A couple of weeks ago, as I was planning this month’s Data Dump column, I thought about doing a fun write-up on the “Magic Power” of rebooting devices that somehow fixes most common problems. Then IT happened and IT must be addressed. And I am not referring to the new Stephen King movie. IT is the 5th largest data hack in U.S. history according to a report in USA Today. IT, of course, is the Equifax data breach disclosed to the public on September 7, affecting over 143 million Americans. So, if you read this, you’re probably affected.
Equifax is the oldest of the three major credit bureaus. A breach of their web servers lasted from mid-May through July 29th. The data that was stolen is referred to as PII (Personally Identifiable Information). This data includes names, social security numbers, birth dates, addresses, and more. The apparent cause of the breach was web servers that were not sufficiently patched. The vulnerability was first reported in March 2017. Unfortunately, it took Equifax over a month to report the data loss.
This data breach in the United States is not the only problem to hit Equifax. It has been revealed that the Argentina branch of Equifax had its website username and password set up as Admin/Admin. Logging in with this information granted full administrator privileges to add and remove employees and view their PII data. Are you kidding me?!
Why does this keep happening and what should you do?
There is absolutely no excuse for a mega-large corporation that houses financial data to skimp on proper tools and procedures. Specific details are still coming to light, but it will be interesting to see whether this was human error, with a lack of processes in place to properly patch equipment; whether Equifax got stingy on security monitoring tools, allowing a data leak to last for 6 weeks before detection; or some combination of both.
For many small and medium businesses, ROI (return on investment) is a major driving factor in deciding where to invest more limited budgets and other resources. Cybersecurity and backup/disaster recovery tools only have an ROI if you have a problem. I can speak from first-hand experience when warning a potential client to invest more in security precautions, only to be told, “Oh, we’ve never had a problem.” In this hyper-connected age, it’s not a matter of if, but when you will experience an accidental breach or data loss. In addition, if you don’t have the appropriate tools in place, you wouldn’t know if you had a problem to start with.
There is a trust placed upon you if you run a doctor’s office, insurance, school, bank, or other entity that requires significant PII. Customers know that sensitive data is needed at these institutions, but clients expect that it is inherently safe. This applies to all businesses, from a small 2-person company to a 50,000-employee multinational organization. Inc. reports that 60% of U.S. businesses with less than $10 million in revenue fail within 6 months of a cyber-attack.
In light of the Equifax breach, what should you do? At a minimum, you will want to set up fraud alerts on your credit report. You can contact any of the 3 credit monitoring services to set up fraud alerts. The third-party service Credit Karma is offering free credit monitoring as part of its free products.
If you know you will not be applying for new credit or loans, you should consider freezing your credit. This will prevent any unauthorized individual from attempting to use your PII to open new lines of credit, but they can still attempt to use existing lines of credit. There is typically a small fee associated with a freeze, and you will need to freeze your credit reports at all 3 major bureaus directly. The U.S. Senate is working on a bill making all credit freezes free, expanding fraud alerts, and forcing Equifax to refund fees to people who paid for freezes after the breach disclosure.
- Equifax — 1-800-349-9960 or online
- Experian — 1-888-397-3742 or online
- TransUnion — 1-888-909-8872 or online