To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.
The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:
Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.
And there’s more. Smith said:
As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.
There are a lot of questions surrounding this breach:
Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.
Equifax will also have to explain what it means by a “website application vulnerability”. Security experts chewed on that question on Twitter on Thursday, with ZDNet security editor Zack Whittaker asking why the company would store a bunch of sensitive databases on a webserver.
Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.
Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. To that end, we suggest the following:
- Equifax says people can click a link on its website to see if they’ve potentially been impacted by submitting their last name and the last six digits of their Social Security number. Go there now. Furthermore, those affected will be given a date to enroll in free ID theft protection and credit monitoring services.
- Change your Equifax password and security questions immediately, especially if you use them on multiple accounts. As a rule of thumb, don’t use the same security questions and answers for all of your accounts. Equifax is the latest to suffer a breach, but it certainly won’t be the last. Changing your credentials and varying them from one site to the next gives you some protection.
To that end:
- Make all new passwords different and difficult to guess. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
- Include upper- and lower-case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.
- Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to the question: “what’s your favorite food?” – you only have to give an answer that you will remember.
- Use two-factor authentication wherever possible.
We’ll update this article as more details become available.