Equifax Story Roundup: Separating Fact from Fog, how to protect yourself


The “unthinkable” happened when Equifax, one of the three credit reporting agencies in the U.S., announced that attackers had breached its systems and potentially gained access to the files of 143 million consumers. According to Equifax, the culprits made off with names, Social Security numbers, birth dates, addresses, some driver’s license numbers, as well as credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.

That’s quite a haul. Since then there’s been some misinformation, stale information, and unconfirmed rumors circulating. Here’s what we know, and what you need to do to protect yourself.


First, how do I know I was affected?

You don’t, yet. While Equifax set up a site, https://www.equifaxsecurity2017.com, to provide consumers information on whether or not they were affected, the site doesn’t say so definitively. For instance, when I completed the steps to determine if I was affected by the breach personally, the response I received was: “Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier.”

While it’s helpful that Equifax is providing consumers credit monitoring, they are providing this not just to potential breach victims but to all Americans. According to their initial breach announcement, Equifax will send direct mailings to all consumers they believe were affected.

The safest course is to assume that all of your credit information has already been compromised and act accordingly. For what “act accordingly” means, see the conclusion of this post.


If I use the Equifax consumer information site, do I lose class action lawsuit eligibility?

No, thanks to the outcries of state attorneys general and others who took issue with the language Equifax initially used in their announcement, which appeared to limit consumer class action lawsuit participation options.

Following that outcry, Equifax issued a clarification, “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”


Equifax was breached by a flaw in Apache Struts.

Yes. This was an issue that initially caused some confusion. The day following the breach announcement, the New York Post reported that RW Baird & Co analyst Jeffrey Meuler said he was told that the breach leveraged a flaw in the widely used Apache Struts. Apache Struts is a free, open-source, extensive framework used to build enterprise Java web apps.

At that time, the Apache Foundation was not aware, either, whether the flaw that led to the breach involved Apache Struts.

However, since that time, it has been confirmed that Apache Struts was indeed the point of attack.


The free monitoring Equifax is providing will protect my identity.

Not so. The monitoring service will alert you after the fact that your information has been used by someone else — it won’t prevent that identity theft. What you need is a credit freeze.

To do this you need to contact all three credit bureaus and ask that the credit freeze be placed on your credit file. Do it at Equifax’s, Experian’s, and TransUnion’s websites. This won’t ding your FICO score, and won’t impact current credit. The only hassle I have experienced doing this is that one must “thaw” the credit freeze when applying for new credit. But the “hassle” is worth the additional security, in my view.

Since none of this is perfect, it’s also a good idea to place a fraud alert on each of your credit files as well. This way, should someone successfully open credit in your name you will be informed ASAP.


Security stories from around the Web and Boulevard on the Equifax breach:

Bloomberg News is reporting that both the CIO and CISO are out at Equifax, following the breach.

Our Lucian Constantin provides the latest detail on what we know about Equifax and the Struts vulnerability in “Equifax Confirms Hackers Broke In Through Apache Struts Flaw.”

In my exclusive story “Equifax Rated ‘F’ in Application Security Before Breach,” I report that for weeks prior to the breach, a security vendor report indicated Equifax was starting to slip when it came to its cybersecurity efforts.

Mark Stockley on “Equifax: woeful PINs put frozen credit files at risk.”

Jeff Peters provides his analysis and takes a peek at what the Equifax breach may mean in the months ahead in his post “Impact of Massive Equifax Breach Will Likely Ripple Into the Future.”

Malwarebytes provides excellent insight and additional steps to protect yourself from scams that may surface in the Equifax aftermath: “How to protect against identity theft.”

Independent security analyst Adrian Sanabria provides some “savage” (but fair) analysis on the breach in his post “Equifax breached, no eyebrows raised.”





George V. Hulme
