Because the horrendous disaster of two malicious hurricanes isn’t enough for people to worry about right now, a few weeks ago a storm of a different sort swept through the United States. Like those assholes Harvey and Irma, this one’s going to be an enormous, life-changing financial burden for millions of people. And like the hurricanes, it could take years to repair the damage.
Yes: it’s time to talk about the Equifax breach.
If you follow us on Tumblr, you’ll know we’ve been getting some panicked messages about Equifax recently. So to dispel panic (or encourage it, as the case may be), I want to break the situation down into tiny morsels of suckitude that can be easily digested.
Dafuq is Equifax?
Equifax is one of three companies that monitor your credit-related activity to generate your credit score from your credit report. The others are TransUnion and Experian.
They have access to a lot of people’s really sensitive information: legal names, addresses, Social Security Numbers, driver’s license numbers, dates of birth, regular order at the Chinese food place down the street, etc. Everything you need to carefully and accurately track a person’s credit… or to hack it.
(Is Jurassic Park my only reference for computer hacking? … maybe.)
You don’t get to opt in or out of Equifax. As soon as you start building credit, Equifax, Experian, and TransUnion start tracking it on behalf of you and their clients (businesses and governments from whom you might need a loan). So you don’t really have any control over this situation.
Here’s how the shit hit the Equifax fan
I know jack shit about hacking and, really, computer security in general. This is how it works, right?
Fortunately, loyal citizen of Bitch Nation Dystopic Cyberpunk, who happens to work in computer security at a regional bank, was kind enough to fill me in on what this all means.
He explained to me that this kind of breach concerns PII, or personally identifiable information. In the security breach, the hackers captured the PII of millions of people. The Equifax breach is one of the biggest in history, and possibly impacts more than 40% of the U.S. population.
How common is a breach like this?
“In general, major breaches like this are becoming more common, although they don’t always make the mainstream news cycle,” Dystopic Cyberpunk said. “I generally expect to see large-scale password compromises about every three to four months, and significant PII breaches at least twice a year.”
Oh. Twice a year. That’s… comforting.
“As far as how this particular breach occurred, oftentimes those types of details aren’t made public for security purposes. For instance, it may take a long time to patch or replace compromised systems. If the vulnerabilities were advertised now, copy-cat attacks could further compromise Equifax’s systems.”
This explanation makes total sense. But I’m still side-eyeing the whole situation. Like, how the fuck could something this big have happened? Wasn’t anyone at Equifax paying attention?
“This is not the first time Equifax has faced public scrutiny for poor security practices, so it may be that the original source of this problem comes back to some of their previous poor design decisions,” Dystopic Cyberpunk said. “There is also a good chance that Equifax was not encrypting sensitive data.” I KNEW IT.
How does this even happen?
According to our brilliant source, companies often encrypt critical data like PII while it sits in storage, so that if the files are stolen, the attackers get gibberish instead of Social Security Numbers. But it looks like Equifax just… didn’t.
“Equifax did say in the initial release that the data was obtained because the attackers ‘exploited a U.S. website application vulnerability to gain access to certain files,’” Dystopic Cyberpunk noted. “This means that some piece of software used by Equifax on their website was vulnerable, possibly because it had not been patched in a timely fashion, or because it was a brand-new attack (called a ‘zero-day’). Nobody has confirmed that it was a zero-day, which means it’s more likely that the software had just not been patched since the vulnerability was identified.”
To us dumb-dumb know-nothings, that most likely means they didn’t update their software after the fix for the hole was already out.
“There is something called PCI Compliance, which is more of an industry standard, but is enforced by the Payment Card Industry. Think Visa and Mastercard; if you want to be a part of their system, you have to play by their rules. PCI Compliance forces companies to encrypt PII, but it looks like Equifax was probably not PCI-Compliant. We’ll see if that has any legal implications from all of this.”
I can only hope this means the bad guys are going to get their day in court. And that they are, in fact, bad guys, even if their charge is “criminally lazy about changing passwords.” But considering Equifax has a long and shady past when it comes to security problems, I’m settling in for a wrist-slapping to rival Wells Fargo’s.
