The Equifax Data Breach — Dispelling the Myths.

How You Can Protect Yourself.

(The 5 Universally Accepted Best Practices.)

Close to 50% of All Americans were impacted by the Equifax Breach.

You don’t have to be an Equifax Customer to be impacted.

Were You Impacted?

143 million people’s sensitive information was obtained including their addresses, dates of birth, Social Security numbers and more.  Anyone who has used any form of credit could be affected—You don’t need to be an Equifax customer.  If you were an Equifax customer, you could also be one of the 209,000 people whose credit card information was stolen. 

Equifax set up a website that you can visit to see if you’ve been impacted by the breach:  https://www.equifaxsecurity2017.com

How Does This Work?

When you go to borrow money from a lender, they send a request for information about your credit to Equifax, Experian or TransUnion. Your data is entered into a formula owned by Fair Isaac Corp. to calculate your FICO score, which is used by lenders to help determine who to lend to.

Consumers not seeking a loan can tell credit-reporting agencies like Equifax to freeze their credit report.

So, What Exactly Happened?

Here’s the timeline:

• March 8, 2017: Cisco engineers discovered a security vulnerability, and the software vendor released a patch for the vulnerability.
• March 10: Homeland Security sent a notice about the risk and the fix.
• Spring: Equifax supposedly addressed this vulnerability.
• Mid-May: Hackers gained entry (unknown at the time).
• July 29: Equifax security personnel discovered suspicious activity.
• August 2: Equifax called in FireEye (a security investigation firm) for help.
• August 2: Three Equifax Executives sold $1.8 million worth of stock according to the Wall Street Journal.
• September 7: The findings were released to the public.

The technical sides of this for those who want to know:

• Apache Struts is a widely used piece of open-source software used for interactive websites (where/how users enter data into a form on a web page). Equifax used Apache Struts on their web page for users to dispute errors in their credit reports.
• The flaw: When you entered data, it would hit the servers and open a hole for the entrance.
• Cisco found this vulnerability and alerted Apache in March.
• Apache immediately released a patch.
• Equifax claimed they were aware and applied this patch, but somehow it missed this particular server. (They’ve been extremely quiet about what really happened.)
• Not until the end of July did an engineer at Equifax notice any suspicious activity.

Who Did It?

We don’t really know. Firms that monitor the “Dark Web” haven’t seen a large scale of data there yet.  Most agree that it was an extremely sophisticated attack.  Some experts believe that it was a state-sponsored hack, but it’s really too early to tell.

Here’s What’s Really Important—How to Protect Yourself.

There are lots of opinions, and misinformation circulating—So, it’s not surprising that folks are confused. We’ve tried to consolidate and confirm information from reputable sources to provide you an unbiased opinion.

Here’s Our List of the 5 Universally Accepted Best Practices:

1. Set up Fraud Alerts with all your banks, credit companies (all three) and credit card companies.
2. Regularly check your credit report (annually). Every American gets one free credit report per year. Go to annualcreditreport.com. Do it now to establish a baseline.  This is easy to do and free.  There are no downsides to doing this.
3. Regularly monitor all your accounts (even the small transactions).
4. Freeze your credit. This has a high impact, but it’s worth the trouble.  It locks your credit files. However, companies that you already do business with will have access to them.  When applying for a loan, you’ll need to “thaw” your reports. There’s a small cost to do this (it varies by state).  It’s free in North Carolina.

Equifax is offering this for free, and unlike some reports you’ve heard, it won’t waive your right to join a class-action suit.  You must do this with all three providers.  In North Carolina go to http://www.ncdoj.gov/getdoc/e265b0c0-6a9c-4fef-a0a9-dce26b74227e/Free-Security-Freeze.aspx

This is a great way to prevent fraudulent use of your credit (opening new accounts, etc.) It limits the three big players from profiting on your data, and it won’t impact your credit, or ability to use existing credit cards.  There is the hassle of “thawing” your report, but we think it’s worth it.

5. Enroll in Credit Protection / Monitoring Services.

• This is an online solution that monitors and provides updates on your credit automatically.
• It looks at all three of the credit agencies.
• It’s being offered for free by Equifax if you sign up by November 21, 2017.
• It doesn’t prevent you from joining any future class-action lawsuits.
• Go to: https://www.equifaxsecurity2017.com/

This is a solid tool to keep an eye on your credit. The only negative: Do you really want to trust the group who’s already failed you once?  Note: Other companies typically charge anywhere from $10 to $20 per month for this service.

Some Frequently Asked Questions

There’s lots of confusion and misinformation due to Equifax limiting information. We’ll try to answer some FAQs for you here.

• “If I leverage a free service from Equifax, am I foregoing my right to be a part of a class-action lawsuit?”  No. You can take part in class-action lawsuits even if you sign up for their free service.
• “Are the other two companies providing similar offers?” No. Only Equifax offers this.
• “Equifax’s website is slow, and I can’t get through on the phone.”  What should I do?”  Equifax is addressing this, and it seems to be improving.  Keep trying.
• “I’ve gone to the website to set up my credit freeze, but I can’t get a PIN.  What’s wrong?”  Equifax said this is a browser issue, and if it’s not working on your first browser, try another.  Also, try calling them.
• “Equifax is refunding people who paid for a credit freeze before they decided to offer it for free.  Is this automatic?”  Yes, you’ll be refunded automatically.
• “Is this the final word?  Should I assume everything will remain the same?” No, this is a fluid situation and things are changing.  Stay vigilant and keep checking in for updates.

We hope this cleared up any confusion you might have had over the Equifax breach.  If you have any other questions, please feel free to contact us. We’re always ready to help.  (919) 424-2000 info@cspinc.com