Friday, September 8, 2017

What you should do about the huge Equifax data breach

Folks have been emailing me about the Equifax data breach.  Equifax is one of the three largest credit bureaus (along with Experian and TransUnion).  Your credit history is stored there, and is accessed when people do credit checks on you.  It is almost certain that your information is part of what was accessed by hackers who broke into their database.

Quite frankly, this is the worst data breach I've ever seen.  It's not just names, addresses, and credit card numbers - it also includes Social Security Numbers and basically anything that a Bad Guy would need to open up credit in your name.

Add to this is what seems to be a bungled notification:
Equifax had weeks to prepare for its breach notification, so its decision to do so via a basic Wordpress site (oh, err) using a free shared CloudFlare SSL cert is somewhat puzzling. “For some reason Equifax used the 6 weeks to set up a new domain asking for SSN numbers, with anonymous Whois on Cloudflare,” said security consultant Kevin Beaumont. 
The whole approach already seems to have gone awry, with OpenDNS flagging up the site as a potential phishing locale in an apparent false positive. The Register has received emails from concerned readers who believed it may be a phishing site.
So what should you do?  Remember: you aren't Equifax' customer - you're their product.  Don't expect much (or anything) from them.  You're kind of on your own.

Fortunately, there's something that you can do.  You can freeze your credit:
A credit freeze allows you to seal your credit reports and use a personal identification number (PIN) that only you know and can use to temporarily “thaw” your credit when legitimate applications for credit and services need to be processed. The added layer of security means that thieves can’t establish new credit in your name even if they are able to obtain your personal information. 
Freezing your credit files has no impact whatsoever on your existing lines of credit, such as credit cards. You can continue to use them as you regularly would even when your credit is frozen.
If you buy a car, refinance a house, or whatever, you use your PIN to "thaw" your credit report.  Different credit bureaus have different capabilities there, so click through and read the (very informative and useful) article.

I recommend this for everyone - this will make stealing your identity really, really hard.


Anonymous said...

Thanks for the tips. Now for the DOJ to get the hanging platforms ready for hanging some people. We can't keep letting these "white collar" crimes go unpunished. Greed and incompetence are a lethal combination.

LindaG said...

Thank you for this information.

UK Houston said...

Should I find it humorous that both the Kaspersky anti-virus and the Brave browser blocked that "freeze your credit" link?

Borepatch said...

LindaG, I'm glad you find it useful.

UK Houston, yeah it's pretty lame how they set up the response.

Jonathan H said...

Umm, if the credit bureau info is hacked (again), wouldn't that give the hackers your pin also?
I'm with you - I don't see how any personal info hack could be worse; if the attackers got full personal data (and I haven't seen enough info to know what they got), they could know all of your existing card, loan, and bank account info and well as the personal info to create more. This is worse than most breaches because it affects your existing assets as well as possible new ones - getting a new credit card is one thing, but a new bank account and mortgage are a different matter entirely!
I'm glad that a large chunk of my funds are in a bank account that does NOT show up on my credit report; I have no idea why it doesn't, but things like this make me glad it doesn't.

waepnedmann said...

Thank you for putting this out.

I sent info regarding this to multiple family members.
Two of whom work in the banking industry as loan officers.
Only one (not a loan officer) replied and he said Equifax was not able to process his request.
He opined that that is probably due to the high volume of requests.
I recall reading that the Equifax executives used the six week delay in announcing the hack to dump their personal stock holdings.
If that is true LetsPlay's suggestion would have merit, but the whole idea is just another thought problem with big business and big government so thoroughly intertwined.
Torches and pitchforks may be the only answer.
Thank you for putting no this out.

Ruth said...

Do you have any information on TransUnion's True Identity program? It says it allows you to lock and unlock your credit (with Transunion), along with other odds and ends, for free. Cool concept. But it appears to be a phone app? Which strikes me as less than secure (I don't use any banking or financial apps). At any rate I got the other two frozen.