Equifax Just Lost 147 Million Social Security Numbers. Here's What To Do.

Yesterday, Equifax announced a data breach affecting 143 million Americans (later revised to 147 million). That's nearly half the US population. The compromised data includes names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers and credit card numbers.

This is the breach we've been dreading. Social Security numbers don't change. Unlike a stolen password or credit card number, you can't simply replace your SSN. This data will be used for identity theft for decades.

How It Happened

Equifax was breached through a known vulnerability in Apache Struts, a web application framework. The specific vulnerability (CVE-2017-5638) was disclosed and patched in March 2017. Equifax didn't apply the patch. Attackers exploited the unpatched vulnerability starting in mid-May and had access to Equifax systems for over two months before the breach was discovered in July.

Let that timeline sink in: a patch was available for two months before the attack began. Equifax didn't apply it. Attackers had access for another two months before detection. And then Equifax waited another month before disclosing.

This is the same story as WannaCry. Available patches, not applied. The scale is different, but the root cause is identical.

What Was Stolen

  • 147 million names, Social Security numbers, birth dates, addresses
  • 209,000 credit card numbers
  • 182,000 dispute documents with personal information
  • An unknown number of driver's license numbers

With this combination of data, an attacker can: open credit accounts, file fraudulent tax returns, access existing financial accounts, apply for loans, commit medical identity theft, and more.

What You Should Do Right Now

1. Freeze Your Credit (Do This First)

A credit freeze prevents new accounts from being opened in your name. You need to freeze at all three bureaus:

  • Equifax: 1-800-349-9960
  • Experian: 1-888-397-3742
  • TransUnion: 1-888-909-8872

Yes, it's ironic that one of the bureaus you need to freeze is the one that lost your data. Do it anyway. A freeze costs $5-10 per bureau in most states and can be temporarily lifted when you need to apply for credit.

2. File Your Taxes Early

Tax identity theft, where someone files a fraudulent return using your SSN, is going to spike. File as early as possible next year. Consider requesting an IRS Identity Protection PIN.

3. Monitor Your Accounts

Check your bank accounts, credit cards, and insurance statements weekly. Set up transaction alerts for all financial accounts. Review your credit report at annualcreditreport.com (the only truly free one).

4. Don't Trust Equifax's Website

Equifax set up equifaxsecurity2017.com for consumers to check if they're affected. Security researchers have pointed out that the site itself has security issues and that the "check if you're affected" tool gave random results in testing. Assume you're affected. Act accordingly.

5. Be Skeptical of Calls and Emails

Expect a massive wave of phishing attacks exploiting the Equifax breach: fake emails claiming to be from Equifax, the IRS, your bank, or credit monitoring services. Equifax will not contact you by email. Your bank will not ask for your SSN by email. If you receive a suspicious communication, ignore it and contact the organization directly through their official website or phone number.

For Practice Owners

Your employees are affected. Consider offering identity theft protection services or, at minimum, sharing this information with your team. A staff member dealing with identity theft is a distracted staff member, and the time investment to resolve identity theft is enormous.

Also review your own practice's data handling. If Equifax, a company dedicated to data security, can fail this badly because of an unpatched vulnerability, what vulnerabilities exist in your own systems?

The Equifax breach is a generational event. Its consequences will unfold over years. Start protecting yourself now.