Hello everyone. As lots of us know, there has been a recent breach, and this one has me really worried. This has nothing to do with the recent ransomware attacks that have plagued the news, but more stolen data from social security numbers, credit card numbers, potential driver license numbers, and a staggering number I just don’t know what to say about.
The first time I heard about this was at one of my volunteer sites. This was on a Friday, and I just had to do a double take. Of course, when I had a moment after I was done there, the first article I see is from none other than Brian Krebs from a site called Krebs On Security. The article is entitled "Breach at Equifax May Impact 143M Americans September 7, 2017" and this really opened my eyes to what the real impact was. The date attached to these articles including that one is when it was posted to the net. I read this article, and I just couldn’t imagine what I was reading. Here is a little bit of that article to give you a timeline.
“Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and 'certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.'”
This is just staggering! In another article that was posted from Krebs, we later learn that this goes bigger than this particular number. "Equifax Breach Response Turns Dumpster Fire Sep 8, 2017" is the article in question. This particular article talks about how the website they are telling you to go is giving inaccurate information. When Brian first went to the website linked in the first article and later in this one if I remember them both, he says that it said that there was no data available, or it gave an error saying to try again later. The second article linked here talks about how there are many different flaws in this website, and in my opinion, this can be a bigger problem than the 143 million number that they are telling us.
In other news, LastPass, a password management service, posted on their information on their blog. "What the Equifax Breach Means for You" is the name of this article. In it, LastPass calmly tells users what they know so far, the importance of making sure you use strong passwords, even though the compromise was not taken via a password attack, and what the company is doing to alert you if your information is out there if it matches data they have for you.
When clicking through to the article, it is very important for you to read the four items that you should do. One thing I am not clear on is putting a freeze on your file. For people who don’t make a lot of money, $10 to $15 is quite a bit to spend to freeze your file, and that's per company. I would continue to monitor my bank and credit card for unauthorized transactions and report them as suspicious immediately. If I did make money, I would be happy to freeze my file.
One thing I did was lock my card. As a card holder, I can do that with my credit card company so that if they did get my card number as part of this massive breach, the charge won’t go through. Then, I would get notified of the declined charge, and also sent an email. If I didn’t make the charge when it was declined, I know someone has my card, and I could report it if I felt that it was necessary to do.
There are other articles I have not read as of yet, but scanning briefly "The Equifax Breach: What You Should Know September 11, 2017" says in part that other countries may be impacted. I’m definitely going to tweet and continue to keep up on this one, as this could affect most of the population in some sort or another.
In the good news aspect of things, Trend Micro posted "Equifax Breach – an Example of Good Communications September 8, 2017" which talks about how they set up a site, they’re notifying people, and the page linked to the company’s own information which is updated with information and highlighted within this article.
As you can see, there is some good and some bad within these articles. I’m a little scared that this could turn bigger than we first read, and updates could be happening for awhile. The fact that it took over 30 days for any type of notification should not be surprising.
- The investigation may be taking awhile, and they want to make sure they understand the scope of the problem.
- The company prepares a release, checks it with what they know so far, and publish it.
- In this case, news of their release is continually being updated with new information.
- Word is getting out via various podcasts including Twit's Security Now SN 628 which covers this. I’ve not listened to this yet, but I plan to.
- Companies are getting the memo out to their employees about the breach.
I’m sure that this will be talked about for awhile, but we as citizens need to remember one important thing. We need to be proactive in our own defense of our information. This means that we should:
- Check out our own credit card and other information we can to make sure nothing has been charged or taken out of our respective cards or banks.
- If possible, do check your credit. I know I can’t because it comes in print, and I need it in an alternative format. I should check to see if I can do that.
- We should find ways to verify our information so information like social security numbers are not used to identify us. We can not change that.
- If fraud has occurred, report it to the appropriate party, immediately upon discovery.
- Please don’t wait for any bank or card statements to arrive. By that time, you could be in some serious trouble.
- If applying for a job, only give out the social security number once hired, unless the form requires it such as an online form. I wish this was not the case, where they require it before we even get in to an interview.
If you think of any other aspect that I’m missing, please feel free to write me. My email address is in my profile for you to have. I’m looking forward to your responses on what we as a community can do to stop this vicious behavior. This is the worst I have ever seen. It's only going to get worse. I think it will.
Update: An article called "Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop" has provided further information about Visa and MasterCard's confidential alerts surrounding the hack, as well as information regarding Equifax's statement about how and when exactly the hack occurred.
PhishLabs has also published an article titled "Phishing Implications of the Equifax Data Breach" that goes into detail about how phishing campaigns may pop up as a result of this breach.