I want to talk about the Equifax hack. It’s extremely important because if you’re an American, then there’s more than a 50% chance you’re affected and everything about you is at risk: Your full name, your date of birth, your social security number, your address, and more. This article will dive into more details about what it is, how it happened, and what you can do.
Who is Equifax?
Equifax is a consumer credit reporting company, one of the big three along with Experian and TransUnion. Anything that happens to you that involves credit, such as taking out a loan, applying for a mortgage, opening a credit card, using your bank account, paying (or failing to pay) bills, paying utilities, etc., is reported to these three companies. I won’t go into too much more detail, as there are a lot of articles about credit scores and how these three companies affect them. Anyway, the key takeaway is that all of your personal information, including your social security number (SSN), is kept by Equifax.
So, what happened?
On September 7th, it was announced that Equifax had discovered a potential breach in which all of this personal data was exposed as far back as July 29th, 2017. Apache, a company known for creating its service of the same name that enables people to host websites, has a product called Apache Struts. Apache Struts is a fantastic product that enables these servers to support various plugins such as REST, AJAX, and JSON. I won’t go into details if you don’t know what these are, but these plugins give developers more robust options when writing code. REST, specifically, allows developers to easily send or receive information through the use of an API (basically a reference sheet for how to send/receive data).
On September 4th, Bas van Schaik discovered a critical security flaw that had been affecting Apache Struts since 2008. He writes, “This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data. The lgtm security team have a simple working exploit for this vulnerability which will not be published at this stage.” More information here.
This is disastrous, to say the least. Essentially, if a developer knows how to access the REST API at Equifax, then they could execute code and potentially pull any data they choose. This is exactly what is believed to have occurred at Equifax on July 29th; the security team patched the vulnerability in September.
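Because the flaw applies to any application that ships the Struts framework together with its REST plugin, the first defensive step is knowing which deployed applications bundle both. The following is an added example, not part of the original article: it inventories packaged WAR/EAR files under a directory and reports any Struts jars found. It assumes jar filenames follow the Maven artifact ids `struts2-core` and `struts2-rest-plugin`, and it makes no judgement about versions, since the article does not list the affected ones.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: jar names follow the Maven artifact ids; versions are reported as found.
JAR_RE = re.compile(r"(?:^|/)(struts2-(?:core|rest-plugin))-([0-9][\w.\-]*)\.jar$")


def struts_jars(names):
    """Map artifact id -> version for Struts jars among archive entry names."""
    found = {}
    for name in names:
        m = JAR_RE.search(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def scan_archive(zf):
    """Struts jars in an open WAR/EAR, including WARs nested inside an EAR."""
    found = struts_jars(zf.namelist())
    for name in zf.namelist():
        if name.lower().endswith(".war"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                found.update(scan_archive(inner))
    return found


def inventory(root):
    """Return {archive path: {artifact: version}} for every app bundling Struts."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".war", ".ear"):
            try:
                with zipfile.ZipFile(path) as zf:
                    found = scan_archive(zf)
            except zipfile.BadZipFile:
                continue  # corrupt or mislabelled archive: skip it, keep scanning
            if found:
                report[str(path)] = found
    return report


if __name__ == "__main__":
    for app, found in inventory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        note = "REST plugin bundled" if "struts2-rest-plugin" in found else "no REST plugin"
        print(f"{app}: {found} [{note}]")
```

Applications deployed as unpacked directories are not covered; point the same filename match at their `WEB-INF/lib` folders instead.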
What can I do?
Equifax launched a website (https://www.equifaxsecurity2017.com/) to help you discover if you’re affected by the breach. Click on the “Potential Impact” button. Read the information and click on “Check Potential Impact” again, where you can enter the last four digits of your social security number and your last name. It will tell you whether or not you’re impacted, and automatically sign you up for TrustedID Premier for a year. This company will monitor your credit score and notify you if anything looks suspicious.
You should take additional steps too. Monitor your credit cards and bank statements closely for the next year. If you use a service like Mint, as I do, then it will make it easier to centralize and monitor your accounts. I understand if you don’t feel comfortable providing them that information, but you should absolutely monitor statements regardless.
If you notice any activity that is suspicious, contact your provider immediately. For example, if you have an account at US Bank and see something suspicious, call them immediately! Ask them for more information about it and possibly get your account frozen, or in a worst-case scenario, changed.
I heard something about lawsuits, but if I sign up I don’t get anything?
This is misinformation. There is a massive class action lawsuit that could reimburse anyone affected up to $500. Of course, once legal fees and taxes are taken out, you may see very little of it. However, every credit card company and a majority of banks do offer reimbursement for fraudulent activity.
One thing that people have pointed out on social media is that there is terminology on the website above saying that if you check your impact, you are voiding the class action lawsuit. This is true. However, it cannot be upheld in a court of law, as there is a regulation that protects consumer rights for a class action lawsuit. Thus, you can still sign up and be a part of the class action lawsuit. If you’re affected, you should see a class action lawsuit letter come in the mail within the next 6 months with additional details of how to proceed.