Equifax has announced that it has been hacked, and approximately 143 million US consumers may have had their names, social security numbers, dates of birth, addresses accessed by criminals. In some instances, driver license numbers have also been accessed.
143 million? That’s just under half the population of the United States.
Approximately 209,000 US consumers have also had their credit card numbers exposed, and about 182,000 other US consumers have had other personal identifying information accessed.
An unstated number of UK and Canadian residents have also been put at risk.
Sounds disastrous. What does this Equifax company do?
They’re a giant consumer credit reporting giant. The kind of company that can stop you from getting a loan, or accepted for a mortgage, if you have been careless or unlucky with your finances.
They also offer identity theft protection for a business’s customers and employees after it has suffered a data breach.
Oh, so you’d expect them to know a thing or two about the importance of protecting personal information?
Right. In fact, they’re offering a whitepaper right now where they underline that most consumers want to be notified of a breach promptly:
Almost three quarters (73%) of GB adults online think that companies should tell them that they have experienced a data breach and 63% would expect to be notified of a breach within hours.
Notified within hours? How long did Equifax take to tell their affected customers?
Equifax found out about the breach on July 29th, and told the world on September 7th.
How many hours is that?
By my calculation it’s been 960 hours (40 days) between Equifax finding out about the breach and warning the public.
What is Equifax doing about it?
Well, the CEO has made a video expressing his regret and apologising:
Equifax is offering free credit file monitoring and identity theft protection. Be aware, however, that TechCrunch is reporting that if you sign up for the protection service you may be waiving your rights to sue Equifax.
Hang on. So the company which lost millions and millions of people’s identities is asking me to hand over my information so they can tell me if my details are at risk? Isn’t that, umm, a little screwed-up?
Yeah, and you thought 2016 was a really bad year.
There are numerous reports that a page setup by Equifax to tell users if they might be affected (after entering their surname and last six digits of their social security number) fails to live up to its promise.
EQUIFAX: we may have leaked your SSN
ALSO EQUIFAX: give us your SSN to see if we leaked it
— bletchley punk is a fullmetal engineer (@alicegoldfuss) September 7, 2017
Quite what UK consumers are supposed to do – we don’t have social security numbers over here – is unclear. I guess the fact we don’t have social security numbers is good news in so much as we can’t ever lose them.
Who’s to blame for this?
We don’t know who the hackers are, and obviously they – ultimately – are the ones who committed a crime and are responsible for the breach.
However, many will be watching with interest to see what details Equifax will share about the details of the breach and why it took them so long to warn consumers. There will also, no doubt, be many interested to observe what impact the breach has on Equifax’s brand and reputation.
Data breaches can hit hard at all types of organisation, and there’s no such thing as 100% security. However tempting it is to give Equifax a hard time, we have to remember that they are also victims of a crime.
But if a company that dedicates so much effort into promoting its identity theft monitoring services finds it has itself been hit by a colossal breach, there’s a clear message for all businesses that no-one can afford to be complacent.
It takes years to build your company’s reputation and earn your clients’ trust, but may only take minutes for it to mortally damaged.
Apparently, the punchline for every cybersecurity joke from now on is "Equifax".
At least Sony will be pleased.
— Graham Cluley (@gcluley) September 7, 2017
I think I’m affected. What should I do?
Well, you could try changing your name and date of birth and social security number. What’s that? Oh dear… not so easy is it? This is why it’s so serious when companies lose your personal identifiable information. A password you can change, your personal details are probably going to always be the same – whether you like it or not.
Where can I find out more?
Equifax’s dedicated website to deal with the aftermath of the breach: www.equifaxsecurity2017.com
For more discussion on this topic, be sure to listen to this episode of the “Smashing Security” podcast: