Update: Equifax’s website (we link it in the article below) to check if your data were compromised in the breach was, at least for a while, returning positive results even for fake names and numbers. The tool was complete bullshit, in other words—much like the company’s security and ethics in general—probably slapped together in a hurry to make it look like Equifax was actually doing something useful. It appears now that some steps may have been taken toward turning it into a non-bullshit tool (I just tried some fake names and didn’t get a positive result), but who even knows at this point?—Chris Livingston
Original story: As you might have already read, the private data of 143 million Americans was compromised in a data breach that occurred at Equifax, one of three major credit reporting agencies in the United States. The breach took place from mid-May through July, with Equifax discovering the unauthorized access on July 29. Now, more than a month later, it is letting everyone know.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Smith is right in that this is “clearly a disappointing event,” but that is not the only emotion floating around at the moment. Anger and frustration are two more that are held by many, especially as there seem to be more questions than answers.
Let’s start with the breach itself. Equifax maintains there is no evidence of unauthorized activity on its core consumer or commercial credit reporting databases. However, that is hardly comforting, considering that 143 million people are affected by this. Last year’s Yahoo breach was bigger, with up to 1 billion customer accounts being compromised, but the data revealed here is more serious. Much more.
Equifax says hackers primarily made off with names, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers. On top of all that, the breach exposed credit card numbers belonging to around 209,000 US consumers, and also dispute documents with personal identifying information for around 182,000 people.
While the US was hit the hardest, “limited personal information” belonging to UK and Canadian residents was also exposed, Equifax says. The company did not provide specifics.
How to check if you’re affected
In the aftermath of all this, Equifax has set up a special website related to the breach, along with an online tool to check if you have been affected. It asks for your last name and last six digits of your Social Security number, and there’s a reCAPTCHA box.
After doing so, here is what you don’t want to see, but very well might:
As a mea culpa gesture, Equifax is extending free credit monitoring provided by TrustID to customers affected by the breach. Before you enroll, be aware that there is a pretty big string attached. If you read the fine print, enrolling in TrustID (which Equifax owns, by the way) waives your right to participate in any class action lawsuit against Equifax. Any disputes must be settled through arbitration.
That sounds pretty outrageous given that Equifax dropped the ball in a big way. The good news is you might still be able to participate in a class action suit over the original hack, even if you sign up. Alex Southwell, a privacy lawyer at Gibson Dunn and a former federal prosecutor in New York, told CNN that the original rules still left room for people to sue Equifax over the data breach, even if they can’t sue over the credit monitoring.
Still, things are not entirely clear on that front. To make matters worse, even if you decide it is in your best interest to enroll, you will have to wait. Many users (and I’ve confirmed this myself) are being told to come back to the site at a specified later date. Furthermore, Equifax says the onus is on you to remember that date, because it will not be sending any reminders.
In my case (and many others), Equifax will not offer credit monitoring services until next week at the earliest. Boo, hiss!
The plot thickens
As if all this were not bad enough, Bloomberg reports that three Equifax senior executives sold shares worth nearly $1.8 million just days after the company discovered the security breach. That’s a bad image for Equifax, though the agency is claiming the trio had no knowledge of the breach when they sold their shares.
“I don’t know how the board will allow these executives to continue in their positions,” Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on matters including corporate compliance and enforcement challenges, told Bloomberg. “Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”
Even if true, Equifax’s claim that senior executives did not know the company had been breached days after it was discovered is troubling.
How does this affect me?
Obviously this does not have anything to do with gaming directly. However, given the number of people affected and the data that was compromised, we felt it was worth covering.
TechCrunch believes it’s a foregone conclusion that you’re going to be hacked as a result of this (assuming you’re affected). There are numerous ways this could happen, such as attempting to open a credit card in your name or even spoofing your SIM card.
“Once your personally identifiable information has been stolen, people can use that information to basically impersonate you. They can create fake loans and fake bank accounts. And the names will be posted on lists that become available to future hackers,” Fleming Shi, a senior vice president for Barracuda cybersecurity company, told The Washington Post.
One thing you can do is set up fraud alerts with all three credit monitor services. You can do that online at Equifax here, at Experian here, and at TransUnion here. After doing so, you will receive a notification whenever someone attempts to access your credit report. These fraud alerts are good for 90 days, after which you can renew.—Paul Lilly