How Equifax Can Get Hacked Multiple Times, Lose Over 143 Million Records and Still Make a Profit
September 25, 2017
Equifax has had a busy year. In the span of a few months, they have had three separate data breaches, waited until executives dumped millions in stock before informing the public, and are lobbying to water down the Fair Credit Reporting Act. While millions are at risk of identity theft, Equifax might be the one winner.
Freeze your credit
Before you continue reading about how great things will turn out for Equifax and how bad things might turn out for you, freeze your credit if you have not done so.
Below are links to websites where you can find out about how to freeze your credit for the three largest credit bureaus:
“There is no reason why credit should not be currently frozen across-the-board” says identity theft expert Robert Siciliano. “But we don't have that system in place. We are required to manually freeze our own credit. And there isn't a single consideration as to why someone should not freeze their credit.”
By putting a freeze on your credit, you add an effective stopgap that blocks most uses of your credit. If you, or someone else, tries to open a new line of credit while a freeze is in place, the request is denied unless the secret PIN issued to you when you set up the freeze is entered.
You will have to mail in your request to freeze and pay a fee for freezing your credit that varies by state. The fee, which can go up to $30, is insignificant compared to the cost and time of restoring your name after identity theft. Should you need to access your credit, simply unfreeze it ahead of time.
Take measures to protect yourself
Now that 143 million records containing names, addresses and social security numbers have been leaked, it is only a matter of time until that information is sold, bought and then used. Justin Lavelle, Chief Communications Officer of BeenVerified, gives some tips on how to proactively defend yourself:
- Set up a credit freeze
This stops accounts and loans from being opened in your name unless you lift the freeze. Do this as soon as possible.
- Check your credit on a regular basis
Look for credit card activity on all credit cards, banking, IRA and other financial accounts tied to your social security number. This is as important to do months or a year from now as it is to do right now. Identity thieves often wait to use the information they have stolen until they think that it may no longer be on your radar.
You could use the one free credit report per year allowed under federal law at annualcreditreport.com, or a site like creditkarma.com, which gives you more frequent checks for free. Equifax is also offering a free year of its credit monitoring service to those affected.
- Run a background check on yourself
If your name is connected with unknown associates or a number of incorrect relatives, then that could be a sign of a larger problem. If you notice a high number of irregularities, then further research may be needed to ensure no other person is utilizing your details.
- Lock down your accounts
For every email, bank or broker account you have, lock it down. Set up safeguards such as two-factor authentication. This can help prevent someone who has your name, social security number, mother’s maiden name or other identifying details from withdrawing funds from bank and broker accounts.
- Do not use LifeLock
After the news about Equifax being the target of a massive data breach, LifeLock has resurfaced into relevance by touting how its services can protect you against situations like this.
LifeLock is probably best known for its CEO Todd Davis announcing his social security number to the world. Naturally, this resulted in his identity being stolen 13 times, and eventually his company was hit with a $12 million fine for deceptive practices (such as falsifying security alerts and not providing the protection it promised).
In 2015, Equifax and LifeLock entered into a partnership, effectively making Equifax the sole service provider behind LifeLock’s services. If you were concerned about the Equifax breach and decided to sign up for LifeLock services, which could range between $10 and $30 per month, you would be continuing to support the company which put your information at risk in the first place.
What we know about the hacks
Little is publicly known about the intrusion on Equifax or even who is responsible. However we do know about three major incidents.
April 2016 - TALX
An Equifax subsidiary, TALX, which provides payroll, HR and tax services, was taken over by hackers who guessed employees’ four-digit PINs and security questions.
This breach was not the first to hit the major credit reporting company, but it undermined the narrative that Equifax took cyber security seriously. Under the Fair Credit Reporting Act, consumer reporting agencies are expected to keep accurate and fair records, but there are no federal requirements to maintain specific security measures for customer data.
The W-2 information stolen by thieves is instant currency, as it needs no further development to extract value. With that document alone, they can file a fraudulent tax return on your behalf, bypassing any human interaction and receiving a check directly from the IRS.
May 2017 - 143 Million
The big hack, originally considered resolved, was revealed to be an independent intrusion that continued for months and was only recently disclosed to the public.
“Part of the problem is that regardless of how careful we may be as individuals in protecting our private personal information and keeping it secure, we are only as safe as places with the weakest security,” says lawyer Steven J.J. Weisman, Esq., who is also a Professor of White Collar Crime at Bentley University.
Weisman thinks this kind of hack could easily have been prevented.
“In this case Equifax was attacked through a vulnerability in a software program for which a patch had been issued months earlier to fix the vulnerability, but had not been installed in a timely fashion by Equifax,” adds Weisman.
After the initial September 7 announcement that a data breach had occurred, Equifax attributed the fault to CVE-2017-9805, a vulnerability in Apache Struts disclosed on September 4, just three days before. A later announcement on September 13 identified the cause of the breach as CVE-2017-5638, a vulnerability that was patched on March 7, the same day it was announced.
Indeed, the servers were left unpatched for several months, which gave intruders ample time to make their way in.
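The point a defender should take from the unpatched Struts servers is that the attack traffic for CVE-2017-5638 arrived in a field the server normally trusts, the Content-Type header of a multipart upload, so a compensating check while a patch is pending can be very narrow. The Python below is an added example and not Equifax's code or anything from the Apache Struts project. It runs over constructed request heads (sample traffic invented for this example; a harmless placeholder stands where real attack traffic carried an expression) and flags any Content-Type value that either contains expression syntax or does not parse as a plain media type. The hostname `portal.example`, the sample requests and the marker list are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed request heads for the example; none of this is real traffic.
# Requests 2 and 3 carry a harmless placeholder in the position where real
# attack traffic for the Struts multipart flaw carried an expression.
SAMPLE_REQUESTS: List[str] = [
    "POST /upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary42\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{#placeholder}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "content-type: ${#placeholder}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary\r\n\r\n",
]

# Denylist: expression syntax that has no business inside a media type.
EXPRESSION_MARKER = re.compile(r"[%$]\{|#_memberAccess", re.IGNORECASE)

# Allow-list: type/subtype followed by zero or more "; name=value" parameters.
VALID_MEDIA_TYPE = re.compile(
    r"^[\w.+-]+/[\w.+-]+\s*(?:;\s*[\w-]+=(?:\"[^\"]*\"|[^;\s]*)\s*)*$"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the request's headers as a dict with lower-cased names.

    The request line is skipped and parsing stops at the blank line that
    ends the head, so a body never contributes headers.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def content_type_verdict(raw: str) -> str:
    """Classify one request head as 'ok' or an alert string."""
    content_type = parse_headers(raw).get("content-type")
    if content_type is None:
        return "ok"
    if EXPRESSION_MARKER.search(content_type):
        return "alert: expression marker in Content-Type"
    if not VALID_MEDIA_TYPE.match(content_type):
        return "alert: malformed Content-Type"
    return "ok"


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch and pair each verdict with its index."""
    return [(i, content_type_verdict(r)) for i, r in enumerate(requests)]


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}")
```

The allow-list check is the one worth keeping: the marker denylist catches the known shape, but the media-type grammar also rejects anything else that does not look like a real Content-Type, which is what a reverse proxy or WAF rule in front of an unpatched application should do until the fix is deployed.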
September 2017 - Argentina
Following the massive breach of over 143 million records, Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC, started investigating other Equifax websites, particularly in South America.
Holden quickly discovered a rather serious security hole in the Argentinian employee portal intended to manage all credit complaints for the entire country: it was using the login “admin/admin”.
Once inside, records of every fax, phone call or email from everyone in the region who had contacted Equifax to dispute their credit report were visible. Over 700 pages spanning the last decade were available in plain text, including DNIs, the Argentine equivalent of the social security number.
The portal also exposed the names and emails of over 100 employees. Passwords for all employees were stored in plaintext (instead of hashed with a secure algorithm) and followed the “first initial, last name” pattern.
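The TALX incident (four-digit PINs guessed online) and the Argentine portal (an admin/admin login, plaintext storage, passwords derived from the employee's name) are the same class of failure seen from two sides: secrets that are easy to guess, and a system that neither rejects them at registration nor slows down whoever is guessing. The Python below is an added example, written for this article, and is not Equifax's code or any description of how its portals worked. It stores only salted PBKDF2 hashes, refuses default and name-derived passwords at registration, and locks an account after five failures so that a 10,000-value PIN space cannot be walked online. The names, usernames, denylist, thresholds and the test password are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000   # work factor for the stored hash
MAX_FAILURES = 5          # failed attempts before the account locks
LOCKOUT_SECONDS = 900     # how long a locked account stays locked

# Constructed denylist for the example; production systems use far larger lists.
DENYLIST = {"admin", "password", "123456", "equifax"}


class CredentialError(ValueError):
    """Raised when a password fails the registration policy."""


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_policy(username: str, first_name: str, last_name: str, password: str) -> None:
    """Reject the weak patterns the article describes before anything is stored."""
    low = password.lower()
    if low in DENYLIST or low == username.lower():
        raise CredentialError("password is a default value or equals the username")
    name_derived = {
        (first_name[:1] + last_name).lower(),   # the "first initial, last name" pattern
        (first_name + last_name).lower(),
        last_name.lower(),
    }
    if low in name_derived:
        raise CredentialError("password is derived from the user's name")
    if len(password) < 12:
        raise CredentialError("password is shorter than 12 characters")


class AccountStore:
    """In-memory account store: salted hashes only, plus per-account lockout."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock   # injectable so the lockout window can be tested
        self.accounts: Dict[str, dict] = {}

    def register(self, username: str, first_name: str, last_name: str, password: str) -> None:
        check_policy(username, first_name, last_name, password)
        salt, digest = hash_secret(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; unknown users look like wrong passwords."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_secret(password, b"\x00" * 16)   # same cost as a real check
            return "denied"
        now = self.clock()
        if now < acct["locked_until"]:
            return "locked"
        _, digest = hash_secret(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "denied"


def demo() -> Dict[str, object]:
    """Walk through both failure modes and the lockout; returns results for inspection."""
    now = [1_000_000.0]
    store = AccountStore(clock=lambda: now[0])
    results: Dict[str, object] = {}
    for key, args in (("default_rejected", ("admin", "Ada", "Lovelace", "admin")),
                      ("pattern_rejected", ("ada", "Ada", "Lovelace", "alovelace"))):
        try:
            store.register(*args)
        except CredentialError as err:
            results[key] = str(err)
    store.register("ada", "Ada", "Lovelace", "correct horse battery staple")
    # Five wrong four-digit guesses: each is denied and the fifth locks the account.
    results["guesses"] = [store.authenticate("ada", f"{i:04d}") for i in range(MAX_FAILURES)]
    results["correct_while_locked"] = store.authenticate("ada", "correct horse battery staple")
    now[0] += LOCKOUT_SECONDS
    results["correct_after_lockout"] = store.authenticate("ada", "correct horse battery staple")
    # Nothing in the stored record contains the password itself.
    results["plaintext_on_disk"] = any(
        "correct horse" in str(v) for v in store.accounts["ada"].values())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the weight here. `hmac.compare_digest` keeps the comparison constant-time, and the unknown-user branch still pays for one hash so response time does not reveal which usernames exist. The lockout is per account; a real deployment would add a per-source limit as well, since a guesser spreading attempts across many accounts never trips this counter.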
How Equifax will survive this
Max Kennerly, Esq. is a plaintiff-side attorney who has written an incredibly in-depth, and lengthy, recap of the Equifax data breach so far.
“The Equifax situation obviously isn't the first time a major company has lost sensitive personal information through hacking,” Kennerly says. “About 70 cases like this are filed in federal courts every year, but it does appear to be the largest data breach of personally identifying information.”
Yet, based on projections from a similar case against Anthem, Inc., which is not quite settled yet, it is likely Equifax will receive a hard slap on the wrist and pay around $1 per person in fines.
Kennerly reviewed similar major cases, and the courts appear to have reached different conclusions about whether a consumer can bring a lawsuit based on the threat of future identity theft. It is hard to connect a stolen identity to a specific leak without concrete evidence.
Considering it was lax security practices that got Equifax in this situation, you can expect they have no intention of correcting that behavior. Senator Elizabeth Warren (D-MA) quickly rolled out the Freedom from Equifax Exploitation Act, which aims to give Americans the ability to freeze and unfreeze their credit for free.
Republican lawmakers unabashedly introduced the FCRA Liability Harmonization Act (the same day Equifax announced it had been hacked), which would cap “actual and statutory damages for class actions involving credit agencies at $500,000, and completely eliminate punitive damages.”
With the current political landscape leaning towards deregulation and more consolidation, it is not hard to imagine Equifax coming out victorious, possibly with a merger in its future.
However, company executives erred on the side of caution by selling off $2 million in stock one month before the public was notified about the data breaches, a move which has caught the attention of New York Attorney General Eric Schneiderman.
Whatever happens to Equifax, your identity has already been compromised. That stolen data will be stashed away until it becomes safe enough to sell. Soon, someone will end up with enough of your information to open a credit card or register a shell company in your name.
There is no such thing as perfect security, but freezing your accounts, enabling two-factor authentication and actively monitoring for suspicious activity go a long way toward deterring identity thieves.