-8872

Change and Protect Your Passwords

  • Change passwords for online financial accounts
  • Use unique user/password combos for your accounts (if one is compromised, an attacker will try other sites to see if those same credentials work)

Yes, this is a difficult feat to accomplish. Welcome to 2017, where password managers have come a long way. I use Dashlane to manage over 200 complex and unique passwords, and love it.

General Security Recommendations

  • Use up-to-date anti-virus software on your computer
  • Never use someone else’s computer to log into a sensitive site
  • Never connect someone else’s USB drive to your computer (or CD/DVD if you can avoid it) – malware can deploy itself from these media
  • Never open attachments or click on links from unknown or unexpected email senders

Anything to add? Questions?

Please let me know in the comments. If you found this helpful, definitely share it using those nifty share buttons. Subscribe for more helpful articles like this.

8 Replies to “Everything You Need to Know About the Equifax Data Breach”

  1. I think we are living in an age in which this will be more and more common. Almost every other month we hear about the next leak. Understanding what to do when it does happen is key. Thanks for info.

    1. Absolutely. In the Cyber field, we talk about what to do when (not if) we are compromised, and we try to assume that a single control (or too few controls) is not enough. A layered defense plan is best.

  2. I set up a security freeze at all three credit bureaus. However, I’m kind of hesitant to sign up for monitoring through the same company that let this breach happen. I’m particularly worried that next year will roll around and they’ll auto-enroll me for another round – but then charge a fee. Thoughts on this?

    1. I’m sure it’s a lot like most free trials, as you’re saying. I’ll check it out and report back. Honestly, their security is likely to get a lot better. Typically, a company becomes much more secure after a breach. Cybersecurity adoption and budgets magically increase.

      Here’s my main thought on credit monitoring: hackers know about the free year of monitoring, and they’ll wait a year or longer before acting, so as to be avoided. That’s why I believe credit freezes on all three reporting companies are a MUST.
