Equifax data breach
What happened, what does it mean and what can you do?
By now you are likely aware of the recently announced Equifax data breach, wherein Social Security numbers, credit card numbers, driver’s license details and other types of sensitive information were compromised by hackers. Over the course of several months, the attackers obtained unencrypted full identities for potentially 143 million Americans, nearly two-thirds of the adult population in the United States. Most individuals and organizations now feel the need to do something in response, but we believe you would be much better served by sticking to the basics.
First, let’s clarify what actions should be avoided at this stage. For now, RSM does NOT recommend that individuals use the website provided by Equifax to determine if they were affected by this issue.
In the last few days a variety of media, law firms and security researchers have published articles on questionable results being returned from the site, potential security issues within the website, and potential legal ramifications from the user agreements which were attached to the Equifax TrustedID service. While RSM does not take a position on any of these points, they are a concern. We suggest simply waiting for the points to be resolved or clarified. Equifax is legally required to notify affected individuals by mail, so you will know in the near future through standard means whether your data was compromised.
Second, you should be aware that this breach has caused a surge in phishing attacks related to the event. Within hours of the incident being made public, individuals began to receive emails purporting to be from Equifax, law firms, law enforcement and a random assortment of other entities. These emails are attempts to trick individuals into providing their information to the attackers via email responses or by luring potential victims to so-called look-alike pages that resemble the Equifax website.
Simply put, do not interact with anyone claiming to be involved in this incident. If you want to proactively work with a third party (e.g., your bank, a credit-monitoring group, etc.) then contact them through their known web pages and published email accounts. Do not reply to emails or phone calls attempting to contact you directly.
Third, with a few exceptions, do not be enticed by the avalanche of communications coming from security vendors and consultants regarding the appliances, software, solutions and services that you should purchase because of this issue.
Back to basics
Describing what you should be doing will strike many of you as frustratingly generic. Other recent cyberattacks such as WannaCry, Petya, Heartbleed, Shellshock, and any number of high-profile security events allowed potential victims to take a concrete action to reduce their risk: deploy a patch, upgrade a system, alter a configuration setting or some other tactical response.
Unfortunately, the Equifax issue does not allow any such tactic to be brought to bear. For most individuals and organizations, the only useful recommendation will be to get back to basics.
Individuals – Follow the standard practices to protect your identity:
- Contact the credit reporting agencies (the credit bureaus) and have a freeze or lock placed on your credit file; a freeze at one bureau does not cover the others, so it must be placed with each of them
- Consider purchasing a subscription with one of the various identity protection vendors
The IRS provides an extensive overview of such activities on its website.
Losing your full identity can result in a thief taking out loans or credit cards in your name. A variety of fraud alerts will usually detect such activity, and the methods to correct such problems have become well known and efficient. However, individuals with a high net worth may wish to take additional steps.
High net worth individuals often have accounts with significant amounts of liquid assets such as cash or stocks that can be quickly sold. Having access to your full identity could allow an attacker to attempt to convince a financial institution to move funds or execute trades on your behalf. Consider contacting those institutions and discussing what additional protections can be put in place. This often includes storing offline contact information for you that would allow the entity to contact you for verbal approvals, additional contacts (lawyers, wealth managers, etc.) that must be contacted to acquire multiple approvals, challenge/response methods, and other such techniques.
Businesses – Businesses must also contend with this situation. The most obvious risk will be attackers attempting to use the stolen identities to gain access to user or customer accounts. Many organizations have password reset methods that require information such as a full name, address and last few digits of a Social Security number, all of which may now be in the hands of attackers. Because those values are static, such a reset path cannot be repaired by asking for different questions; it has to stop relying on that class of data. Organizations that feel they are at risk of such attacks should consider the few products or services that are the exception to the prior comment about unscrupulously hawked technologies, software and services.
The following may be particularly effective in offsetting the risk of this specific incident:
- Products that would allow you to deploy two-factor authentication to employees and customers
- Services that would assist you in rebuilding your account management processes (enrollment, password reset, account recovery) so that they do not depend on possibly exposed data such as names, addresses or Social Security numbers
- Behavioral modeling tools that can detect when a user or employee is acting in an abnormal manner (e.g., odd login times or locations)
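As an added example (not RSM's code and not any vendor's product), the following Python contrasts the knowledge-based reset described in the business section above with a reset gated on a short-lived one-time code delivered to a channel the user registered before the breach, which is the shape the first two items in the list point toward. The account store, the user `jdoe`, the recovery phone number and the `send_code` delivery callback are all constructed for the example; the hashing of the code and the attempt and expiry limits are the practitioner's hardening choices, not something the article prescribes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (not real data). The knowledge-based
# fields are exactly the kind of data the article says attackers now hold.
# The recovery phone stands in for any out-of-band channel registered with
# the user before the breach (assumption for this example).
USERS = {
    "jdoe": {
        "full_name": "Jane Doe",
        "address": "12 Elm St, Springfield",
        "ssn_last4": "1234",
        "recovery_phone": "+1-555-555-0123",
        "password_hash": None,
    }
}

CODE_TTL_SECONDS = 600   # a one-time code lives ten minutes
MAX_ATTEMPTS = 5         # then the pending reset is discarded


def weak_reset_allowed(username, full_name, address, ssn_last4):
    """The pattern the article warns about: a reset gated on static identity
    data. Anyone holding the breached records passes this check."""
    user = USERS.get(username)
    if user is None:
        return False
    return (user["full_name"].casefold() == full_name.casefold()
            and user["address"].casefold() == address.casefold()
            and user["ssn_last4"] == ssn_last4)


class RecoveryService:
    """Reset gated on a short-lived one-time code sent out of band.

    `send_code(contact, code)` delivers the code (an SMS gateway, for example);
    `clock` is injectable so that expiry can be exercised in tests.
    """

    def __init__(self, send_code, clock=time.time):
        self._send_code = send_code
        self._clock = clock
        self._pending = {}  # username -> {"digest", "expires", "attempts"}

    def start(self, username):
        user = USERS.get(username)
        if user is None:
            return  # same outward behaviour for unknown users: no account enumeration
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[username] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # never store the code itself
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_code(user["recovery_phone"], code)

    def finish(self, username, submitted_code, new_password):
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() > pending["expires"]:
            del self._pending[username]  # expired: the user must start over
            return False
        pending["attempts"] += 1
        if pending["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]  # guess budget exhausted: start over
            return False
        submitted = hashlib.sha256(submitted_code.encode()).digest()
        if not hmac.compare_digest(submitted, pending["digest"]):
            return False
        del self._pending[username]  # single use: a replayed code fails
        salt = secrets.token_bytes(16)
        USERS[username]["password_hash"] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True


if __name__ == "__main__":
    # A thief with the leaked record passes the knowledge-based check...
    print("weak check passes:",
          weak_reset_allowed("jdoe", "Jane Doe", "12 Elm St, Springfield", "1234"))
    # ...but cannot finish the out-of-band flow without the delivered code.
    svc = RecoveryService(send_code=lambda contact, code: print(f"sent {code} to {contact}"))
    svc.start("jdoe")
    print("blind guess accepted:", svc.finish("jdoe", "00000000", "hunter2"))
```

The point of the contrast is that the weak path is unrepairable by swapping in other identity fields, because every field a bureau holds is now in the same hands; the hardened path depends on possession of a channel registered before the breach, and the limits on lifetime, guesses and reuse keep an eight-digit code from being brute-forced or replayed.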
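As an added example of the last item in the list (not code from the original page and not any vendor's product), here is a minimal per-user baseline check over constructed authentication log lines: it flags logins and password resets from a country or at an hour of day the user has not been seen at before. The log format, the users `alice` and `bob`, and the thresholds `min_history` and `hour_slack` are assumptions for the example; commercial behavioral tools model far more signals than these two.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data). The line format is
# an assumption for this example: ISO-8601 UTC timestamp, then key=value pairs.
SAMPLE_LOG = """\
2017-09-01T09:02:11Z user=alice country=US result=success
2017-09-02T08:55:40Z user=alice country=US result=success
2017-09-03T09:10:05Z user=alice country=US result=success
2017-09-04T09:00:30Z user=alice country=US result=success
2017-09-05T09:05:12Z user=alice country=US result=success
2017-09-06T03:14:07Z user=alice country=RO result=success
2017-09-06T03:15:20Z user=alice country=RO result=password_reset
2017-09-01T14:20:00Z user=bob country=US result=success
2017-09-02T15:01:44Z user=bob country=US result=success
2017-09-03T02:30:10Z user=bob country=BR result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)\s+"
    r"country=(?P<country>\S+)\s+result=(?P<result>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "country": m["country"],
            "result": m["result"],
        })
    return events


def _hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_anomalies(events, min_history=3, hour_slack=2):
    """Flag events whose country or hour of day lies outside the user's baseline.

    The baseline is built only from earlier, unflagged, successful events, so
    a successful login by the attacker does not teach the model that the
    attacker's location and hours are normal.
    """
    baselines = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baselines[ev["user"]]
        reasons = []
        if base["n"] >= min_history:  # do not judge users with too little history
            if ev["country"] not in base["countries"]:
                reasons.append(f"new country {ev['country']}")
            hour = ev["ts"].hour
            if all(_hour_distance(hour, h) > hour_slack for h in base["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00 UTC")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["result"], reasons))
        elif ev["result"] == "success":
            base["hours"].add(ev["ts"].hour)
            base["countries"].add(ev["country"])
            base["n"] += 1
    return alerts


if __name__ == "__main__":
    for ts, user, result, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(ts, user, result, "; ".join(reasons))
```

On the sample data both of `alice`'s 03:00 UTC events from a new country are flagged, including the password reset that follows the login, while `bob`'s change of country is not, because two prior logins are below `min_history`; tuning that floor is the trade-off between false positives on new accounts and blindness to early abuse of them.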