It wasn’t that long ago that University of Louisville employees were told their personal information was at risk due to a data breach at Equifax. Now comes word of another attack, in which unauthorized parties gained access to a huge trove of Equifax consumer information from mid-May through July.
Credit reporting agency Equifax on Thursday announced a massive data breach that could impact up to 143 million Americans. Cybercriminals stole consumers’ Social Security numbers, names, birth dates, addresses, and driver’s license numbers.
Visit www.equifaxsecurity2017.com to check if your personal data has been affected. The agency suggests signing up for credit monitoring and identity theft protection; it is opening up its credit protection service, called TrustedID Premier, to anyone, free for one year. To obtain a free copy of your credit report from all three reporting agencies, go to annualcreditreport.com.
The credit card account numbers for about 209,000 people and dispute documents that contained personal data for 182,000 people were also leaked.
Hackers also obtained “limited personal information” from British and Canadian citizens.
The Atlanta-based credit bureau discovered the breach on July 29 and said that it immediately started an investigation. The incident was reported to law enforcement.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” says Equifax chairman and CEO Richard F. Smith.
Equifax is one of three U.S. companies that monitor and score the financial activity of consumers. Along with TransUnion and Experian, Equifax evaluates data related to personal loans and credit card accounts. The agency also stores information on credit limits, utility and rent payments, employer history and child support payments.
Some people affected by the breach may not even know it – Equifax gathers its data from banks, retailers, lenders and credit card companies.
“Unfortunately, in cases like this, there’s not much the user can do outside monitoring their credit reports and using an identity protection service like LifeLock or something similar,” Alex Heid, white hat hacker and chief research officer at SecurityScorecard, said Thursday. “If it’s not from this breach, then their information was exposed in one of the several others in the last few years.”
In May, it was revealed that hackers infiltrated consumers’ W-2 data from April 17, 2016 to March 29, 2017 by exploiting Equifax subsidiary TALX, which offers tax and payroll services. The division was compromised when criminals reset customer employees’ 4-digit PIN numbers and then correctly answered their security questions.
At least five organizations received letters from Equifax about a series of incidents over the past year: the University of Louisville; military contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; and Erickson Living.
“The basic practice of centralizing sensitive consumer information, still commonplace in large enterprises, is a critical factor that leaves it vulnerable to attack,” said George Avetisov, CEO of HYPR. “If a service provider such as a bank, insurer, payment network, or other enterprise warehouses data that is appealing to hackers, the data will be hacked. It’s not a matter of if, but a matter of when.”
Equifax will also mail notices to anyone whose credit card numbers or dispute documents were included in the breach.
Three Equifax executives sold a combined $1.8 million in stock before news of the hack went public, according to Bloomberg.
The stock sales were carried out in early August by Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran. Equifax said the timing was a coincidence.
WalletHub offers these five tips to keep your information safe:
- Sign up for 24/7 credit monitoring – This way, you’ll find out immediately if someone tries to open an account in your name. WalletHub, for example, offers free 24/7 monitoring of your TransUnion credit report.
- Enable two-factor authentication – Equifax was hacked, but your cellphone wasn’t. So use it as another layer of protection when logging into your email account and financial websites.
- A freeze is better than an alert – It probably isn’t necessary in this case, but if you really want to protect yourself from fraudulent borrowing, freeze your three major credit reports (Equifax, Experian and TransUnion). This will prevent anyone but you from accessing them, thus making it impossible to take out a loan or line of credit. A fraud alert, in contrast, doesn’t actually do much.
- Suppress fraudulent info – While you can dispute run-of-the-mill credit report inaccuracies, it’s best to use a process called “suppression” / “blocking” to get rid of negative info resulting from identity theft. In short, this makes it so the records in question can’t reappear after they’re initially removed.
- Never respond to unsolicited requests for information – Don’t be surprised if you see an uptick in unsolicited calls and emails requesting personal information. Just remember: Never answer if you didn’t ask to be contacted.
Insider Louisville contributed reporting.