On September 7, Equifax, one of the three major national credit reporting agencies, announced that a huge security breach had exposed to hackers the sensitive information of as many as 143 million people in the United States, including Social Security numbers, birth dates, addresses, and other personal identifying information (and, in 209,000 cases, credit card numbers). We can all agree that this is a big number – almost half of the total United States population! Was it the biggest hack ever? No; Yahoo recently reported two separate hacks of 1 billion and 500 million accounts that took place in 2013 and 2014, MySpace reported 360 million accounts hacked in 2013, and LinkedIn 165 million accounts in 2012. But the Equifax hack is among the worst because of the sensitive information that was exposed.
Unless you regularly review your credit reports at Equifax, you may not even have thought of yourself as a customer of Equifax. In fact, the three major credit reporting agencies – Experian and TransUnion as well as Equifax – get data on a huge number of consumers from a wide range of credit card companies, banks, retailers, and lenders so that they can track and rate their financial histories. Equifax in particular, the oldest of the three agencies (founded in 1899), collects data on more than 800 million consumers and approximately 90 million businesses.
According to Equifax, the data breach happened between May and July, and it discovered the hack on July 29, although it did not inform the public until September 7. There are now ongoing investigations into the hack not only by Equifax itself but also, among others, the New York State Attorney General, the House of Representatives Financial Services Committee, the Consumer Financial Protection Bureau, and the Federal Trade Commission.
How did the hack happen? According to the technology publication “Wired,” the hackers exploited a vulnerability in the Apache enterprise platform software used by Equifax. Apache disclosed the vulnerability in March and, at the same time, provided instructions on how to remedy the problem. Unfortunately, Equifax may have delayed taking the necessary measures, leaving itself and at least 143 million consumers vulnerable.
What can be done? Equifax has set up a website – www.equifaxsecurity2017.com – for consumers to address the hack. The agency suggests clicking on the “Potential Impact” tab to be advised whether you may have been affected. Whether or not you “may” have been (in Equifax’s determination), a link enables you to sign up for a year of free credit monitoring and other services. The site gives you a date when you can enroll. You have until November 21, 2017, to do so.
You should make it a regular practice to obtain free copies of your credit reports from each of the credit reporting agencies through www.annualcreditreport.com, a special website set up by the three agencies. (You can also call 877-322-8228.) The website was created by the agencies in order to comply with their obligations under the Fair and Accurate Credit Transactions Act of 2003 to provide a mechanism for American consumers to receive up to three free credit reports per year. Under the law, you are entitled to one free report each year from each agency. A good strategy is to order one from each of the agencies every four months on a rotating basis. Look for activities you don’t recognize that could indicate identity theft. Visit the Federal Trade Commission’s website, www.identitytheft.gov, for advice on what to do in the event of identity theft.
It’s also good to monitor your credit score. Checking it is much quicker than pulling your credit report, can be done regularly, and can be like a canary in a coal mine, letting you know quickly when there is a credit problem. Many major credit card companies have begun to provide credit scores for all their customers on a monthly basis. The score is usually listed on your monthly statement, or can be found by logging in to your account online. There are a few commercial websites that will provide your credit score for free, but be careful that you are not signing up with one that is just offering a free trial period and will begin charging a monthly fee. Otherwise, you can purchase your score from one of the credit monitoring agencies.
You should monitor your existing credit card and bank accounts regularly for any charges or transactions you don’t recognize, and immediately report those you don’t.
Consider placing a credit freeze on your files. A credit freeze restricts access to your credit report, making it harder for someone to open a new account in your name, though it won’t prevent making charges to existing accounts. If you decide to place a freeze, you should request one from each of the credit reporting agencies:
Equifax: 1-800-349-9960 or www.equifax.com
Experian: 1-888-397-3742 or www.experian.com
TransUnion: 1-888-909-8872 or www.transunion.com
If you wish to open a new account, apply for a job, rent an apartment, or buy insurance, you will need to lift the freeze so that your credit report can be obtained. You can lift it fully or have it lifted for a specific time period or for a specific party.
You can also place a fraud alert, which requires an entity to verify the identity of someone opening a new credit account in order to obtain a copy of their credit report. Fraud alerts can prevent someone from opening a new account in your name, but not from making charges to existing accounts, so again it is important to monitor all existing accounts.
As previously noted, the Federal Trade Commission maintains an identity theft website. Its section at www.identitytheft.gov/databreach has useful information on what to do if your personal information was exposed in a data breach, you lost your wallet, or you learn that an online account was hacked.
Bottom line: we live in an era where data breaches/hacks are no longer uncommon. Criminals can and do have computer skills. It’s unfortunate that in the case of Equifax their tech staff did not follow up as they should have on a timely basis to correct a problem in the basic software they use, but not altogether surprising, even though data is their primary business. Website security programming is a complex and constantly evolving field. For every measure taken to prevent hacks there are clever people inventing ways of evading those measures so that they can access website data for nefarious purposes. The IRS has been hacked, the Pentagon has been hacked, as have banks, media companies, insurance providers, political organizations, and many other types of entities. Hacks will continue to happen.
The most important protective strategy is to continuously monitor for any fraudulent activities on your accounts, and immediately follow up to notify the account holder. Keep abreast of your credit reports with all three credit monitoring agencies, and if necessary also institute credit freezes and fraud alerts. It’s a shame we have to do this, but it is, unfortunately, necessary.
This article is not intended as individualized legal or investment advice. Past returns do not guarantee future returns.