Credit reporting agencies have access to basically all of our most sensitive financial information, and we pretty much all have our records collected and collated by them whether we want to or not. So that makes it a particularly big problem when one of the big three credit agencies in the country has to announce a data breach affecting all its customers, because that basically means all of us… and this one is bad.
What was the breach?
Equifax announced today that it discovered “unauthorized access” to their systems — i.e. a data breach — on July 29.
Whoever got into their systems had access from mid-May through the end of July, so about two-and-a-half months.
Equifax says it has “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” but plenty of Equifax systems were accessed, and data purloined. The company adds the standard adage about reporting the incident to law enforcement and working with both independent forensic investigators as well as the relevant authorities to sort out who’s responsible.
Bloomberg also reports that three Equifax senior executives, including the Chief Financial Officer, sold a total $1.8 million worth of company stock between the time the breach was discovered and the time it as announced.
What was stolen?
This one is bad. The illicitly accessed data includes:
- Dates of birth
- Social Security numbers
- Driver’s license numbers
That is, of course, basically the identity theft jackpot. Every account that needs verification that you’re you asks for that exact set of data, so now anyone can be you.
Additionally, Equifax adds, another 209,000 customers had their credit card numbers stolen, and another 182,000 customers had “personal identifying information” listed from dispute documents.
Am I affected?
The breach may impact as many as 143 million people. That’s approximately 45% of the entire U.S. population, so if you have a credit card or loan anywhere, odds are really quite high that yes, this means you.
What can I do about it?
Equifax is, as you would expect, offering to enroll people in complimentary identity theft protection service for a year — specifically, with TrustedID which is, of course, an Equifax company.
Equifax lets you fill in a form here to find out if you personally have been affected, though its results are less than clear. Filling out that form and clicking submit also automatically puts you in the queue to enroll in TrustedID Premier, whether or not you meant to do that. It also warns you that it won’t email or contact you to tell you when your enrollment date was, so you should “mark your calendar.”
For actually protecting yourself, best bet is probably going to be to proactively read, and then bookmark, the FTC’s identity theft guide at IdentityTheft.gov for the foreseeable future, and to — as usual — make sure you’re going over all of your account statements with a fine-toothed comb pretty regularly.
Consumer advocates say that Equifax’s offer doesn’t go nearly far enough. “Equifax should alert all affected people to the benefits of credit freezes and offer them to all Americans for free of charge with all three major national credit bureaus,” U.S. PIRG’s Mike Litt said in a statement.
“Credit freezes help prevent new account identity theft because they keep potential creditors from seeing consumer credit history, without which new accounts are typically not opened,” Litt added. “The firm should be held fully accountable by the Consumer Financial Protection Bureau.”
Editor's Note: This article originally appeared on Consumerist.