The Equifax Breach: What to Do Now and What to Watch Out For

Equifax, one of the major credit reporting companies that calculates credit scores for financial institutions and insurance companies, reported a massive security breach on September 7, 2017. The company reportedly lost control of customer data that included the Social Security numbers, birth dates, and home addresses of 143 million people, as well as a number of driver’s license numbers, credit card numbers and dispute documents. Although the number might not be as large as some of the previous mega-breaches, the type of data stolen exposes affected users to a number of risks. The data can be used in identity theft scams, tax fraud, social security fraud and many other serious attacks.

In response to the breach, Equifax has set up a website with information about the event, allowing concerned individuals to check if they are affected by clicking on “Potential Impact” tab. Those who want to check should make sure they're using a secure computer and a secured connection when doing this.  Equifax has also offered a free year of TrustedID, which provides credit monitoring and identity theft protection. Initially, the company’s policy included a clause that customers who signed up for TrustedID could not participate in legal action against Equifax, but that statement has been removed from their site.   

What to Do Now

Here are other steps we recommend you to take if you are affected:       

• Monitor your credit reports carefully. Aside from unusual or unverified transactions, look for incorrect personal information and credit inquiries from companies you’ve never interacted with. These are all signs of credit card fraud.
• Freeze your credit. This means that your credit reports are sealed, and you are given a unique PIN number that can be used to “thaw” your credit when legitimate applications need to be processed. This added layer of authentication makes it difficult for a criminal to open new accounts or generally perform fraudulent actions with your stolen information.
  You can freeze your credit with all three credit reporting agencies; the service costs around $20, but should be worth it:
  
  • Equifax: 1-800-685-1111 (for NY residents 1-800-349-9960)
  • TransUnion: 1-888-909-8872
  • Experian: 1-888-EXPERIAN (1-888-397-3742)
  • Innovis: 1-800-540-2505

• Set a fraud alert – A fraud alert is a free service that notifies you when an account is opened, and creditors should verify your identity before any new activity. Initial fraud alerts last 90 days, while extended alerts last seven years. You can apply through the organizations’ websites:
  • Equifax
  • TransUnion
  • Experian
  • Innovis
• Review your credit reports. Go on the website AnnualCreditReport.com to request a copy. Customers are entitled to a free credit report every twelve months from the three major consumer reporting companies (Equifax, Experian, and TransUnion).
• Check with your employer. Some companies offer credit protection services as part of their insurance coverage, which people may want to avail.

What to Watch Out For

The Equifax breach was reported in early September, but the company suggested the breach could have started as early as May 2017. That means that for more than three months, the data of 143 million people was left exposed and they were unable to take the necessary steps to protect themselves.

It’s not clear what the hackers have done or are planning to do with the data. Historically, we’ve seen this type of data traded in underground markets, where different criminals use them for different purposes. Certain information from the hack (SSN, birthdate, driver’s license) are classified as Personally Identifiable Information (PII), which is highly valuable to cybercriminals because it can be used in many different ways.

Whether you are directly affected by this specific breach or not, here are some threats to watch out for: 

• Stolen identity- PII can be used to validate the identity of someone opening a bank or credit account in another person’s name, or even apply for a loan or mortgage. One increasingly common scam is tax identity theft. Your address, date of birth and other PII can be used to file bogus tax returns and claim tax refunds in your name. Experts are recommending that people file their taxes early to preempt such scams. Freezing your credit can also help.   
• Abuse of Social Security Number (SSN) - A Social Security number is possibly the most important government-issued identification for American citizens. When combined with the name and address of a person, criminals can impact your credit by defrauding banks and government organizations. They can also receive medical care or even steal your Social Security benefits. Having your SSN stolen can impact your life for years, even after the criminal is caught. Changing your SSN is an option, but there are also downsides to having a new number.
• Phishing scams and fake websites. Phishing scams are rampant in the wake of huge events. Cybercriminals try and capitalize on trending news, using social engineered headlines in phishing emails to lure users into opening malicious links. They can also set up fake “support” websites that look very similar to legitimate ones. Offline phishing scams are also used to gain more personal information or even money from users. Some scammers may try voice phishing and masquerade as an Equifax agent or another credit monitoring service.

It is best to err on the side of caution and be watchful of any unusual emails or calls. For phishing attacks, check that the links in the email are legitimate and that the content looks professional. Also, any unsolicited contact is suspicious—you should initiate the contact and receive a reply.    

In the case of fake websites, users should know: the site should be secure (using https), and the domain should be correctly spelled. Sometime scammers will put up sites that look genuine at first glance, but are actually slightly misspelled versions of a legitimate site.

Due to the nature of the data involved, users will have to be proactive and diligent about mitigating attacks and scams. The versatility of the stolen PII allows cybercriminals to get creative with their actions, and users should be prepared.  

Trend Micro offers solutions to combat phishing and fake websites. Trend Micro™ Maximum Security provides multi-device protection so that users can freely and safely go about their business in the digital world. Maximum Security also includes ransomware protection, blocks malicious links in email and IM, and provides anti-spam filters as well as effective anti-phishing features.