Update on the Equifax Hack

Last week we discussed the theft of credit report data and other information affecting at least 143 million Americans from Equifax, one of the nation’s three main credit bureaus. Since last week some important new revelations have come to light and we wanted to share those with you to be sure you are aware of them.

Revelation #1
The cyber attackers that hacked Equifax’s systems utilized a vulnerability a widely used web-application software platform called Apache Struts. The Apache Software Foundation discovered the vulnerability in early March and issued a patch for it, but Equifax neglected to apply the patch until almost two months later. Security experts say that if the patch had been applied promptly, the breach would not have occurred. (Incidentally, this is a perfect example of why you should always keep software on your own computer up to date.) Also, the company took six weeks to notify the public after finding out about the breach.

Revelation #2
The company’s chief security officer, Susan Mauldin, retired in the wake of this scandal. She holds a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. That’s right, music. Archival copies of her LinkedIn profile, which has now been set to private, show no education related to technology or security. There’s also no evidence that she took classes, attended seminars, obtained certifications, etc. related to technology or security during the time she occupied her position with Equifax.

Revelation #3
Equifax is offering free security freezes to consumers through November 21. Unfortunately, security problems exist here too! When a person applies for a security freeze, Equifax generates a PIN associated with that freeze. With the hackers already in possession of names, address, social security numbers, etc. this PIN is all that prevents the hackers from lifting the freeze. Instead of issuing a randomly-generated PIN for each freeze request, Equifax uses a timestamp of when you made the freeze: MMDDYYHHMM. For example, that means if a request was made right now the PIN generated would be 0919171702. That’s not exactly rocket science to crack! Equifax has responded to the concerns about its PIN generation and has issued a statement promising change, saying “We are engaged in a process that will provide consumers a randomly generated PIN.” Given the fact that it took the company two months to patch the security vulnerability that allowed this breach in the first place, and another six weeks to inform the public after it happened, we’re not holding our breath for randomly generated PINs anytime soon.

So, what should consumers do in light of this new information?

Don’t Panic
With everyone on high alert in the wake of the data breach, it would be foolish of the hackers to use the stolen information right away. It’s far more likely that they will wait months or even years to attempt identity theft. While still remaining vigilant, realize that you do have some time to act.

Watch Your Accounts
If you haven’t already, now is a great time to start keeping a close eye on your accounts. Check your bank, debit and credit card statements for suspicious activity at least once a month. If your credit cards offer you the ability to receive text message alerts any time a purchase is made using the card, sign up for them.

Request Fraud Alerts
Another thing you can do if you haven’t already is request fraud alerts from each of the three credit bureaus (Equifax, Experian and TransUnion). While a fraud alert is in effect, the credit bureau must contact you any time someone (whether it’s you or a scammer) attempts to open a new line of credit in your name. Remember that fraud alerts may not prevent the misuse of your existing accounts, so you should still monitor all your existing accounts for fraudulent transactions.

Freeze Your Reports
We suggest waiting to apply for a security freeze through Equifax until they implement truly random PINs, but you should not have reservations about requesting security freezes through the other two credit bureaus. You will have to pay a small fee ($10 per bureau if you live in Michigan; the fee varies for other states) but it is a one-time fee unless you need to lift the freeze temporarily. In our opinion, utilizing a security freeze is a more cost-effective option than paying a monthly fee for a credit monitoring service.

Contact Your Congresspeople
Senator Elizabeth Warren announced last week Friday that her office is introducing a bill that would give consumers the power to freeze their credit reports for free. “Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” said Warren in a prepared statement. The proposed legislation, which is being co-introduced by Senator Brian Schatz, would give consumers more control. Unfortunately, this legislation is expected to face stiff competition in the Republican-controlled House and Senate. If you agree with Senators Warren and Schatz that we as consumers should be able to do more to protect our credit information without having to pay, contact your Representatives and Senators and ask them to support this bill.

Comments are closed.