A massive Equifax data breach has resulted in the exposure, and possible theft, of 143 million Americans’ records, including highly sensitive data such as Social Security numbers. To put that figure into perspective, that’s virtually half the population of the United States.
Hackers gained access to a website database via an unpatched vulnerability in a web application. Security experts are suggesting the vulnerability was in Apache Struts and that a patch had been issued in March, two months before the attack occurred.
In addition to Social Security numbers, the data exposed/stolen included names, addresses, telephone numbers, email addresses, birthdates, and in some cases, driver’s license numbers. Approximately 209,000 individuals also had their credit card numbers stolen, while 182,000 Americans’ dispute documents were compromised. Access to the data was first gained in May, although it was not until July 29 that the Equifax data breach was detected and access to data was blocked. While the majority of individuals affected were from the United States, around 400,000 British citizens were impacted.
A data breach on this scale is bad for any organization, although especially so for Equifax considering the company is a provider of credit monitoring and identity theft protection services. Naturally, those services will be provided to those affected by the breach.
Breaches of sensitive information have major repercussions for consumers and fast action is necessary to mitigate risk, yet it took Equifax around 6 weeks to announce the breach. Consumers should therefore act quickly and sign up for the credit monitoring services as soon as possible. They should also obtain a free credit report and monitor their accounts carefully for any sign of fraudulent activity. Equifax will only be offering 12 months of credit monitoring services free of charge; after that, consumers are on their own.
Lawsuits have already been filed against the company with plaintiffs seeking damages for the exposure of their data. At least 40 state attorneys general have launched investigations and a criminal investigation has been launched into the actions of three executives who sold shares after the breach was discovered, but before it was announced. The timing suggests the possibility of insider trading.
Given the fact that almost one in two Americans has been affected by the Equifax data breach, the company took the decision not to notify all breach victims by mail. Only individuals whose credit card numbers were exposed will be getting a notification letter in the mail. All other Americans will have to visit the Equifax website to find out if they have been affected.
The official site for checking whether you have been affected is https://www.equifaxsecurity2017.com/potential-impact/, which will redirect you to the TrustedID Premier site (trustedidpremier.com). To check whether you have been affected, you will be required to enter the last six digits of your Social Security number and your last name.