How secure is your credit data with consumer credit reporting agencies?

How secure is your credit data with consumer credit reporting agencies?

First let’s get all the facts. On Sept 7th, 2017 Equifax launched the site https://www.equifaxsecurity2017.com/ and announced that they have encountered “Cybersecurity incident” that potentially impacts 143,000,000 U.S. consumers. “Criminals” exploited a website application vulnerability to gain access to certain files. Based on an internal investigation the attack took place from mid-May to June 29th.

The information that was accessed in this attack were:

  • Names
  • Social Security Numbers
  • Birth dates
  • Addresses
  • Some Drivers license numbers
  • Credit Card number for approx. 209,000 customers
  • Dispute documents with Personal Identifying Information (PII) for approx. 182,000 customers
  • Limited PII for some UK and Canadian residents

Once Equifax discovered the unauthorized access they closed the vulnerability in their web application. Then they called in a “…leading, independent cybersecurity firm” that has been doing a forensic review to find what data has been compromised and how much of that data did the “criminals” get.  Equifax has also called in law enforcement and is still working with authorities.

Equifax has taken steps to help consumers find out if they are now at risk or could have been impacted by the attack and to sign up for free credit monitoring and identity theft protection with TrustedID Premier through Equifax. The monitoring includes:

  • 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports
  • Copies of Equifax credit reports
  • The ability to lock and unlock Equifax credit reports
  • Identity theft insurance of 1 million dollars
  • Internet scanning for Social Security numbers

Equifax recommend that anyone with additional questions visit their website www.equifaxsecurity2017.com or call their call center at 866-447-7559. The call center is open from 7:00 a.m. to 1:00 a.m. Eastern Time. They are also going to send mail notices to anyone who’s dispute documents with PII on it or credit card numbers were impacted. They have started to reach out to State and Federal regulators and they have sent written notices to all state attorney general’s that includes Equifax contact information for regulator inquiries.

“Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.”

The last statement that Equifax makes about the incident on their site is the quote above the rest is an about Equifax, Forward-Looking Statements, and contact for Ines Gutzmer who’s in Corporate Communications.

This points out that they didn’t see a need to protect their company and other peoples PII enough to pay someone to double check their cybersecurity work. This also brings forward why did it take so long for them not to notice a breach the size of nearly HALF of all American citizens. We depend heavily on the credit reporting agencies to fully protect our data since good credit is so vital in today society.

It is true that the scope of this is pales in comparison to the Yahoo breach of 2014 but the major difference is that the Yahoo breach while inconvenient didn’t necessarily give away PII to all 1 billion accounts or for that matter most accounts.

This attack is going to put nearly 44% of the US population at a higher risk of fraud and Identity theft. It could very well lead to ruining people’s lives and lively hoods since some jobs do credit checks, getting a loan or a mortgage requires a credit check, and sometimes even renting a car can require a credit check. This is the sort of leak that we never want to happen.

Then let’s look at the overall response to the attack. I took nearly five weeks to let consumers know that their PII could have been leaked. The site www.equifaxsecurity2017.com uses a stock WordPress install which is a problem because on that site to sign up forEquifax’s ID theft protection you must enter nearly all of you Social Security number minus the first 3 digits and your last name. A stock WordPress install doesn’t provide the needed site security for that sort of information. The site wasn’t initially registered to Equifax.  Cisco OpenDNS was blocking this site and was warning that it was a suspected phishing threat. Meanwhile the main Equifax site after the discloser was displaying debug codes, which for many reasons should never happen on a production server.

So, with the lack luster start, middle and finish to Equifax’s security the question come to mind what should be done and what could be done now to fix these issues not only at Equifax but at the other credit reporting agencies who, by my best guess, have the same level of cyber security Equifax did. I say did in the hope of them taking the advice of the cybersecurity firm they hired, which they probably won’t, and will have a much higher level of cybersecurity going into the future.

Source:

https://www.equifaxsecurity2017.com/

https://twitter.com/kennwhite/status/905988701670531072

https://whois.domaintools.com/equifaxsecurity2017.com

https://twitter.com/SwiftOnSecurity/status/906005134529966080

https://www.equifax.com/cs7/faces/jspx/login.jspx