Eric Schneiderman for Attorney General

“PBS News: Affected by the Equifax Hack? Here’s What to do Now”

September 14, 2017

As published by PBS News, on September 13, 2017.

Equifax is facing nearly two dozen class-action lawsuits, along with a separate suit from the state of Massachusetts, over a massive data breach that compromised the personal information — names, addresses, birth dates and social security numbers — of more than 143 million people.

For those affected by the breach, the path forward is still unclear. While the credit reporting agency announced the breach last week, the breach actually occurred July 29, which means sensitive data from about half of the U.S. population has been available to hackers for weeks.

Here’s what you should know, and what actions you can take next.

Why did this happen? 

No one is completely certain. Equifax told USA Today the hack was the result of an “Apache Struts” vulnerability. Apache Struts is free, open-source software used to create Java web applications. The credit reporting company is unsure which Apache Struts vulnerability caused the breach.

A hack of this nature is known as a “zero-day,” meaning that this is the first occurrence of a vulnerability in a commonly used program — like Java — and doesn’t have a fix yet. Zero-day exploits are often trafficked to other hackers willing to pay upwards of $20,000 to gain access to the programming.

How can I find out if I was affected? 

This hack is being called the largest credit-card-data hack in American history, and even if you haven’t seen any foreign charges in your account, experts recommend you check your status on Equifax’s website: Equifaxsecurity2017.com. You’ll be prompted to enter your last name and the last six digits of your social security number.

I’ve heard that if I enter my information in Equifax’s website, I lose my right to sue them later. Is this true?

Initially, Equifax had language in their credit monitoring agreement that would waive customers’ right to sue at a later date. New York Attorney General Eric Schneiderman tweeted Tuesday that “after conversations with my office, Equifax has now made it explicitly clear” that “no one will waive their right to join a class action” lawsuit.

“Let me be clear: even if you use the free products by Equifax, you will retain your legal rights,” Schneiderman said in a subsequent tweet.

“They’ve made it very explicit at Equifax that you’re not waiving any legal right by signing up for this,” Nick Clements, co-founder of MagnifyMoney, a financial services organization, told the PBS NewsHour’s William Brangham during a livestream Wednesday.

One year of free bureau monitoring is “a nice way to get something in effect right away to give you some comfort on some of the risks,” Clements says.

What could happen to me if I’ve been hacked?

Clements said that a hack of this kind can lead to two types of fraud: account takeover and full identity takeover.

A case of full identity takeover would be when a criminal uses your social security number, birth date, address and name to open one or more new, false accounts in your name.

An account takeover, which can be just as damaging, is when a criminal assumes control of your existing accounts, using some of this stolen information to pretend they are you, the account owner. In other cases, by using so-called “social engineering” (where a criminal masquerades as a representative of your bank or credit card company), criminals can persuade people to reveal PIN codes or passwords for their accounts, which can then be used to steal your money.

What do I do?

You have a few options, but you must act now and you must follow up, says Clements. First, consider freezing your credit. Freezing your account will completely halt all access to your credit information — but allows you to maintain your credit score — as well as block hackers who may have stolen your information.

A less drastic response is to take Equifax’s offer of one year of free credit monitoring, so that you know if someone is using your information in fraudulent ways. But, Clements warns, the danger doesn’t disappear as soon as you activate credit monitoring or implement an account freeze.

“Social security numbers don’t expire,” he says of the ability of hackers to steal your identity today, tomorrow or 10 years from now. He urges anyone whose data was compromised to follow up year after year to make sure they’re still secure.

Did Equifax do enough to protect its customers?

“Ultimately every company is responsible for its own data security,” Clements says. But he also points out that the “convenience of the digital age” is having your information readily available online for the people you want — and don’t want — to easily access it.

“This is the new normal,” he says. “You have to assume that someone somewhere has stolen your info and is trying to use it against you. We have to become our own best advocates.”

Should my social security number remain my first way to authenticate myself?

One of the most critical pieces of data exposed in the hack is social security numbers. Combined with your name and date of birth, it’s a “perfect storm” for hackers, Clements says.

So what do we do? Clements says we need to find a better way to authenticate. He points to two-factor verification, where you must confirm your ID on two devices before logging in, as a step in the right direction.

What is Congress’ role in all of this?

On Monday, the Senate Finance Committee sent Equifax a long list of questions seeking answers about how the hack occurred.

“Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers,” the letter said. “If the names, Social Security numbers, birth dates, and other information of 143 million Americans are now in the hands of cybercriminals, this breach will cause irreparable harm to programs within this Committee’s jurisdiction by way of stolen identity refund fraud, healthcare fraud, and entitlement fraud.”

Clements suggests one way to prevent a hack like this from happening again is setting a minimum standard of security protocol, enforceable by the federal government. But it’s a “constant game of cat and mouse” to develop that kind of legislation, he said, because as lawmakers, the tech community and consumers get more savvy in preventing exposure, criminals get better at finding ways around our solutions.

Where else can I go for help? 

Clements says that you can pay for resolution services, which means you provide a firm with power of attorney to handle the dispute and legal response in the case of a hack.

Another option is to use government resources like IdentityTheft.gov. There, you’ll begin resolution services, going through the multi-step process to resolve financial damages stemming from a hack.