Credit-rating company Equifax’s data breach, which involves an estimated 143 million people, isn’t the largest in history. Yahoo, after all, lost billions of emails in various data breaches. But it’s gearing up to be the worst data breach. And Equifax isn’t helping matters.
The big difference between Equifax and Yahoo is what information Equifax turned over. Yahoo email accounts are, by and large, worthless — a dedicated hacker might be able to socially engineer their way into a bank account or just wreak havoc with your life, but odds are slim. But Equifax, one of the three biggest credit-reporting companies in the U.S., has a lot more info than the log-in you used for Flickr in 2007. It has your Social Security number, your date of birth, your current and former addresses, and — in some cases — driver’s-license numbers. The class-action lawsuits are already being filed less than 24 hours after the information became public.
If any of this stuff sounds familiar, it’s because it’s the same info you provide to a bank to get a credit card, get certain types of jobs, or get a mortgage. This is important information, and nearly half of all Americans were involved.
Curious, I did a quick search through my Gmail, and sure enough, both my girlfriend and I had used Equifax when applying for an apartment in Los Angeles in 2012. The report has a very thorough rundown of our financial situations circa 2012, including detailed bank statements, information about our student loans, and both of our five previous addresses. In a pique of paranoia, I deleted both of the reports from my Gmail account (not that it really mattered, since I had emailed both reports to our landlord at the time).
Equifax has been singularly bad in handling this crisis. They failed to disclose the data breach for weeks. Per Bloomberg, chief financial officer John Gamble sold $946,374 worth of stock, president of U.S. information solutions Joseph Loughran sold $584,099 worth of stock, and Rodolfo Ploder, president of workforce solutions, sold $250,458. These execs allegedly sold the stock before they knew about the data breach, but as an editor once told me, it’s not impropriety but the appearance of impropriety that matters.
And the website they’ve set up to check to see if you were one of the 143 million people involved is, as Dan Goodin at Ars Technica pointed out, a stock installation of WordPress, without any of the security features you would expect out of a website asking you to give your last name and six out of the nine digits of your Social Security number. If you want to be a bit safer about the whole thing, call 866-447-7559. (The number, unsurprisingly, was busy the entire time I was writing this article.)
What to Do
Sadly, there’s not a ton you can do in this case. There’s the standard advice after a data breach: Change passwords if you reuse the same one (and, really, just install a password manager), turn on two-factor authentication when possible, and watch for any suspicious links or emails from Equifax or others.
You can also turn to the other big two credit-reporting agencies in the U.S., Experian and TransUnion, and make sure there haven’t been any recent inquiries made into your credit history. Equifax is giving away a free year of credit monitoring and identity-theft insurance, which you should take advantage of.
Finally, you should spend the next few months keeping a closer eye on your credit-card statements (and, especially, see if you’ve suddenly been signed up for new credit cards). Like most good financial habits, reading your credit-card statements is semi-boring but useful — especially in times like these.
But the bottom line is that a tremendous amount of data is now floating out there, either in the hands of criminals or a nation-state. Your Social Security number will never change; your past addresses will always be your past addresses. The effects of the Equifax breach will be felt for years to come.