How the breach hurts you
Let’s say you were one of the millions of people affected by the Equifax security breach. By stealing your identity, the hackers can:
- Open credit cards and lines of credit in your name.
- Get a driver’s license in your name.
- Steal your tax refund by filing a bogus return in your name before you do.
- Steal your Social Security check and other government benefits.
- Frame you for crimes like speeding (and… murder? I guess?).
- Prevent you from getting your prescription medication.
- Drain your bank accounts.
- Drain your investment accounts.
Here’s a gif of Kermit the Frog’s evil doppelganger in a transparent attempt to lighten the severity of identity theft:
Who got screwed
“Man, this sounds really unfortunate for those poor folks who… wait, this doesn’t affect ME, does it???”
Sorry, boo. If you have credit, then there’s a good likelihood you’ve been swept up in the Equifax shitstorm. That means if you have student loans, if you’ve ever used a credit card, if you’ve ever applied for a loan of any kind, or if you pay a recurring bill, you could have a credit report through Equifax. So if you’re a minor, you’re probably ok. Everybody else is at risk… all 143 million of you, by Equifax’s own initial count.
“Golly gee willickers, thank goodness I live in the great white north of Canadialand where everything is safe and wholesome all the time!”
Slow your roll, you moose-riding, maple-syrup-guzzling, uncomfortably polite motherfuckers.
According to Canadian Insurance Top Broker, this affects Equifax’s Canadian branch too. Which means all your excessive “soorrys” can’t save you from credit damnation.
“I say chap, that sounds like a right bollocksed snafolderoo. Good thing I’m a loyal subject of Her Majesty Queen Elizabeth McHats’n’Corgis!”
Yeah, I have no idea how the British speak. But the point is, you limey bastards aren’t safe either. It affects UK residents as well.
Equifax has not disclosed exactly how many residents of Canada and the UK were exposed by the breach. Which, through pure conjecture, means it was a depressingly large number. Sorry guys.
Here’s what you should do to weather the storm
There are a lot of fearmongers out there telling you to put your money in your mattress and start working a tinfoil hat into your daily fashion choices.
While I’m definitely not denying the situation is serious, I think there are some more practical steps to take.
Check to see if this affects you
Start by taking the Federal Trade Commission’s advice, as they tend not to fuck around. They advise you start by checking to see if your information’s been compromised. You can do this by going to Equifax’s website about the security breach and entering some personal information (your last name and the last six digits of your Social Security Number) to determine where you stand. DO NOT CHECK THE EQUIFAX SITE UNTIL YOU HAVE A SECURE AND PRIVATE INTERNET CONNECTION. So, no checking at the library, your school or workplace, or a cafe or some shit. And make damn sure you’re on Equifax’s real breach site and not a lookalike: copycat domains popped up within days of the announcement, and typing your SSN digits into one of those is handing a second set of crooks your data.
Hilariously, at time of publication, this tool was down due to “difficulties with our TrustedID website.” Difficulties indeed!
Monitor your credit yourself
If the Equifax site actually works and confirms you’re part of the hacking shitfuckery, you’re going to need to monitor your finances like a hawk for the next year at least. Check your credit reports from Equifax, Experian, and TransUnion on a regular basis and for free by going to annualcreditreport.com.
Even easier, if you’re a member of Mint (which we love), you can get free monthly credit updates delivered automatically to your dashboard. And Mint didn’t pay us to say that! Though I really wish they did because I have expensive taste in beer and Kitty has two guinea pigs to put through college!
If anything weird happens to your accounts, contact your vendor immediately. Most banks and credit cards offer fraud protection and reimbursement, but you’re going to need to be on top of that shit to get their help.
If you see suspicious activity, freeze
Our boy Debt Free Geek has some good advice for dealing with this kind of identity theft as well. Consider placing a freeze on your files or putting a fraud alert on your accounts.
