40 days after discovering data leak, Equifax warns that 143 million US consumers could be at risk

Unknown number of UK and Canadian consumers also at risk.

What's happened?

Equifax has announced that it has been hacked, and approximately 143 million US consumers may have had their names, social security numbers, dates of birth, and addresses accessed by criminals. In some instances, driver's license numbers have also been accessed.

143 million? That's just under half the population of the United States.

Approximately 209,000 US consumers have also had their credit card numbers exposed, and about 182,000 other US consumers have had other personal identifying information accessed.

An unstated number of UK and Canadian residents have also been put at risk.

Sounds disastrous. What does this Equifax company do?

They're a giant consumer credit reporting agency. The kind of company that can stop you from getting a loan, or being accepted for a mortgage, if you have been careless or unlucky with your finances.

They also offer identity theft protection for a business's customers and employees after it has suffered a data breach.

Oh, so you'd expect them to know a thing or two about the importance of protecting personal information?

Right. In fact, they're offering a whitepaper right now where they underline that most consumers want to be notified of a breach promptly:

Almost three quarters (73%) of GB adults online think that companies should tell them that they have experienced a data breach and 63% would expect to be notified of a breach within hours.

Notified within hours? How long did Equifax take to tell their affected customers?

Equifax found out about the breach on July 29th, and told the world on September 7th.

How many hours is that?

By my calculation it's been 960 hours (40 days) between Equifax finding out about the breach and warning the public.

What is Equifax doing about it?

Well, the CEO has made a video expressing his regret and apologising.

Equifax is offering free credit file monitoring and identity theft protection. Be aware, however, that TechCrunch is reporting that if you sign up for the protection service you may be waiving your rights to sue Equifax.

Hang on. So the company which lost millions and millions of people's identities is asking me to hand over my information so they can tell me if my details are at risk? Isn't that, umm, a little screwed-up?

Yeah, and you thought 2016 was a really bad year.

There are numerous reports that a page set up by Equifax to tell users if they might be affected (after entering their surname and the last six digits of their social security number) fails to live up to its promise.

Quite what UK consumers are supposed to do - we don't have social security numbers over here - is unclear. I guess the fact we don't have social security numbers is good news in so much as we can't ever lose them.

Who's to blame for this?

We don't know who the hackers are, and obviously they - ultimately - are the ones who committed a crime and are responsible for the breach.

However, many will be watching with interest to see what Equifax will share about the details of the breach and why it took them so long to warn consumers. There will also, no doubt, be many interested to observe what impact the breach has on Equifax's brand and reputation.

Data breaches can hit hard at all types of organisation, and there's no such thing as 100% security. However tempting it is to give Equifax a hard time, we have to remember that they are also victims of a crime.

But if a company that dedicates so much effort to promoting its identity theft monitoring services finds it has itself been hit by a colossal breach, there's a clear message for all businesses that no-one can afford to be complacent.

It takes years to build your company's reputation and earn your clients' trust, but it may only take minutes for it to be mortally damaged.

I think I'm affected. What should I do?

Well, you could try changing your name and date of birth and social security number. What's that? Oh dear... not so easy, is it? This is why it's so serious when companies lose your personally identifiable information. A password you can change; your personal details are probably always going to be the same - whether you like it or not.

Where can I find out more?

Equifax's dedicated website to deal with the aftermath of the breach: www.equifaxsecurity2017.com

11 Responses

  1. tom joad

    September 8, 2017 at 4:59 am

    You left out the part where the top three a-holes at Equifax SOLD MILLIONS IN THEIR STOCK just before the public release of their incompetence. Of course, in Trumpistan, they won't even get their wrists slapped FOR BEING CRIMINALS.

    • Mike in reply to tom joad.

      September 8, 2017 at 10:40 am

      Can I ask what you mean by Trumpistan?

      • Techno in reply to Mike.

        September 8, 2017 at 11:06 am

        It's midway between Obamaville and Clintonania.

    • Tom Smith in reply to tom joad.

      September 8, 2017 at 12:28 pm

      Insider trading is insider trading no matter who runs the White House. If what you say about insiders trading in advance of the public announcement is accurate, there is little chance it will not be investigated. The facts, not politics, will drive the outcome.

      Try to get over your state of disbelief. America seems to be doing fine in the reign of Trump. We survived every administration before and will this one, too, no matter your politics.

      Put another way, Nancy, get over yourself.

  2. Mark H

    September 8, 2017 at 9:39 am

    29th July to 7th September isn't 62 days. More like 40?

    • Graham Cluley in reply to Mark H.

      September 8, 2017 at 9:55 am

      Thanks Mark. Yes, that was quite a horrendous error by me wasn't it? Not sure how it happened.

      I expect my credibility rating will suffer now.

      • Mike in reply to Graham Cluley.

        September 8, 2017 at 10:39 am

        So long as it isn't your credit rating hey.

  3. Mark Jacobs

    September 8, 2017 at 12:18 pm

    I am in utter shock! Social security numbers? Driver's licence numbers? Names, addresses, phone numbers? It sounds just like the time the UK government sent a courier with millions of child benefit claimants' details stored in plain text on removable media, and the media got lost!

    • Mark Jacobs in reply to Mark Jacobs.

      September 8, 2017 at 12:20 pm

      Shortly after that happened, I received 5 separate credit card forms to return, which I'd never applied for, and my current account was hacked and transactions started to appear from Asia on my statement, despite me never having left the country!

  4. David L

    September 8, 2017 at 4:26 pm

    Hi Graham,

    You left out a warning about phishing? This seems ripe for abuse. I've warned several about not opening email links concerning this breach.

  5. Michael Ponzani

    September 8, 2017 at 5:10 pm

    Notified within hours? Watch what they do in combination with what they say.