Written by Angela Orebaugh, Statewide Program Director for Cyber Security Management and Information Technology at the School of Continuing and Professional Studies, and Jason Belford, Chief Information Security Officer.
Join Orebaugh, Belford, and McIntire School of Commerce Associate Professor Ryan Wright as they speak on Paranoia and Trust in the Cyberworld at More Than the Score on November 4, 2017. The event is free with registration.
Details continue to emerge regarding the Equifax credit reporting company cybersecurity incident. What we know thus far is that 143 million records may have been compromised, impacting about 45% of the US population. However, we don’t know all of the information that was actually exposed. Was it your personally identifiable information (PII) such as your Social Security number and birthdate? Was your entire credit file exposed? Equifax has stated that potential impacts include names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In addition, some credit card numbers and other PII may have been compromised. Until we have answers from a thorough forensics investigation, we won’t know the incident’s significance or long-term impacts.
Many people are likely wondering how a cybersecurity incident of this magnitude could happen at a company entrusted with such sensitive information. Did someone fall for phishing again? Not this time. This cybersecurity incident was the result of an unpatched vulnerability on a website. The attacker exploited the website application vulnerability to gain access to internal information. Although the patch for the vulnerability was released in March 2017, the vulnerable server was left unpatched and the unauthorized access took place between May 13 and July 30, 2017.
What do we do now to move forward and safeguard our information? First, visit the Equifax website dedicated to the latest information regarding the incident. From this website, you can click on Potential Impact to see if you are affected. Whether you are directly affected or not, there are several actions you can take to safeguard your information.
- Monitor your credit. Equifax is offering a year’s worth of credit monitoring and identity theft protection for free. Although this offer assumes that an unauthorized person(s) will attempt to use your information only in the first year, it is still worth taking advantage of the offer. You can also check your credit report annually for free by visiting annualcreditreport.com. If you identify suspicious credit activity, visit IdentityTheft.gov.
- Freeze your credit. A credit freeze will put a block on your credit so no one can open new credit accounts in your name. You can easily “thaw” and later re-freeze your credit when you need to open new credit (e.g. a new credit card, home or car loan). While it typically costs a nominal fee to freeze and thaw credit, Equifax is waiving the fee for credit freezes for a limited time.
- Monitor your bank accounts and credit cards. While freezing your credit file will help prevent new fraudulent credit activity, it may not help with other types of identity fraud. Even with a credit freeze in place, you should routinely check your bank, credit card, and other financial (including retirement and investment) statements.
- File your taxes early. Identity thieves will often try to get someone else’s tax refund by filing fraudulent returns under the victim’s name. Make sure you beat them to it by filing early.
We will continue to face identity and PII threats until we have a better system. Social Security numbers were not intended to be a single identifier number. Instead, they are intended to track your Social Security. Yet companies feel compelled to use this number for identification (who you are) and authentication (that you are who you say you are). The Social Security number has become vitally important everywhere. At a time when Social Security numbers are being exposed in countless breaches, there is no easy way to change them. We need to urge the companies we do business with, as well as our elected officials, to put a stop to the process of using the Social Security number for purposes for which it wasn’t intended.