As you know from the copious news coverage (including our own post this morning) the credit monitoring bureau Equifax was hit with a security breach which has given thieves access to the data of 143 million people—mostly customers from the U.S., plus a handful from the UK and Canada. The data stolen includes names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses and credit cards.
Indications are that this breach occurred between mid-May and July, and it was discovered by Equifax on July 29. As this has potentially affected almost halfof all adults in the U.S., you may be wondering how to identify or mitigate problems caused by this breach. Here are a few steps you can take now:
1. Check your account for suspicious activity
The first, and most important thing you can do, is to check the transactions on all your financial accounts and credit history. As the breach was only recently reported, it’s likely that more information about the specifics of who and what was stolen will become available in the coming days and weeks.
If you see activity that you do not recognize, it is important that you notify the bank or credit agency immediately.
Keep in mind that the thieves may not use or sell all of the stolen data right away. You will need to be vigilant with your accounts for a while.
2. Consider a credit freeze
While freezing your credit does introduce a hurdle in allowing someone to access your credit report (such as when applying for a new bank card, loan, apartment or job), it also makes it more difficult for thieves to create new accounts using your information. Laws differ from one state to another regarding who may request a freeze and how much they will be charged. For most states that do charge, if you’ve not yet had fraud committed as the result of a data breach, you may be charged around $10 to place the freeze. It’s important to contact all three credit reporting agencies.
If your information was included in this breach, and you decide against a credit freeze, you may wish to place a fraud alert on your files instead. A fraud alert warns creditors that you may be a victim of identity theft and that they should take additional steps to verify that anyone seeking credit in your name is really you.
An initial fraud alert lasts 90 days, which won't be very helpful in this case as criminals can and most likely will be (mis)using permanent credentials like social security numbers for years to come. To file an extended fraud alert that lasts for seven years, you must have a police report that describes identity theft-related fraud that has already been perpetrated against you.
3. File your taxes promptly
While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.
4. Improve your login security
With all the information that is now available to thieves, they may try to couple it with attacks on other online accounts and services. If you’re an IT pro, you know that employees often share passwords, so now's a good time to implement two-factor authentication and data encryption if you haven't already. Watch this on-demand webinar to learn more about both.
5. Beware of scams
Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams. Some people may, ironically, be more apt to fall for social engineering tactics and phishing schemes that prey on this fear. Never click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.
And, be sure you’ve implemented a reliable antivirus product that includes anti-phishing (and take our phishing quiz).
In conclusion: Keep following this story
At the time of writing, Equifax is having a number of technical difficulties with existing contact methods, probably as a result of unusually high traffic volumes.
We advise that you do what you can to protect yourself using other methods, including those outlined above, while waiting for that traffic to slow down. Calling Equifax directly seems to be ineffective right now, and the Equifax breach-info site is having a variety of problems which seem to indicate that the rush to provide information may lead to further problems.
The Equifax breach notification site runs on a stock installation of WordPress. This is cause for concern as it appears to have insufficient security for a site that asks people to provide their last name plus six out of nine digits of their Social Security number. If this information was stolen, it would be more than enough fodder for criminals to perpetrate additional fraud.
But this isn’t the only cause for concern: Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat due to irregularities in its functionality. For example, the SSL/TLS certificatedoesn't perform proper revocation checks, which may cause browsers to display an error message. There are also indications that the information coming out of the site’s checking mechanism may be incomplete or inaccurate.
And the domain name is registered to a site that is not clearly labeled as belonging to Equifax.
There are plenty of things you can do to protect yourself without needing to contact Equifax right now. Equifax will contact affected consumers directly by mail, so for now, keep an eye on the news as more information comes to light.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.