Credit report giant Equifax confirms a “cybersecurity incident” may have compromised the data of 143 million U.S. customers.
Criminals gained access to Social Security numbers, dates of birth, addresses, credit card numbers and more between mid-May and July of this year. It’s one of the biggest and most worrisome data breaches in history.
Here’s what to do if you’re one of the customers affected.
Equifax discovered that hackers gained access to certain files by exploiting an application vulnerability in its website. It stopped the intrusion upon discovering it July 29. However, plenty of data could have been stolen by then.
“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” the company said. “In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.”
Equifax also found evidence of unauthorized access to personal information for certain U.K. and Canadian customers. However, the company says there is no sign of criminal activity on its core consumer or commercial credit reporting databases.
Equifax has now enlisted the help of a “leading, independent cybersecurity firm” to conduct a forensic review. That should determine the severity of the intrusion, including the specific data the criminals accessed. The company also reported the hack to law enforcement agencies.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Equifax CEO Richard F. Smith. “I apologize to consumers and our business customers for the concern and frustration this causes.”
Why Equifax cyberattack is a really big deal
This isn’t the biggest cyberattack by any means. Those on Yahoo in 2013 and 2014 affected a significantly larger number of people. However, the sensitivity of the data involved makes it one of the most severe.
Equifax faces a ton of criticism for the way it handled the hack.
Not only did it take the company five weeks to disclose the problem, but Bloomberg discovered that three Equifax executives offloaded more than $1.8 million worth of stock in the days following the discovery of the breach.
Critics see Equifax’s steps to appease customers as an insult, too. The website it set up to notify people of the breach is “highly problematic for a variety of reasons,” according to a report from Ars Technica.
“It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number,” Ars reported.
What’s more, the website’s Transport Layer Security certificate doesn’t perform proper revocation checks, and the domain itself, www.equifaxsecurity2017.com, isn’t registered to Equifax. OpenDNS actually blocked access to the site, believing it to be a phishing threat.
What to do if Equifax hack affected you
So, what do you do if you’re worried you might be one of the millions affected by the Equifax hack?
For now, experts advise avoiding the website Equifax set up. Although the site is designed to determine if criminals might have compromised your data, you should skip it, at least until Equifax makes it more secure. Instead, it’s safer to assume you probably have been impacted if you’re an Equifax customer in the United States.
With that in mind, you should vigilantly review all account statements and credit reports to identify anything that looks suspicious. If you find anything out of the ordinary, report it immediately to the correct financial institution.
Equifax recommends that you monitor the Federal Trade Commission’s identity theft website, where you’ll find information on steps you can take to better protect yourself against identity theft. The site also provides information about fraud alerts.
Equifax offers free identity theft protection
Equifax is offering customers in the U.S. free identity theft protection and credit file monitoring for one year, even if they aren’t impacted by the incident, through a service called TrustedID Premier, which includes:
- Three-bureau credit monitoring of your Equifax, Experian and TransUnion credit reports
- Copies of your Equifax credit report
- The ability to lock and unlock your Equifax credit report
- Identity theft insurance
- Internet scanning for your Social Security number
We’ll update you on any developments as the full ramifications of the Equifax hack become known.