Equifax, one of the 3 largest US-based credit reporting agencies announced today that it was target of a data breach that exposed personal information of 143 million U.S. consumers. This personal information includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Additionally, credit card data of approximately 209,000 consumers has been exposed. Unlike with retailer breaches, victims do not have to have been direct customers of Equifax — anyone who has ever applied for a bank account, credit card or a loan potentially may have been affected.
What happened and when
According to Equifax, the breach occurred via a website vulnerability, but no detailed information is provided at this time. Equifax reports that they learned of the intrusion on July 29, 2017, and they believe the hackers had access to consumer data from mid-May of 2017 through July, or approximately a month and a half.
Consumers should rightfully be concerned that it took Equifax 40 days to report the breach. When paired with the duration of the breach, the criminals had almost 3 months to exploit consumer data without consumers being alerted to the potential risk. In contrast, EU’s General Data Protection Regulation (GDPR) going into effect in May 2018 requires organizations to report breaches within 72 hours.
Remediation
Consumers are advised to check their credit reports for suspicious activity either directly with Experian, TransUnion and Equifax, or through the free Annual Credit Report service.
To help consumers identify risk and monitor their information, Equifax is also offering a 1-year subscription to a credit monitoring service through its subsidiary TrustedID. To sign up, consumers must visit the incident website equifaxsecurity2017.com.
First, customers are asked to validate that their data has been exposed by entering the last name and last six digits of the SSN (ironically, both pieces of this data have been exposed). In our case we received the following confirmation:
Upon clicking Enroll, we received a notification that we will be eligible to enroll in 5 days, and will have to revisit this website at that time to continue.
Consumers have until November 21, 2017 to take advantage of this offer.
To enroll or not?
While some news outlets have reported that by signing up for TrustedID Premier consumers give up the rights to sue on their own behalf or join a class action suit, this appears to be inaccurate. Equifax’s incident website indicates that “The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.” Since the actual sign-up for the services will not take place until September 12, we’ve not seen the terms of use of these products for this incident, but will further validate this once they become available.
Regardless, consumers must decide for themselves whether they want to entrust their personal data all over again with another Equifax company. While we do not have a choice on giving Equifax permission to collect and store our data, we certainly have that choice with TrustedID. It would have been nice for Equifax to offer a 3rd-party service or an allowance for consumers to choose their own, rather than turning this incident into a marketing campaign for one of its subsidiaries.