the Equifax breach
I've gotten questions from a variety of people about the Equifax breach, and what it means to them in terms of potential ID theft.

In my opinion, it's clear that Equifax—and by extension, one can assume, all of the credit bureaus—haven't invested in adequately securing the data. I'd like to say I'm surprised, but it's clear that they are incompetents with a parasitic view of society who regard their account-holders as a nuisance (more on that below).

Assuming you have not already experienced identity theft, there are two simple precautions you can take.

1) Contact all of the credit bureaus in the country and have them put a "freeze" on your account (here's the Equifax link). This will mean that anyone trying to open credit in your name has to phone you. This isn't the default behavior at the credit bureaus because it slows down the shower of free money that is the credit bureau business model.

2) Open an account with a small company called Credit Karma to get alerts when something shady happens on your account. It's free. As a bonus, you get to see your "Beacon" score. They use the credit system of TransUnion. They can offer free services because they have advertisements for things like credit cards directly inside the reports they offer.

3) Check your credit report at each of the credit bureaus. You'll almost certainly find some mistakes (it's on us to clean these up) and this security mess just makes it more necessary.

It's a shame that securing this data is beyond Equifax and its ilk, but this incident has laid bare what monsters these people really are. The vulnerability that allowed this breach was published by researchers in March, and Equifax did nothing. The breach occurred in May, but Equifax didn't notice until the end of July.

Equifax then delayed advising its US cattle, I mean "clients", for six weeks following the breach, apparently so that their executives could sell stock in advance of the inevitable hit to the stock price. In Canada, the Equifax website currently says "We will be proactively contacting impacted customers by mail"—a funny use of the term "proactive", given it's been two months, and a funny choice of the slowest possible medium for sharing news.

They initially tied the "free" credit alerting service they flog to waiving the right to join a class action suit (attracting the attention of the attorney general's office). They've now dropped it, but they're still flogging a $20/month monitoring and alerting service that does the same things as the free service from Credit Karma.

When they were through with securities fraud and their summer vacations, Equifax set up a site so that people could determine if they'd been impacted, but then sent people to a bogus site set up by a well-intentioned individual (who I suspect will just get himself sued). Why a new site? I guess it's the sort of thing that happens when you've fired your CISO.

I've been ignoring writing about this mess, but the questions have kept coming, so I thought I'd write something. All of this was gleaned from public sources. Mistakes and ill-temper are my own.

© 2013 - 2019 werneburg information risk management inc.