After Equifax Breach: Hurricanes Overshadow Massive Cybersecurity Storm

As all eyes turned toward the Caribbean and Florida this week in essential preparation for Hurricane Irma, Equifax announced a different kind of unprecedented ‘incident’ that could significantly impact half of the U.S. population. Here’s what you need to know and how to respond to protect your identity and your family.

Just as conditions started to improve for millions of Texans following Hurricane Harvey, another category 4/5 storm named Hurricane Irma dominated news headlines this week — and rightly so. As of Saturday morning Sept. 9, millions of Floridians have evacuated and/or moved into shelters to prepare for this monster storm with dangerous, destructive power.

Meanwhile, Equifax announced another very significant incident that received plenty of media attention, especially from the technology, security and financial communities, but it is also being somewhat overshadowed by the extreme, life-threatening weather.

CALL TO ACTION: Despite "too much information" coming at us right now on numerous important media topics, I urge all Americans to still pay attention and take immediate action regarding this Equifax data breach. I list those actions later in this blog.

Without question, the first priority for all those in the path of Hurricane Irma is to move to safety — as the Florida governor and so many others are urging. Nevertheless, the rest of us need to take action to protect personal identities and safeguard personal data.

Background on Equifax Incident

Here are some of the major media reports regarding the Equifax incident:

Ars Technica: Equifax website hack exposes data for ~143 million US consumers — “Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed.”

Wired magazine: The Equifax breach exposes America’s data crisis — “… With Equifax's revelation that 143 million Americans may have had their SSNs stolen (along with other sensitive personal information), security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves. …”

ABC News: What to know about the Equifax data breach — “Among the steps listed given the parameters of the Equifax breach, the FTC suggests placing a credit freeze or fraud alert, to prevent or make it more difficult for a third party to open accounts using personal information; filing your taxes early to keep others from claiming your refund or using your Social Security number to gain employment; and canceling credit and debit cards and requesting new ones.”


The Cost of a Data Breach

There has been plenty of research, discussion and numerous reports on the cost of a data breach over the years. However, the loss of confidence in Equifax after this announcement has led to a 14 percent drop in its stock price, which (at the time of this blog) amounts to more than $2 billion in lost market cap. One big question is whether this drop is short-lived or not.

Here’s an excerpt from Marketwatch.com:

“Shares of Equifax EFX, -13.66% finished down nearly 14% at $123.23 Friday, with shares touching an intraday low of $117.25, on volume of more than 16.8 million shares by the close, the highest volume day ever for Equifax stock, according to FactSet data. The average daily trading volume of Equifax shares over the past 52 weeks is just under 681,000 shares. Friday marks the worst one-day percentage drop for the stock since August 1999.

The impact to Equifax will likely be to the company’s business-to-consumer segment, which only accounts for 7% of revenue, said Andrew Steinerman, an analyst with J.P. Morgan who has an overweight rating and a $167 price target on Equifax.”

Another related financial aspect to this story is that Equifax executives sold shares immediately following the time when the data breach details became known.

“Three executives of Equifax sold shares worth nearly $2 million in the company days after a data breach was found to affect 143 million consumers in the United States, filings to the Securities and Exchange Commission showed.”

Another aspect of this Equifax data breach is that regulatory gaps have surfaced, according to the Wall Street Journal.

Several lawmakers and political activists have criticized Equifax and have taken additional steps:

  • NY Attorney General Eric Schneiderman tweeted: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it." He then announced he's launching a formal investigation into Equifax and that his office will be watching closely.
  • John Thune and Bill Nelson sent Equifax a letter: "This announcement raises a number of concerns given the sensitivity of the personal data implicated and, consequently, the severity of risk consumers may face. As one of the three major credit reporting agencies in the United States, Equifax collects highly sensitive information on American consumers."
  • Richard Blumenthal: "There is no excuse for Equifax's failure to strengthen its cyber-systems after suffering several previous breaches. The Federal Trade Commission must investigate this breach to assess whether Equifax did everything it could to secure all its systems given the sensitive nature of the consumer data it holds."
  • Consumer Watchdog Group said California's AG Becerra "should block Equifax's attempt to push its victims into arbitration and investigate why public notification of the breach was delayed so long."

What Should We Do? Best Advice So Far

I really like the advice and announcements made by the National Cyber Security Alliance and StaySafeOnline.org following the announcement of this data breach. Michael Kaiser’s quotes are excellent. Here’s a copy of the NCSA letter sent out, which points to other websites as well:

Washington, D.C., Sept. 8, 2017 – Equifax announced a major data breach yesterday affecting some 143 million Americans’ personal information. According to the company, the data breach left Social Security numbers, driver’s license numbers and other sensitive information at risk sometime between mid-May and July of this summer.

“Major breaches like this one remind us that it is critical for internet users to remain continually diligent about practicing good cybersecurity habits,” said Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA). “As our connected world grows and vast amounts of information is collected and stored, the scale of data breaches is likely to grow. Businesses and organizations that accumulate data must operate with a deep understanding of the value of that data to cybercriminals and the other risks to their customers, employees and networks. It is essential they employ a comprehensive approach to cybersecurity and be prepared to respond if a breach occurs.” 

Fortunately, Equifax is reporting no evidence of unauthorized access to core consumer or commercial credit reporting databases at this time. Nevertheless, NCSA urges all Equifax users to take action now to secure their accounts. Equifax is offering complimentary identity theft protection and credit file monitoring. Information can be found at equifaxsecurity2017.com/enroll.

Following any breach, everyone can better protect their accounts by following these steps to stay safer and more secure online, including:

  • Lock down your login. Use strong authentication — more than a username and password to access accounts — to protect your most valuable accounts, including email, social media and financial.
  • Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
  • Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post-breach). For more information, visit the Federal Trade Commission website identitytheft.gov.
  • When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts, and get information only from legitimate sources.

This data breach happens as the nation prepares for National Cyber Security Awareness Month, an effort co-founded and co-led by NCSA and the U.S. Department of Homeland Security to educate businesses and all digital citizens about staying safer and more secure online. More information is available at staysafeonline.org/ncsam.

Final Thoughts

Last week, I promised to return to the topic of hurricane response and actions following Harvey and Irma. I still plan to do that blog soon. Nevertheless, the unprecedented nature of this credit agency data breach, as well as the fact that Irma has not yet made landfall in Florida, caused me to slightly alter my plans.

Some experts claimed that taking advantage of the free monitoring service offered by Equifax may forfeit possible rights in a class action lawsuit, so you need to decide if that is important to you and make your own decision on that specific topic.

But most important, I urge all readers to pay attention to the events related to this massive Equifax incident, and take steps to protect your own identity.

 

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.