According to Equifax, hackers exploited a weakness in its customer-facing website from mid-May to July 29, 2017 to steal the personal information (including Social Security Number, driver’s license number, and credit-card numbers) of 143 million U.S. citizens. That's the personal information of more than half of the adults in the United States today. The company further stated that the personal information of approximately 10,000 Canadian citizens and 400,000 UK citizens was also taken. And in Argentina, an Equifax data portal was readily accessible using an account with the default user ID and password. This potentially exposed the personal information of 14,000 more people.
If you are an American citizen, it is likely that some or all of your most sensitive personal information is now in the hands of hackers. As bad as this seems you should not panic. Help is on the way and there are simple actions you can take to mitigate any potential damage this hack might do to you.
How Equifax was hacked
Again, according to Equifax, they did not apply a software patch for a website vulnerability identified in March 2017 as CVE-2017-5638.
That's right. Equifax was hacked because they forgot Rule #1 of the 7 Common-Sense Cyber Protections That Really Work:
- Download and apply security "patches" for all of your software regularly. Enable automatic updates when possible so you don't forget to update.
In Argentina, an Equifax portal could be accessed from a user account named "admin" using the password "admin." So that possible hack was enabled by Equifax forgetting Rule #2 of the 7 common-sense protections:
- DO make your passwords complex by using combinations of letters, numbers, and symbols.
Equifax is a painful reminder of what happens when companies do not carry out the necessary actions to protect their business from cyber-attack. With this one attack on Equifax, a majority of American adults are at risk of identity theft, massive banking and credit card fraud, and maybe even having false tax returns filed in their names.
You will read a lot of stories in the news about how bad this hack is (and it is bad), and all the things you need to do today to protect yourself. The truth is that all the stolen personal information has been out in the wild since at least August.
Liron Damri, co-founder of Forter (a fraud prevention service for online retailers) told the New York Times that his company "saw a 15 percent increase in the overall fraud attempts in our system in August, which is an unusual time of year to see such a spike."
So once the hack was discovered by Equifax in late July, the cyber-criminals probably started monetizing the stolen data – starting with credit card fraud.
What should you do?
The good news is that with a hack this big, every bank, every credit card company, every mortgage company, and the U.S. Government will all be on guard against the misuse of stolen personal information. Two proactive measures you can take now are:
- Sign up for a credit monitoring service - Equifax is offering everyone a free year of credit monitoring. Any American citizen
can sign up for it (or sign up for any of the other credit monitoring services you prefer).
- Note If you have a major American credit card, your card company is probably already monitoring your credit information at TransUnion, Experian, or Equifax as part of their fraud monitoring approach. You will most likely be receiving emails from your credit card companies soon about the Equifax hack telling you they are monitoring your credit.
Most importantly: You should check regularly your bank account statements and credit reports for abnormal or unauthorized activity. Call your bank or credit card company at the first sign of anything odd.
Most bank account and credit card fraud hits people who rarely check their account or card activity. Criminals usually make small purchases on your credit card, or small withdrawals or deposits into your bank account, to see if you notice. If you don't dispute these odd events in a timely manner with your credit card company, then your credit card company might assume the small purchases are part of your normal spending patterns—ignoring the criminal purchases as legitimate. That's when your troubles start.
Expect a lot more Phishing, Smishing, and Vishing
Now that all that personal information is floating around, it's going to be used to phish businesses and individuals to try and steal yet more information. In just a short while, phishing messages will feel more authentic because they will appear to come from banks or credit card companies that you really deal with (since hackers now know a lot more about you). You will be phished to steal still more of your business and personal information. You may even get a phishing email claiming to be from Equifax asking you to supply yet more information.
In particular, watch out for phishing, smishing, or vishing that:
- Claim to be from Equifax asking you to open an attachment, follow a link or speak to an agent to verify your personal information
- Claim to be from your bank or credit union and need you to verify your personal information
- Claim there is a problem with one of your bank accounts, credit cards, credit record, or some other kind of personal financial information
The best way to protect yourself against these nascent phishing attacks are to know the signs. Amaxra has written an entire series of helpful blogs on how to identify and defeat phishing:
- Phishing for Corporate Gold with Social Engineering Attacks
- This Is Why You Need To Worry About Smishing
- Is your cell phone calling to ask for your Social Security number? That's Vishing
- We just avoided a Phishing attack (and you can, too)
And since you will likely find yourself needing to change the passwords for your online banking and credit card systems, here are some tips on how to create less-hackable passwords:
Choose Amaxra to help you get secure and stay secure
We can help you with anti-phishing training, securing your business systems, and other protections to make sure you don't get hacked and the personal information of your customers stolen from you.
Contact us at firstname.lastname@example.org or call 425 749 7471 for a no-obligation consultation from one of our optimization experts.