IMPORTANT UPDATES: A massive cyber security incident at one of the largest credit reporting agencies in the United States, Equifax, exposed private information belonging to 143 million, that’s almost half of the U.S. population. If you’re not worried about the hack, you should be. Here’s what you need to know and how to take action.
The breach, which was discovered July 29, includes sensitive information such as social security numbers, birthdays, addresses and in some instances, driver’s license numbers. The agency said 209,000 credit card numbers were exposed in the breach, which includes customers in Canada and the United Kingdom.
Adding to the scandal, three of the company’s top executives sold Equifax shares just days after the breach was discovered. The breach was not publicly disclosed until Thursday, more than six weeks later.
John Gamble, chief financial officer; Jospeh Loughran, president of U.S. information security and Rodolfo Ploder, president of workforce solutions solutions sold shares days after the company was aware of the breach, according to SEC filings. Bloomberg, which first reported this, estimated the total value of shares sold to be $1.8 million.
The FBI is actively investigating the cyber incident and Equifax has been cooperating, law enforcement sources told NBC News. Equifax did not immediately respond to NBC News’ request for comment regarding the stock sales.
The irony: Equifax is the agency many people use to guard against identity theft and one that businesses turn to when verifying a person is who they say they are. Now, with the private information in the hands of cyber thieves, customers are being placed in a difficult position.
“Equifax is tasked with actually protecting this information in the form of identity theft protection and here we are with almost half of the country’s population being affected,” Robert Siciliano, CEO of IDTheftSecurity.com told NBC News.
Richard Smith, chairman and CEO of Equifax, apologized to “consumers and our business customers for the concern and frustration this causes.”
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Smith.
In a statement, Equifax said the cyber security breach was discovered on July 29. Since then, the company has been working with an independent security firm to understand what happened and how they can better protect themselves in the future.
Even if you don’t think you’re a customer of Equifax, there’s a strong possibility they still have your data. As a credit reporting agency, Equifax gets information from credit card companies, banks, lenders and retailers to help it determine a person’s credit score.
Want to see if you might be affected? Equifax will let you check your potential impact by typing in your last name and the last six digits of your Social Security number. All U.S. customers will also be given a date when they can sign up for TrustedID Premier, which includes identity theft insurance, credit reports and a service that crawls the internet and alerts you if your Social Security number is posted somewhere online.
Equifax has set up a dedicated website and phone number for concerned customers to call with questions. In addition, the company said it will mail notices to people who may have had their credit card numbers or personally identifying information exposed on dispute documents.
The bottom line here, Siciliano said, is to pay close attention to your credit card statements.With more than 200,000 credit card numbers exposed, he said extra vigilance is vital.
“The best thing a consumer can do in response is to engage in what’s called a credit freeze,” he said. “This essentially locks down your Social Security number on your credit report preventing criminals from opening new lines of credit under your name.”
We recommend calling the three major credit reporting agencies to ask for a freeze. Source
What is the impact to you?
The hackers made off with the most crucial tools that identity thieves need to impersonate you. The worst-case scenario is a very real threat to millions of Americans.
If the stolen information from Equifax gets into the wrong hands, experts say data thieves can open bank accounts, lines of credit, new credit cards and even drivers’ licenses in your name. They can saddle you with speeding tickets, steal your tax refund, swipe your Social Security check and prevent you from getting prescription drugs.
Recovering from identity theft could take months or even years. And no one is responsible for cleaning up your own mess but you.
Equifax estimates that the hack impacts 143 million Americans. The thieves stole names, Social Security numbers, birth dates, addresses and an yet-to-be-determined number of driver’s license numbers.
The hackers also made off with 209,000 credit card numbers and 182,000 documents containing personally identifying information.
The data stolen in the Equifax hack is extremely valuable to cyberthieves. All that information packaged together sells for upwards of $30 per identity on online black markets, according to Mark Nunnikhoven, head of cloud research for cybersecurity firm Trend Micro.
“That’s the foundational identification information for U.S. consumers,” said Nunnikhoven. “It’s enough to allow cyberthieves to take over you online.”
If a cybercriminal maxed out a credit card in your name, you’ll have a very difficult time passing a credit check. Good luck getting a new cell phone, a student loan, a car or a mortgage.
If a data thief took out a prescription using your identity, that goes on your medical record. That could seriously screw up your ability to get treatment at a hospital or from your pharmacy, particularly if the fraudster obtained medicine that counteracts with yours.
“This is a unique situation because of the quality of data that was stolen along with the scale of the breach.”
–Eva Velasquez, Identity Theft Resource Center
More sinister cybercriminals could use that data to pin crimes on you, according to Eva Velasquez, CEO of the Identity Theft Resource Center, a nonprofit that assists fraud victims.
If someone gets a driver’s license in your name and runs a red light or gets a speeding ticket, you’re on the hook. The criminal’s not going to pay it — and soon enough there could be a warrant out for your arrest.
“This is not hypothetical,” said Velasquez, who notes her organization annually helps thousands of victims of some truly complex identity fraud. In a few extreme cases, Velasquez’s organization dealt with fraud victims who discovered prisoners were serving sentences in their names.
Of the roughly 17 million reported cases of identity theft last year, about 4 percent was of the “criminal” variety (assigning speeding tickets, warrants and other violations to fraud victims). It’s a small, but not insignificant number. And that was before the massive Equifax hack.
“Data breaches involving Social Security numbers are not rare, but this is the largest ever recorded,” said Velasquez. “This is a unique situation because of the quality of data that was stolen along with the scale of the breach.”
This kind of identity fraud is serious. It can potentially ruin your finances, destroy your reputation or prevent you from getting necessary medication.
Recovering from identity theft isn’t easy. You’ll have to disprove to your bank, doctor or the government, everything that a criminal did in your name using the same documentation the cyberthief used. You’ll also have to prove that you weren’t at the place at the time when the fraud was committed.
“It becomes a game of ‘he said, she said,'” said Nunnikhoven. “The good news is you know all of your own history, and this breach is so well known and far reaching that if you are a victim, it should be easier than usual to fight.”
Action potential victims can take now
Experts say the single most effective action potential victims can take now is to freeze their credit. It can be a pain in the neck, because you’ll have to unfreeze it every time someone needs to run a credit check on you, but it should prevent most forms of identity theft spelled out in this report.
To Freeze Credit
Freezes can be done online at the websites of the three credit reporting agencies:
- Equifax: www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
- Experian: www.experian.com/freeze/center.html
- TransUnion: www.transunion.com/credit-freeze/place-credit-freeze
Each company will give you a code that you’ll need again in order to lift the freeze. When you plan to apply for a credit card, mortgage, or other loan you’ll need to go back to each site and lift the freeze.
The credit reporting agencies may charge a fee, usually under $10, depending on which state you live in.
Regular credit monitoring is also painful but important. And online resources, including the Identity Theft Resource Center, provide excellent tools to discover how to defend yourself against identity theft. The ITRC is funded by credit protection companies, such as Experian and LifeLock, but also by the U.S. Justice Department.
The truth may be on victims’ sides, but it can take a very long time and hard work for victims to clear their names.
“For most of respondents, their incidents are not yet cleared when we talk to them a year later,” said Velasquez.
The earlier the better
The earlier you get a jump on cleaning up the mess the better. But most people don’t find out about fraud until it becomes a roadblock for them, according to Velasquez. That means you could have to provide months or years of information to clear your name.
Equifax already waited six weeks to tell the world about the hack. That gave hackers a six-week jump on all of us, Nunnikhoven noted.