Equifax, one of the major credit reporting agencies, released information on September 7, 2017 that a cybersecurity incident may have potentially impacted approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
Please see the Equifax website for more details and ways to protect yourself.
Although this is not the largest breach that has ever occurred, it is the largest with respect to the severity of personal information taken. It has been reported that 44% of Americans are affected. At this time, it is unknown who was behind the breach. If the information was taken by criminals, the potential for it to be sold and resold on the dark web is a real threat.
Here are some practical tips for individuals whose information may be compromised:
- Personal credit reports should be monitored for new applications that were filed on your behalf.
- Monitor all monthly statements for any unauthorized payments.
- Monitor your existing credit card and Credit Union/bank accounts closely for charges or changes you don’t recognize, such as address or phone number changes.
- Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
- If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
- File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS. The IRS will only contact you through the mail.
Phishing and Ransomware
Criminals will use e-mail, telephone messages (vishing) or text messages on cell phones (Short Message Service, or SMShing) to trick recipients into disclosing personal and financial data. Some phishing attempts ask e-mail or text recipients to respond with personal information, and others include links to what appear to be familiar Web sites but are really spoofed copies. Once the user clicks on the link to the spoofed site, all future online activity gets funneled through the phisher’s system, giving him or her access to any account numbers and passwords the user enters online. To protect yourself from phishing:
- NEVER respond to an e-mail asking you to verify or update your personal information
- Never click on links in unsolicited e-mail that you receive
- Delete any unsolicited e-mails in your e-mail accounts – don’t even open them!
- Protect your passwords. Never write them down or enter them online unless you initiated the transaction.
- Never give out your personal or financial information on the phone or online unless you initiated contact
- Check your credit report at least once annually or sign up for weekly or monthly alerts through credit management agencies
- At home, use spam blockers, firewalls, virus protection, and adware & malware destroyers
- Update your Operating System whenever security patches are available
Ransomware attacks have relied on a user’s clicking on a phishing e-mail or infected website or downloading malicious software. The ransomware would infect individual machines and shared resources to which the user had access, rendering them useless until a fee is paid. These attacks can focus on individuals, businesses and industries.
The FBI recommends the following:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Enable automated patches for your operating system and web browser.
Credit Unions need to make sure all processes and procedures are followed when opening new accounts, loans, or making changes to accounts. The information accessed in the Equifax breach can result in fraudulent applications, account takeovers and various types of phishing scams.
Visit Identitytheft.gov/databreach to learn more about protecting yourself after a data breach.
By: Mary Anne Colucci, LSC, Director of Fraud & Risk