[This is still a fluid situation with multiple active investigations (including at least one criminal investigation) which will uncover more. This article is based on the reporting at the moment.]

A Quick Comment: This is one of those events that will be with us for a very long time and it will fundamentally change a process that was largely invisible and only required occasional attention into something we all need to keep under constant watch. The best analogy I can come up with is: we moved from a nice safe neighborhood where bad things rarely happened into a high-crime, unstable neighborhood where we always need to have our radar up.

I attempted to keep this as short as possible, but it’s a complicated issue. If you just want to know what to do, skip to the “What To Do” section. Additionally, this is written from an IT security perspective, not a legal or accounting perspective, so please pull in experts in those fields as needed.

Lessons: Here are the lessons re-learned (I say that because we know these lessons already, but Equifax chose to ignore them):

  1. Updates MUST be applied when they are released.
  2. Security MUST be multi-layered.
  3. Security MUST be taken seriously, and that includes having senior IT staff who are experts in the field.
  4. Simple and/or default passwords to access systems are a BAD idea.

What Happened:

  • Early March: A security issue was found in a key technology Equifax uses.
  • Equifax didn’t patch the issue.
  • July 29: Equifax discovers intruders have been in their systems for some time.
  • August 10: Equifax purchases an identity protection service called ID Watchdog.
  • September 7: Equifax releases information on the compromise to the public.
  • September 8: It’s reported that the Equifax site for checking whether you’re compromised is hopelessly broken.
  • September 12: An Argentinian system is added to the compromise list (it used username: admin, password: admin).
  • September 19: Equifax is found to have been accidentally sending consumers to a phishing site to sign up for protection services.

What To Do:

  • DON’T go to the Equifax site to check if you have been compromised (read on to find out why).
  • DON’T use Equifax’s offer for one free year of their credit monitoring service:
    1. The legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach.
    2. They have already totally and completely dropped the ball on your data; do you want to trust the same people to protect you moving forward?
    3. After year one, they will charge you for this service (and this is a long-term compromise).
  • Assume you ARE compromised.
  • DON’T get fatalistic – this is a problem which needs an active response to protect you, your family and your business.
  • SERIOUSLY consider that your kids were compromised too – “kids under the age of 18 are 51 times more likely to become victims of identity theft than their parents” (see Reference Info #1).
  • SERIOUSLY consider:
    1. Get your current credit report (you can get a FREE credit report from ALL 3 of the big credit bureaus once a year from https://www.annualcreditreport.com) and start getting them regularly – start a rotation and get one credit report from one bureau every 4 months.
    2. Get credit monitoring (my favorite monitoring service is LifeLock, and they have an add-on service for kids under 18), but know that the most you can hope for is that a credit monitoring service will alert you soon after an ID thief steals your identity. Credit monitoring services are principally useful in helping consumers recover from identity theft.
    3. Place a fraud alert, which notifies potential creditors that they should call you (at a number you specify) to confirm your identity BEFORE they open an account or grant credit.
      • This comes in two forms:
        • Fraud Alert – lasts for 90 days and you must renew it every 90 days.
        • Extended Fraud Alert – lasts for 7 years, but you need to have a police report to prove someone has already attempted to compromise your identity.
      • If you file with ONE credit bureau, they will automatically share that alert to the other credit bureaus. The BEST one to use is: https://fraud.transunion.com
    4. File a security freeze (also known as a credit freeze) with the four major credit bureaus (Experian, Equifax, TransUnion, and Innovis). Info on credit freezes:
      • See Reference Info #2 for info for each credit bureau.
      • “Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.” [From KrebsOnSecurity.com]
      • “…consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers.” [From KrebsOnSecurity.com]
  • Avoid TransUnion’s “TrueIdentity”, whose terms include a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.
  • Credit freezes require extra steps on your part every time you apply for credit. This can be more trouble for younger adults (new cars, houses, credit cards, etc.), and it can come up with new jobs and cell phones.
  • Credit freezes/unfreezes can cost money – see Reference Info #3.
  • There have been reports of problems with the unfreeze PINs; while these are important and need to be monitored, this tool is too valuable to discount because of them, and I fully expect the credit bureaus to address these problems in short order.

