Equifax, one of the major credit reporting companies that calculates credit scores for financial institutions and insurance companies, reported a massive security breach on September 7, 2017. The company reportedly lost control of customer data that included the Social Security numbers, birth dates, and home addresses of 145.5 million US citizens, including a number of driver’s license numbers, credit card numbers and dispute documents. In the UK, Equifax reported that 15.2 million records were targeted. Although the number might not be as large as some of the previous mega-breaches, the type of data stolen exposes affected users to a number of risks. The data can be used in identity theft scams, tax fraud, social security fraud and many other serious attacks.
In response to the breach, Equifax has set up a website with information about the event, allowing concerned individuals to check if they are affected by clicking on the “Potential Impact” tab. Those who want to check should make sure they're using a secure computer and a secured connection when doing this. Equifax has also offered a free year of TrustedID, which provides credit monitoring and identity theft protection. Initially, the company’s policy included a clause that customers who signed up for TrustedID could not participate in legal action against Equifax, but that statement has been removed from their site.
What to Do Now
Here are other steps we recommend you take if you are affected:
What to Watch Out For
The Equifax breach was reported in early September, but the company suggested the breach could have started as early as May 2017. That means that for more than three months, the data of 143 million people was left exposed and they were unable to take the necessary steps to protect themselves.
It’s not clear what the hackers have done or are planning to do with the data. Historically, we’ve seen this type of data traded in underground markets, where different criminals use it for different purposes. Certain information from the hack (SSN, birthdate, driver’s license) is classified as Personally Identifiable Information (PII), which is highly valuable to cybercriminals because it can be used in many different ways.
Whether you are directly affected by this specific breach or not, here are some threats to watch out for:
It is best to err on the side of caution and be watchful of any unusual emails or calls. For phishing attacks, check that the links in the email are legitimate and that the content looks professional. Also, any unsolicited contact is suspicious—you should initiate the contact and receive a reply.
In the case of fake websites, users should know: the site should be secure (using https), and the domain should be correctly spelled. Sometimes scammers will put up sites that look genuine at first glance, but are actually slightly misspelled versions of a legitimate site.
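The two checks above (https, and a domain that is spelled exactly right) can be automated for links arriving in email. The following is an added example, not code from Trend Micro or Equifax; the trusted domain `creditbureau.example`, the sample links and the function names are hypothetical, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: domains the reader really intends to visit (hypothetical name).
TRUSTED = {"creditbureau.example"}

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_link(url, trusted=TRUSTED, max_distance=2):
    """Return a list of warnings for a link; an empty list means no warning."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        warnings.append("userinfo-in-url")  # text before '@' is not the host
    if not host.isascii() or "xn--" in host:
        warnings.append("non-ascii-host")   # possible homoglyph spelling
    domain = registrable(host)
    if domain in trusted:
        return warnings
    nearest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= max_distance:
        warnings.append("lookalike-of:" + nearest)
    elif any(t.split(".")[0] in host for t in trusted):
        warnings.append("trusted-name-in-untrusted-host")
    else:
        warnings.append("unknown-domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for u in ("https://www.creditbureau.example/check",
              "https://www.creditbureua.example/check",
              "https://creditbureau.example.verify-id.test/login"):
        print(u, check_link(u))
```

An empty result only means the link passed these two checks; https by itself says nothing about who operates the site.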
Due to the nature of the data involved, users will have to be proactive and diligent about mitigating attacks and scams. The versatility of the stolen PII allows cybercriminals to get creative with their actions, and users should be prepared.
Trend Micro offers solutions to combat phishing and fake websites. Trend Micro™ Maximum Security provides multi-device protection so that users can freely and safely go about their business in the digital world. Maximum Security also includes ransomware protection, blocks malicious links in email and IM, and provides anti-spam filters as well as effective anti-phishing features.
Updated October 11, 2017
Updated with new data from Equifax investigation regarding the number of records targeted.