By now you’ve heard the news of the other storm brewing: the Equifax breach (which occurred six weeks before it was officially revealed) that has left 143 million Americans at risk of identity theft, tax fraud, and other potential financial maliciousness.
That’s almost 44 percent of the American people whose data has its pants down right now – as well as a few unlucky Canadians and Brits. It’s being called the worst data breach in US history. And those numbers are still being counted.
The only reason half the country’s data hasn’t hop scotched onto a Bond villain’s offshore bank account is that the hackers sound like June and Ward Cleaver. “They” demanded 600 bitcoins (which is around $2.5 million) on an onion site – or what’s called a layered proxy network, commonly known as the dark web. It’s impossible to tell if these are the real hackers or not, and indeed, most believe they are not.
So what’s at risk? The things a company like Equifax typically have: drivers license numbers, social security numbers, credit card numbers, addresses, and birth dates. If you’re like most people, you might be wondering how this happened. Let’s break it down by looking it a brief history of Equifax (which doesn’t look good), how the breach happened (which looks even worse), and what you can do to protect yourself (also not good, but not all bad either).
This is not the first time (a brief Equifax History)
We’ve written about credit bureaus before. But to refresh – or inform – a few memories, it works like this. Credit bureaus like Equifax are data brokers.
Their history isn’t exactly spotless. In fact, they’ve been sued for all of the following: delaying phone calls from consumers, refusing to delete dozens of false collections items, and in the bizarre case of Kimberly Haman in 2014 – falsely believing a customer was dead.
The other big issue Equifax has historically dealt with is the very thing they were busted for this past weekend. Equifax uses a software package called Apache Struts. As far back as 2008, it was reported that the software package was vulnerable – easily “hacked with nothing but a browser, an internet connection, and some information about how the bug works,” Quartz Media observed.
Sure enough, the bug that led to the Equifax breach occurred because they didn’t patch (in computerese, a patch refers to software that updates a program’s data to maintain the program’s lifecycle) a two month old software bug.
This isn’t even counting the recent report revealing that Equifax owned a web portal with a username and password combo of “admin/admin”.
So what does that mean for you?
What you might have lost in the breach (and what you don’t know)
According to Equifax, over 200,000 credit card numbers were accessed. Fixing that is simple enough – just enroll in a credit monitoring service, and watch your bank account closely. Equifax has even been nice enough to offer free credit monitoring for a year. You feel better already, huh?
Well, don’t. First off, be careful that you aren’t stuck in a yearly loop. Their service is free for now, but credit monitoring normally costs $16.95 a month. Which is fine, but earlier this year they were found guilty of not “properly disclosing that after a trial of seven to 30 days, individuals would be enrolled in a full-price subscription,”according to a report by the Consumer Financial Protection Bureau.
Equifax was not responsible for the hack – though selling stock before revealing the breach isn’t exactly confidence inspiring. However, given the vulnerability of their system, why suddenly trust them to have a solution?
Equifax is currently providing a website to can find out whether you were impacted by the breach. Doing so requires your last name, and last six digits of your social. It turns out, any last name or six digits will do.
Me: "Smith" and "123456"
Equifax: You're in danger. Sign up for our premium service for a year and then we'll start charging you.
— Justin Soffer (@JustinSoffer) September 8, 2017
For all intents and purposes, the Equifax breach, their subsequent response, the fact that their customer service reps weren’t even notified, compromised websites, and problematic timeline for when they began hiring fraud specialists (spoiler: it wasn’t after the fact) has been nothing less than a dumpster fire. Con artists might even be pretending to be Equifax. And more Equifax site vulnerabilities seem to be popping up every day.
However, with more than just your bank account theoretically out there, there are other ways to protect yourself; filing your taxes early, freezing your credit, or filing for identity theft just to name a few. For important links on exactly where to go, skip to the last section.
Your legal options (such as they are)
I’m not a lawyer, but New York’s Attorney General is.
Users noticed some really funny sounding “legalese” on social media. In a nutshell, the terms of service have what’s called an “arbitration clause” which prevents you from taking legal action when you sign up for Equifax’s emergency monitoring service. In response, the attorney general made like Batman and demanded blood.
— Eric Schneiderman (@AGSchneiderman) September 8, 2017
Equifax actually responded, stating that such legal options were not void relating to the cybersecurity incident. However, as Stephen Carter at Bloomberg noted, the terms of service appear specific to the one year credit monitoring service they’re offering. The language of their terms of service is still weird and complicated even to a professor of contract law. Again, from Carter:
One could read the terms of service to say, in effect, “You don’t have to agree not to sue over our loss of your data in order to find out whether your data was lost. But if you sign up for the free services we’re offering, you give up your right to sue not only if we mess up in monitoring your credit but also over our original loss of your data.” That’s not the most natural reading of the language, but it’s plausible.
In other words, don’t jump for joy at the prospect of suing Equifax all by your lonesome. It may sound like a lot of fun, suing for hot coffee and all, but if your data is compromised, first thing’s first.
Besides, some states are already suing the company. Massachusetts was the first state to sue Equifax over the breach. They won’t be the last.
It’s also worth noting (and not just because this is a story you won’t believe at first) that this past July, a British entrepreneur named Joshua Browder invented a robot that offers free legal counsel. It was intended to take care of parking tickets, but now ‘RoboMatlock’ can actually help you sue Equifax for up to $25,000 without a lawyer. Yes, this is a real story.
This college student is helping people sue Equifax after their massive data breech pic.twitter.com/rovUJSKnT8
— NowThis (@nowthisnews) September 13, 2017
How to protect yourself with or without Equifax’s help
- If you absolutely need to use Equifax, and you like the sound of free credit monitoring for a year, it’s not the worst option in the world. Click here for more info.
- If you need to check your credit because you’re worried about the future, or suspect something is currently amiss, click here.
- You’ve never been BFF’s, but with social security numbers and drivers licenses around, the IRS is a good source for helping with tax-related identity theft. Click here for more info.
- Someone with your bank account, looking to go full Christmas mode on your finances still needs to pull credit. Though it can cost $15 and over, freezing your credit will help in these situations, preventing financial evil-doers from spending. Click here for a full breakdown on where to go, and what a credit freeze does.
- Speaking of freezing your credit, Equifax is actually offering a free credit freeze process for 30 days.
- Set up a fraud alert with one of the credit bureaus, and any new accounts will require identity verification for up to 90 days. Click here for the form, and frequently asked questions.
- The government has a report, recovery, and plan of action for those who have been actively hurt, or victimized by identity theft. Click here to fill out the government form.
Even though Equifax looks and smells like the boogeyman right now, it’s important to remember that cyber security is a global problem. As many in the tech industry have pointed out, the issue has nothing to do with any one company, but a way of life – the problem of centralized data. Too many companies rely on old school methods of security. These days you can watch a hacker do his/her job in real time, accessing your computer with nothing but a bluetooth.
And that’s not even counting how widespread the Equifax breach was beyond American borders.
Be mindful of the places you go, the things you download, the critical difference between credit and debit (buying with credit allows you to dispute fraudulent claims before paying them), and the passwords you use. There are a lot of things companies like Equifax can do, but didn’t. Just like there are a lot of things you can do for yourself, but might not be. Equifax wasn’t the first company to be hacked and they won’t be the last – especially with news that hackers have figured out how to weaponize AI. However, there’s a lot you can do to minimize the chance of becoming a victim of cybercrime.
For our part, The Credit Repairmen offers an identity theft recovery program that is good for 3-5 years. If you are interested in general credit repair, or want to know more about our program call 210-520-0796 or text us at 210-802-7199.