What I’m Doing:

  1. I already have LifeLock; my kids are over 18, so I’m offering them their own LifeLock accounts.
  2. I’m getting a current copy of my credit report (for reference).
  3. I’m setting Fraud Alerts at all the credit bureaus via TransUnion (and setting a 90-day reminder for renewal – which is annoying).
  4. I’m putting in a Credit Freeze at each credit bureau.

Reference Info:

  1. http://jjie.org/2011/11/07/children-at-higher-risk-for-identity-theft-than-adults-study-says/
  2. http://bit.ly/freezecredit
  3. https://www.valuepenguin.com/states-where-freezing-your-credit-will-cost-you-most

The Timeline (from Equifax, Fox Business, Bloomberg, Fortune and KrebsOnSecurity.com):

  • Early March – The United States Computer Emergency Readiness Team detects and discloses a vulnerability in Apache Struts, a widely used web-application software product.
  • Early March – Equifax learns about a major breach of its computer systems (reported to be the same intruders as in the second hack).
  • March 8 – Patch released for the flaw in the Apache Struts framework.
  • Mid-May through July 2017 – This is the time frame in which Equifax says hackers gained unauthorized access to its data.
  • Thursday, July 29 – Equifax discovers the hack and immediately stops the intrusion.
  • Friday, July 30 – Equifax discovers additional suspicious activity.
  • Tuesday, August 1 & Wednesday, August 2 – Three top executives from Equifax sell nearly $2 million worth of company stock.
  • Wednesday, August 2 - Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
  • Thursday, August 10 – Equifax purchased an identification protection service called ID Watchdog, two weeks after they discovered the data breach but a month before disclosing it publicly.
  • Thursday, September 7 – Equifax officially alerts the public about the cybersecurity incident and provides a dedicated website for consumers to check if they were affected. Later on that night, the company also issues a statement saying the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
    • Data for 143 million Americans: Social Security numbers, birth dates, addresses and some driver’s license numbers.
    • Credit card numbers for roughly 209,000 U.S. consumers.
    • “Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
  • Thursday, September 7 – Security researcher Kenneth White discovered a link in the source code on the Equifax consumer sign-in page that pointed to Netscape, a web browser that was discontinued in 2008.
  • Friday, September 8 – Shares of Equifax shed more than 13% of their value in trading. Sen. Elizabeth Warren (D-Mass.) tears into the company on social media for trying to push customers to give up their right to sue.
  • Friday, September 8 – The website Equifax set up for consumers to check if they are compromised is reported as “completely broken at best, and little more than a stalling tactic or sham at worst”. The known problems:
    • If you put in your info from a desktop and from a mobile device, you get different answers.
    • If you try checking several days in a row, you get some ‘yes’ and some ‘no’ responses about your data being compromised.
    • Putting in gibberish names and numbers also produces random ‘yes’ and ‘no’ responses about the data being compromised.
    • Security experts identify multiple serious security issues with the site.
  • Friday, September 8 – Equifax releases a statement saying that its controversial arbitration language that appears on its emergency website “will not apply to this cybersecurity incident.”
  • Monday, September 11 - Two key US senators ask Equifax Inc. to answer detailed questions about a breach of information affecting up to 143 million Americans, including whether U.S. government agency records were compromised in the hack.
  • Tuesday, September 12 – Argentina is added to the compromised list as a security firm finds Equifax used the word ‘admin’ for both the login and the password of a key database.
  • Thursday, September 14 – Report that Visa and MasterCard send out notices saying the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017.
  • Friday, September 15 – Equifax announced the retirement of two of its top security executives (CIO & CSO).
  • Friday, September 15 - Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.
  • Tuesday, September 19 – Equifax has been giving out (via Twitter) the wrong website to check if your data was hacked and to get the free year of credit reporting. They are sending people to a phishing site.

Sources Used For This Article:

  • Equifax
  • Fox Business
  • Bloomberg
  • Fortune
  • KrebsOnSecurity.com
  • Security Now – Podcast #628
  • Know How Podcast - #344 – “EQUIFIX-IT!”