
Equifax Breach 2017

The Equifax breach of 2017 is one of the largest and most complete corporate breaches that we've seen in recent years. The breach will affect 143 million people and includes Social Security numbers, driver's license numbers, home addresses, phone numbers, birth dates and even some credit card numbers. This information would allow someone to steal a person's identity to open lines of credit, file taxes, impersonate users to access bank accounts, etc. Equifax, Experian and TransUnion store this information about people who have never done any business with them because it is their business to store credit information. That means you could be affected, even if you have never had an Equifax account.

From an IT security standpoint, it is interesting to me how the breach occurred. The breached server appears to have been a web server that was not being updated with the latest security updates. (This is why all of the Windows Updates that we hate doing are so important.) A component called Apache Struts was exploited and the hackers were able to gain admin access to the machine. From there they were able to pull data from the database systems and steal personal information.

Of interest from a legal standpoint: a number of the higher-ups at Equifax sold off more than a million dollars' worth of stock a couple of days after the breach was discovered. Equifax waited a couple of months before actually disclosing the breach to anyone else. The SEC is probably going to be asking some tough questions about that.

You can go to the following website, https://www.equifaxsecurity2017.com/, to see if your information is likely to have been stolen in the breach. You will need to enter the last 6 digits of your SSN along with your last name. If your last name has changed in the last few years, you may want to try both last names. If you find that you are a part of the security breach, Equifax will give you the option of signing up for their credit monitoring service and will offer you the option of freezing your credit. The credit monitoring service is kind of an after-the-fact service. It will let you know that someone just stole your identity so you can stop it as quickly as possible. The credit freeze will not allow anyone to pull a credit report on you, so that nobody, not even you, can request new lines of credit. This is a blunt tool, but it is probably the only real protection you can get in this situation.

Simply freezing your account with Equifax will not be enough, though. You will need to contact Experian and TransUnion as well and have them freeze your credit. They will do this for a fee. Once it is done, you will not be able to get a line of credit for any type of loan or credit card unless you first contact the credit agencies and have them remove the freeze. The smart thing to do is to ask the creditor or bank which agency they will use. You can then unfreeze only that agency for that specific creditor and keep the protection on for everything else. It is a pain, but it is actually a smart way to protect your identity going forward.

Unfortunately, there are things you can do with the information that was stolen that would not require credit agencies' input. Someone could file a false tax return. The federal government does not have a stellar record for handling this type of fraud. There are also other types of loans (payday loans, etc.) that can be obtained without a credit agency. Think of all of the advertisements you see that say NO CREDIT CHECK. Once your identity is stolen, it can be a massive waste of time trying to get everything corrected. Debt collectors can be relentless and often won't listen to reason in their zeal to recover money for their business.

This likely means a lot of lawsuits against Equifax, and they have already started. It also may mean that regulators take a much closer look at how the credit agencies protect their information. Right now, it is not a very regulated industry. I believe that is going to change in a dramatic way. For more information, you can go to the FTC website here:

https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
