You’ve been robbed. Don’t reach for your wallet or your car keys; they are not missing. But all the information in your wallet and the information about how you finance your car has been stolen.
The data breach — aka hack — of the credit agency Equifax resulted in millions of people’s personal information, including yours, being stolen. These thieves infiltrated the Equifax system because of a flaw in a software program known as Apache Struts, which is used to build web applications. Equifax was aware of the flaw and how to fix it but did nothing for months.
Apparently, the reason for the delay was that the fix was both labor-intensive and costly. It required Equifax employees to download the newest version of Struts and then rebuild all the older versions. So, the fix was put on the back burner. The company knew that a hacker could easily get your information, but decided to take the risk.
Of course, hackers then stole all the personal information Equifax had on you and 145.5 million other Americans. Essentially, they took the personal information of everyone with a Social Security number.
So, maybe you believe every company can or will be hacked. But how did those thieves decrypt the code protecting all your information? When asked about it at a congressional hearing, Richard Smith, the former president of Equifax, who had announced his sudden retirement just a week before he was to testify before the Senate Banking Committee, admitted, “To be very specific, this data was not encrypted.”
After failing to protect us, Equifax then directed anyone who contacted them to external websites that were supposed to inform people as to whether or not their records were stolen. However, many of these websites turned out to be scam sites, created to steal more of your information.
Before they told anyone about the data breach, a number of Equifax executives sold company stock, raising questions from federal regulators about whether they had committed some form of insider trading. Smith claimed in his testimony that the executives were unaware of the breach at the time they sold their stock, but the delay in telling the public raises real questions.
These hackers have stolen your name, your mother’s maiden name, Social Security number, driver’s license information, birth date, past and present addresses, and of course credit-card information. Equifax basically made it easy for them. “They only had to hack one unprotected company to get all of your personal information,” said John Sriro, CIPP/US, an expert on cyber law at Jaffe Raitt Heuer & Weiss, who recently blogged about this situation.
Sriro continued, “While you can cancel a credit card fairly easily, your personal information is perpetually valuable. You can’t change your birthdate or Social Security number; they will always be the same.” In that vein, Sriro said that everyone over the age of 62 needs to go to https://www.ssa.gov/myaccount/ and open a my Social Security account. According to Sriro, even if an individual is not planning to take Social Security when they turn 62, they need to open the account to prevent whoever the hackers sell your information to from opening an account in your name and selling your hard-earned Social Security money.
Sriro also suggests that everyone download a current version of their credit history and give it a careful review.
Also, he suggests that everyone consider freezing their credit. That way, if anyone tries to use your personal information to take out a loan, credit or services in your name, the creditor will be unable to pull your credit report, thereby creating a significant hurdle for creditors to extend credit in your name.
Sriro says you need to monitor your bank records, credit card charges and other bills carefully and, if you notice something out of the ordinary, contact the respective company immediately.
More Investigations Needed
The way Equifax has handled this breach calls for multiple investigations, and not just by Congress. Federal and state prosecutors and the Bureau of Consumer Protection need to take a close look at what happened.
Moreover, we need to demand that Congress put an end to the free-for-all sharing of consumers’ financial information.
Also, the use of our Social Security numbers as the linchpin of credit reporting must end. Consumers must be given free access to their credit report at any time and notified of any changes that are made to their credit history.
Credit reports should be “frozen by default” and should only be partly or widely disseminated with an individual’s blessing. Finally, we need to end the current culture that puts the interests of credit reporting agencies above our privacy.
This blog posting was first published in .