On Thursday, Equifax, one of the largest credit reporting agencies in the USA disclosed that it is investigating a data breach that may have impacted approximately 143 million Americans.
According to the company's statement, the hack took place in late July. The following information was accessed:
- Social Security Numbers
- Birth Dates
There were also some instances where credit card numbers, driver's license numbers and other personally identifiable data was accessed.
Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud.
Active credit card numbers can fetch higher prices on the dark web than even those other types of more revealing personal data, because they are usable immediately and without much additional work.
Equifax is one of the three biggest credit-reporting companies, a super-powerful entity that generated $3.1 billion in revenue last year operating behind the scenes helping banks, insurers and employers assess people's creditworthiness for loans, jobs and credit cards.
On Thursday evening, a proposed class-action lawsuit was filed in Portland, Oregon, federal court, alleging Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It's also offering free credit-file monitoring and identity-theft protection.
Criminals took advantage of a "U.S. website application vulnerability to gain access to certain files" from mid-May through July of this year, Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.
The Federal Bureau of Investigation said in a statement that it was aware of the hacking incident and was "tracking the situation as appropriate."
The attack reported Thursday is the most high-profile cybersecurity breach since online portal Yahoo announced two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.
The financial industry has rolled out tools to prevent thieves from abusing troves of stolen credit-card numbers. A few years ago, banks in the U.S. began embedding computer chips on cards to prevent criminals from forging their own with much simpler magnetic stripes.
The technology generates new codes for each transaction. The codes on stripes are static, making them susceptible to duplication. Still, stolen card numbers can be useful at cash registers that don't accept chips or for shopping online.
What to do
It could be wise for consumers to take even more extreme measures to lock down their information, outside of the routine advice like checking your credit reports regularly and seeing if there are any abnormal transactions on your bank accounts and credit cards.
The strongest possible option a person can take immediately is placing what's known as a credit freeze on their credit files with the major credit bureaus - Equifax, TransUnion and Experian. A credit freeze locks down a person's information, making it impossible to open new accounts and bank cards in their name. But locking your credit also locks you out from opening new accounts as well.
Consumers will need to be even more diligent about checking their credit reports. U.S. law gives every American the right to pull their credit reports for free once a year from the major credit bureaus. It's best to spread those requests out over the year - do one every four months, experts say.
People can also request to change their Social Security number with the Social Security Administration if they have repeatedly been a victim of identity fraud under their original number.