Earlier this month, consumer credit reporting agency Equifax reported a cyber attack affecting the data of approximately 143 million Americans. The scope of the data breach combined with the character of the data stolen amounts to an unprecedented cyber theft – here’s more information and tips on how to keep your data safe:
According to Equifax, hackers exploited a vulnerability in a web application framework called Apache Struts, tracked as CVE-2017-5638, to gain access to the 143 million credit files, 209,000 credit card numbers, and 182,000 credit dispute documents. The Apache Foundation, which oversees the widely used open source software, said “The Equifax data compromise was due to failure to install the security updates in a timely manner.” The vulnerability was announced and patched by Apache on March 7, 2017, and modifications were completed by March 10, 2017. The Equifax data breach occurred from mid-May through July.
The five-week delay from discovery of the breach on July 29, 2017 to the September 7, 2017 public announcement is understandable given that Equifax hired a cyber security company to perform an assessment to determine how and when the information was compromised. However, the company’s chief financial officer, presumably someone on the short list of executives to be notified of a cyber security disaster, sold more than 13 percent of his Equifax stock on August 1, 2017, a transaction generating proceeds of $946,374. The company stated that CFO John Gamble and two other high-level employees who sold stock on August 1 and 2 were unaware of the data breach at the time of their stock transactions. Equifax stock closed at $146.26 on August 1 and $98.99 on September 13, a loss of one-third of its value post-disclosure.
What you can do
To see if you have been affected, go to www.EquifaxSecurity2017.com – there are consumer updates posted to this page along with a link at the bottom of the page called “Potential Impact.” Click this link and then click “Check Potential Impact.”
Keep in mind that there are three major credit reporting bureaus: Equifax, Experian, and TransUnion. Each company retains information on consumers’ credit transactions, loans, payments, FICO scores, etc. The information stolen from Equifax could be used to open credit cards and apply for loans where the lending institution might have a business arrangement with one of the other credit bureaus; therefore, it is not sufficient to isolate your attempts to block fraudulent use of your data with Equifax. If you plan to file a fraud alert or freeze your credit file, make sure you do this with all three credit reporting bureaus.
Filing a fraud alert puts the credit bureau on notice that your personal information has been compromised. This should result in the bureau taking additional steps to ensure that changes in your account, including inquiries related to opening new credit cards and loans, are being done by you or with your permission.
A credit file freeze blocks attempts to review your account for new credit cards and loans. Keep in mind, however, that access to your credit files is granted more often than you might imagine, and generally for legitimate purposes. For example, buying furniture over two years with no interest requires the financing company to access your credit file to determine your credit worthiness. E-signing a tax return, something that is gaining acceptance in my own CPA practice, requires the signer to confirm information that is contained in their credit file.
Fraud alerts, account freezes, and credit file monitoring are not free. Although the monitoring program for affected Equifax customers is free for a year, you must consider the cost of the additional steps not only with Equifax but with Experian and TransUnion as well.
You have had the ability to acquire one free credit file report per year from all three bureaus for many years. Looking at these reports is essential to identifying potential fraudulent transactions. Go to www.annualcreditreport.com or call 877-322-8228 to request your free credit report which includes information from all three bureaus. Do not call the bureaus individually or get tricked into visiting one of the many “free credit score” websites that are, in the end, not free.
Finally, the information breach may well be used to e-file fraudulent tax returns, both Federal and state, in an effort to claim a refund. These fraudsters file early in the tax season hoping to get their version of your tax return through before you file your legitimate return. This activity has netted billions of dollars of refunds that vanished into temporary bank accounts and pre-loaded debit cards. Legitimate taxpayers have waited to have their tax returns processed, some having refunds of thousands of dollars held up for months.
Currently, the IRS only provides security PINs to taxpayers who have had fraudulent returns filed using their Social Security numbers. The 6-digit PIN is then required for all future tax return filings. Unfortunately, this “take action after the fact” approach does nothing to protect taxpayers from potential fraudulent returns being filed using the Equifax information.
For more information about the IRS’ program, go to https://www.irs.gov/identity-theft-frau…/identity-protection.
The Massachusetts DOR has information at: http://www.mass.gov/…/individua…/identity-theft-information/.
Attorney General’s actions
Massachusetts Attorney General Maura Healey announced that her office is filing suit against Equifax: http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-09-12-intent-to-sue-equifax.html
Take this situation seriously and stay up-to-date regarding further consumer options that are sure to become available as we progress through the aftermath of this unprecedented cyber theft. My office will continue to communicate new information as we become aware of it.