SAN FRANCISCO (WATE/AP) — Credit monitoring company Equifax has been hit by a high-tech heist that exposed the Social Security numbers and other sensitive information about 143 million Americans. Now the unwitting victims have to worry about the threat of having their identities stolen.
The Atlanta-based company, one of three major U.S. credit bureaus, said Thursday that “criminals” exploited a U.S. website application to access files between mid-May and July of this year.
The theft obtained consumers’ names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. The purloined data can be enough for crooks to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives. Equifax said its core credit-reporting databases don’t appear to have been breached.
“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.
Equifax discovered the hack July 29, but waited until Thursday to warn consumers. The Atlanta-based company declined to comment on that delay or anything else beyond its published statement. It’s not unusual for U.S. authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.
Signing up for Equifax’s help site could mean you’re waiving your right to a class-action lawsuit
Consumers attempting to find out if they are among the 143 million people whose personal information has been compromised in the Equifax hack must first sign away some of their legal rights.
Equifax established a website, https://www.equifaxsecurity2017.com/ , where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information. Experian is also offering free credit monitoring to all U.S. consumers for a year.
Equifax has come under fire for attempting to bind consumers to mandatory arbitration when signing up for the monitoring service — called TrustedID Premier — thereby forcing them to give up their right to join a class-action case. New York’s Attorney General tweeted that the language is unenforceable and has asked the company to remove it.
Equifax has since added a clause to its terms of service allowing people to opt out of being bound by the arbitration provision, although consumers must notify Equifax by mail within 30 days of enrolling in the monitoring service.
How to protect yourself
More than half of the adult population in the United States is impacted by the breach, but their are steps you can take.
Check your credit reports
More than 3 months has passed between the time the breach may have started and now. Consider looking through your credit reports for any suspicious activity. The US government guarantees everyone a free annual credit report from the three major bureaus — yes, including Experian. You can get those reports here.
Look for new accounts you didn’t open, late payments on debts you don’t recognize and any other activity that looks unfamiliar. If you find something.
You are not responsible for fraudulent purchase, but you have to report them in a timely manner. Visit identitytheft.gov to report identity theft.
Freeze your credit
When you freeze your credit, you will be required to un-freeze your account by providing a PIN you got when you froze your credit.
To freeze your credit, contact each of the credit bureaus using these phone numbers:
The process is usually automated and can be completed within a few minutes. Just be sure to write down your PINs in a secure place.
Set a fraud alert
Adrian Sanabria with Savage Security in Knoxville recommends signing up for fraud alerts. He says that forces credit bureaus to get permission before opening any new accounts.
“That makes it a little more difficult for somebody to commit fraud,” said Sanabria. “Then we can do a credit freeze where we lock it down entirely, either permanently or for seven years.”
However, Sanabria says that can be a hassle. You have to lift the credit freeze if you want to get a new line of credit.
“That’s the downside of a freeze,” said Sanabria. “You’re freezing it not just for the bad guys.”
To set a fraud alert, contact just one of the credit card bureaus and ask for an initial fraud alert. Once the alert is set, it will last 90 days. After that, you’ll have to renew it. Here are the appropriate phone numbers for the bureaus (remember, just call one):
Watch out during tax season
It’s still too early to know if the data will be misused, but one major concern is during tax season. Identity thieves may try to use stolen personal information to receive refunds.
Equifax apologizes for breach
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”
This isn’t the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users’ accounts throughout the world, but no Social Security numbers or drivers’ license information were disclosed in the Yahoo break-in.
Equifax’s security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person’s identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people .
Any data breach threatens to tarnish a company’s reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
“This really undermines their credibility,” Litan said. It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.
Equifax’s stock dropped 13 percent to $124.10 in extended trading after its announcement of the breach.
Three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered it had been hacked, according to documents filed with securities regulators.
The sales, executed on August 1 and August 2, were made by: John Gamble, Equifax’s chief financial officer; Rodolfo Ploder, Equifax’s president of workforce solutions; and Joseph Loughran, Equifax’s president of U.S. information solutions. Bloomberg News first reported the divestitures.
In a subsequent statement, Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
The potential aftershocks of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person’s identity, Nathaniel Gleicher, the former director of cybersecurity policy in the White House during the Obama administration, said in an email statement.
“This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like Social Security numbers as security factors,” wrote Gleicher, who now oversees cybersecurity strategy for computer security firm Illumio.
In addition to the personal information stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were “certain dispute documents” containing personal information for approximately 182,000 U.S. individuals.
Equifax warned that hackers also may have some “limited personal information” about British and Canadian residents. The company doesn’t believe that consumers from any other countries were affected.