The Wall Street Journal just reported that credit-reporting company Equifax Inc. disclosed Thursday that hackers gained access to some of its systems, compromising the personal information of about 143 million U.S. consumers. OUCH.
The difference with this one is that a big-three credit bureau like Equifax holds so much personal and often confidential information: Social Security numbers, full names, addresses, birth dates, and for some people even driver's license and credit card numbers.
That information can be the difference between being able to buy a house, or sometimes even get a job, and not. This breach, and the way Equifax handled it, including the announcement, is what Brian Krebs rightfully called a dumpster fire.
"Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company, however, said it hasn’t found any indication that its “core consumer or commercial credit reporting databases” had been compromised.
"The company, which also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information, said it discovered the breach on July 29. Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review."
Implications of the breach
The problem is that with this much personal information in the hands of the bad guys, you can expect highly targeted social engineering attacks with credit-card related themes, along with a variety of other related crimes such as full-on identity theft on a much larger scale. These records will first be sold on the dark web to organized crime for premium prices and exploited immediately, sometimes by local gangs on the street. Shame on Equifax for this epic fail. They will be sued for billions of dollars over this web-app vulnerability.
Even more fun: the monitoring service they are offering comes from a company Equifax itself owns, its terms were updated on Sept 6th, and those terms include a forfeiture of your right to sue Equifax. Never mind that it took them 3 months to disclose the breach, and that their execs are under fire for selling off stock 3 days after the company found out about it.
What to watch out for
At this point you have to assume that the bad guys have highly personal information that they can use to trick you. You need to watch out for the following things:
- Phishing emails that claim to be from Equifax and offer to let you check whether your data was compromised
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card because your identity was stolen
Here are 5 things you can do to prevent identity theft:
- First sign up for credit monitoring (there are many companies providing that service including Equifax but we cannot recommend that)
- Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis: http://consumersunion.org/research/security-freeze/
- Check your credit reports via the free annualcreditreport.com
- Check your bank and credit card statements for any unauthorized activity
- If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself: www.idtheftcenter.org. You can also call the center’s toll-free number (888-400-5530) for advice on how to resolve identity-theft issues. All of the center’s services are free.
For existing customers we have a fresh phishing template we recommend you send your users to inoculate them against coming attacks. You can find it here: Phishing->Email Templates->System Templates->Current events (sort by Last Updated): Equifax: Official Data Breach Notification (Link)
We suggest you share this document with your users so they have a constant reminder of social engineering red flags. It's a great resource for them to keep near their computer!