From May to July this year, criminal hackers broke into the computer servers of Equifax, one of three major credit reporting bureaus that keeps every American’s credit information, including names, addresses, social security numbers, credit histories, and more. On September 7th, Equifax announced that the attack took place and affected 44 percent of the US population, or virtually every adult with a credit history.
Anyone who is actively working to build or fix their credit is likely already familiar with Equifax, but many Americans have never heard of this company that was holding their most valued financial information. If you want to better understand who Equifax is, how over 140 million Americans’ personal data was leaked, and what you can do about it, follow along with this guide.
Who is Equifax?
In the United States, three large companies hold all of our credit data. These companies, also called the credit reporting bureaus, are Experian, Equifax, and TransUnion. Even though we never hired or picked these companies, we are all their customer in some form.
These companies track and hold all of the information for our credit reports and credit scores. In fact, the information they hold is so important that the United States government requires them each to give you a free copy of your credit report annually. You can get your government mandated credit reports for free at annualcreditreport.com from all three bureaus.
Equifax is a public for-profit company. They claim to hold financial information on 800 million individuals and 88 million businesses worldwide. Headquartered in Atlanta, the company has nearly 10,000 employees. The company earns over $3 billion per year in revenue and made nearly half a billion in profits in 2016. It goes without saying: this is a big, influential company.
Each time you apply for a credit product or open a new credit account, Equifax keeps track. Every month when you make on-time or late payments on your credit cards, mortgages, lines of credit, personal loans, and other borrowing products, Equifax keeps track. They supply this information to banks and lenders in the form of credit reports and credit scores, which are used to approve you for new credit products.
Whether we like it or not, we rely heavily on Equifax and its two major competitors. They had all of our information locked away in their computers for years, but this year some bad guys got in and stole our data.
How did hackers steal data from 143 million Americans?
Big companies use various software to maintain large databases of user information. One such tool, used to maintain website servers and correctly direct logins and user experiences, is called Apache Struts. Equifax and many other companies, and even many government organizations, use Apache Struts in their web experiences.
In March, the Department of Homeland Security found a major flaw in Apache Struts and shared this vulnerability with other users so they could fix the problem before bad guys used it to steal data. Many companies patched the issue. Equifax apparently did not.
Using the Apache Struts vulnerability, hackers broke into Equifax servers starting on May 13. Equifax noticed the problem on July 29th and shut down the application the following day. By that time, however, the damage had already been done. And Equifax waited more than a month to tell the public what happened.
The head of security for Equifax was fired after the breach. When she was fired, we found out some maddening information: she has no background in digital security. She was a music major in college. The Equifax CEO was also fired, and took home a $90 million severance.
What this means for each of us
Chances are, if you have ever had a credit card or other loan in the United States, at least in the last seven to ten years, your information was leaked. Equifax created a website to help you lookup whether you were affected, but the site itself does not pass many visitors’ sniff tests. Even if you don’t visit the page, you can assume your data was leaked.
The leaked data includes everything needed to open a new credit card or loan in your name. While we always have to be conscious of the potential for identity theft, we are all at a high risk of identity theft now. Even if you follow best practices for managing your personal information, if it is floating around on the internet, you can’t do anything to un-share it from the web.
Equifax offered a year of credit monitoring for free, which is also very frustrating. This implies that after a year, we should pay Equifax to monitor our credit! They caused the problem, and now they want us to pay for a solution! Lucky for us, we have some better options than going back to Equifax for help.
How you can respond to prevent fraud and identity theft
Depending on your level of worry about identity theft and fraud, you have a few options to keep your data safe. While there is only one major preventative step to take, which is both a hassle and has a cost, you have some free tools at your disposal as well.
Check your credit report now – Start by checking your credit report to make sure no damage has been done since the breach. Even before Equifax leaked our data, there was a risk of identity theft. Further, about 20 percent of credit reports have an error, so it is a good idea to take a look anyway. You can get your free annual credit report by law at annualcreditreport.com or other free credit reporting web sites. Just don’t enter a credit card number. That’s a sign it is not really free.
Sign up for free credit monitoring – Sites like Credit Karma, Credit Sesame, and Nav all offer free credit monitoring products. Learn more about free credit monitoring options and how to sign up here.
Put your credit on lockdown – The strongest action you can take to protect your credit is to lock your credit. You can do this through any of the three credit bureaus. My wife was a victim of identity theft in the past, and has kept her credit locked since to ensure the bad guy doesn’t get her again. Locking your credit prevents opening any new credit accounts under your name unless you first unlock your credit, which you can do for a period of about 48 hours at a time for a fee.
While Equifax is offering some of this for free for a year, you might as well sign up for something that is free indefinitely that is not provided by the company that caused the problem in the first place.
If you do find fraud or errors on your credit, file a dispute right away and lock your credit to prevent further damage. But for now, waiting and hoping nothing bad happens is the best strategy for some while a full credit lock is best for others.
Whatever you do, don’t ignore your credit. We are all at high risk of identity theft, so pay attention and be ready to react if something suspicious happens. Being prepare is the best response after this massive breach and puts you far ahead of most people.