A freeze stops lenders from pulling your credit report, which makes it much harder for someone to open a new account in your name, though they can still fuck with your existing accounts. Two catches: you have to place it with each of the three bureaus separately, and you’ll need to temporarily lift it whenever you apply for credit yourself. A fraud alert (placed with one bureau, which is required to pass it along to the other two) will warn creditors that you may be a victim of identity theft so they will take extra precautions in vetting anyone who tries to get credit in your name.
File your taxes promptly
Beat the hackers to your tax refund by filing your return as soon as possible. You don’t want them filing a return in your name and pocketing your refund, nor using your tax information to get a job.
Here’s more of what we know about taxes:
- Taxes: Your Annual Fee for Membership in Civilization
- Go Ahead and File Your Taxes Right Freakin’ Now
- How to File Your Taxes FOR FREE: Simple Instructions for the Stressed-Out Taxpayer
- My Taxes Are a Little, uh, Creative. What’s My Risk of an Audit?
Don’t bother paying for credit monitoring
Nobody cares about your money as much as you do. As such, neither of us feels that this service is really worth paying for when you can do it yourself.
If one of your institutions supports free fraud detection or credit monitoring, by all means, sign up. Just make sure it stays free, of course. Many move to a paid model after a certain number of months.
Equifax is offering a free version of such a service to those affected, which it hilariously calls “TrustedID.” You may have heard that buried in its original terms of service was an arbitration clause that would’ve nearly prevented you from suing them in the future. After getting called on it, Equifax removed this clause. So you can sign up for it, but it’s a good example of how such institutions rarely have your best interests at heart.
Keep calm and carry on
The Equifax breach is kind of huge. Which is worrisome. And I won’t lie and tell you everybody’s going to be ok. But this also shouldn’t cause you anxiety or panic.
We’re just now moving into an age where big data becomes normal and standard. With that comes many conveniences, like rapid access, increasing standardization, and stronger backup systems. But it also comes at a cost. Snatching millions of paper records from a credit bureau’s filing cabinets wasn’t feasible until those records could fit comfortably on a single hard drive. News like this will become more and more common.
And here’s the thing: you are always at risk for identity theft. Security breaches, data hacking, card skimming, and credit scams are happening around you all the time. It just might not be as broad or as publicly discussed as the Equifax breach. Remember that family members and significant others can usually steal identities far more easily than faceless pickpockets or hackers.
There’s no such thing as perfect protection. If someone is truly determined to steal from you, they will. But most thieves would rather go for an easy target. The best you can do is make yourself a hard target. Make it a habit to have good security hygiene.
- Track your purchases closely enough to notice if somebody else is spending your money.
- Check your credit often.
- Keep identity-proving documents locked up.
- Report stolen cards immediately.
- Shred sensitive mail before throwing it away.
- Don’t log into secure sites from unsecured connections.
- Make your passwords long and hard to guess, use a different one for every account (so one breached site doesn’t unlock the rest), and don’t share them.
- Call your financial institution at the first sign of trouble.
- Take advantage of free monitoring if it’s offered, but…
- Never leave the job of protecting your identity exclusively to somebody else.
I am hopeful this incident will spur companies like Equifax to take precautions against security breaches and prioritize anti-hacking measures.
Those fuckers owe us all that much.
As someone who works in the tech/security field, this was a huge cockup on Equifax’s part and you explained it in very clear terms. Well articulated and researched article! My only followup would be that people need to keep an eye on their credit for more than just the next year. Most hackers of this kind will sit on the data for a year or two (since the breach has been discovered) and wait until everyone’s forgotten about it to start using/selling the information. Definitely keep a close eye in the short term, but don’t think you’re out of the woods if it’s been a couple of years with no impact.
In fact, the US State Department is currently paying for 7 years’ worth of ID protection for me and thousands of other people because of the breach at the Office of Personnel Management a few years back. They still send me updates if I apply for a new credit card or move. It’s a bit unnerving to get those emails, but also rather comforting to know that someone is keeping track because that information was stolen.
Thank you so much for sharing your expertise! This is a really good point, and I’m glad you brought it up. CONSTANT VIGILANCE.