Equifax is facing numerous investigations and hundreds of lawsuits over a massive data breach that compromised the personal information — names, addresses, birth dates and social security numbers — of approximately 145.5 million people.
For those affected by the breach, the path forward is still unclear. While the credit reporting agency announced the breach Sept. 7, the hack was actually discovered July 29, which means sensitive data from about half of the U.S. population had been available to hackers for weeks before consumers could take action to protect themselves. On Oct. 2, the company said that an additional 2.5 million people were affected by the hack.
On Feb. 9, the Wall Street Journal reported that — according to Equifax — the hackers accessed additional, previously undisclosed information, including tax identification numbers, email addresses and other driver’s license information such as dates and states where licenses were issued.
Here’s what you should know, and what actions you can take next.
Why did this happen?
Equifax originally told USA Today in September that the hack was the result of an “Apache Struts” vulnerability. Apache Struts is free, open-source software used to create Java web applications. The credit reporting company said it was unsure of which Apache Struts vulnerability caused the breach.
A week after the breach was announced, the Apache Struts Foundation said that “the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
How can I find out if I was affected?
This hack is being called the largest credit-card-data hack in American history, and even if you haven’t seen any foreign charges in your account, experts recommend you check your status on Equifax’s website: Equifaxsecurity2017.com. You’ll be prompted to enter your last name and the last six digits of your social security number.
I’ve heard that if I enter my information in Equifax’s website, I lose my right to sue them later. Is this true?
Initially, Equifax had language in their credit monitoring agreement that would waive customers’ right to sue at a later date. New York Attorney General Eric Schneiderman tweeted Tuesday that “after conversations with my office, Equifax has now made it explicitly clear” that “no one will waive their right to join a class action” lawsuit.
“Let me be clear: even if you use the free products by Equifax, you will retain your legal rights,” Schneiderman said in a subsequent tweet.
“They’ve made it very explicit at Equifax that you’re not waiving any legal right by signing up for this,” Nick Clements, co-founder of MagnifyMoney, a financial services organization, told the PBS NewsHour’s William Brangham during a livestream Wednesday.
One year of free bureau monitoring is “a nice way to get something in effect right away to give you some comfort on some of the risks,” Clements says.
What could happen to me if I’ve been hacked?
Clements said that a hack of this kind can lead to two types of fraud: account takeover and full identity takeover.
A case of full identity takeover would be when a criminal uses your social security number, birth date, address and name to open one or more new, false accounts in your name.
An account takeover, which can be just as damaging, is when a criminal assumes control of your existing accounts using some of this stolen information to pretend they are you, the account owner. In other cases, by using so-called “social engineering” (where a criminal masquerades as a representative of your bank or credit card company), criminals can persuade people to reveal pin codes or passwords for their accounts, which can then be used to steal your money.
What do I do?
You have a few options, but you must act now and you must follow up, says Clements. First, consider freezing your credit. Freezing your account will completely halt all access to your credit information, while allowing you to maintain your credit score, and will block hackers who may have stolen your information.
A less drastic response is to take Equifax’s offered one year of free credit monitoring to know if someone is using your information in fraudulent ways. But, Clements warns, the danger doesn’t disappear as soon as you activate credit monitoring or implement an account freeze.
“Social security numbers don’t expire,” he says of the ability of hackers to steal your identity today, tomorrow or 10 years from now. He urges anyone whose data was compromised to follow up year after year to make sure they’re still secure.
Did Equifax do enough to protect its customers?
“Ultimately every company is responsible for its own data security,” Clements says. But he also points out that the “convenience of the digital age” is having your information readily available online for the people you want — and don’t want — to easily access it.
“This is the new normal,” he says. “You have to assume that someone somewhere has stolen your info and is trying to use it against you. We have to become our own best advocates.”
Should my social security number remain my first way to authenticate myself?
One of the most critical pieces of data exposed in the hack is social security numbers. Combined with your name and date of birth, it’s a “perfect storm” for hackers, Clements says.
So what do we do? Clements says we need to find a better way to authenticate. He points to two-factor verification, where you must confirm your ID on two devices before logging in, as a step in the right direction.
What is Congress’ role in all of this?
Former Equifax CEO Richard Smith testified several times before congressional committees late last year. “Equifax was entrusted with Americans’ private data and we let them down,” he said in written testimony to a House energy and commerce subcommittee in October. “To each and every person affected by this breach, I am deeply sorry that this occurred.”
A report from the office of Sen. Elizabeth Warren (D-Mass.) released on Feb. 7 accuses Equifax of not letting consumers know that their passport numbers were also accessed by hackers. In a statement to the Wall Street Journal, an Equifax spokeswoman said an investigation into the hack “showed that passport numbers were not included in the information accessed by the hackers.”
In September, the Senate Finance Committee sent Equifax a long list of questions seeking answers about how the hack occurred.
“Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers,” the letter said. “If the names, Social Security numbers, birth dates, and other information of 143 million Americans are now in the hands of cybercriminals, this breach will cause irreparable harm to programs within this Committee’s jurisdiction by way of stolen identity refund fraud, healthcare fraud, and entitlement fraud.”
Clements suggests one way to prevent a hack like this from happening again is setting a minimum standard of security protocol, enforceable by the federal government. But it’s a “constant game of cat and mouse” to develop that kind of legislation, he said, because as lawmakers, the tech community and consumers get more savvy in preventing exposure, criminals get better at finding ways around our solutions.
Where else can I go for help?
Clements says that you can pay for resolution services, which means you provide a firm with power of attorney to handle the dispute and legal response in the case of a hack.
Another option is to use government resources like IdentityTheft.gov. Here, you’ll begin resolution services, going through the multi-step process to resolve financial damages stemming from a hack.