Saturday, September 9, 2017

Equifax Data Breach

Almost 2 years after we all witnessed the Experian Data Breach, we are now being informed about the Equifax Data Breach. With almost half of US consumers probably hit by this breach, Equifax made a statement that not all information was compromised. Well, if Name, SSN and Driving License details (though not in all cases) are compromised and the hackers have those details, what is Equifax trying to convey? More so, given where Equifax stands, does it have any way to explain how the attack was carried out over 2 months (May - June 2017) and Equifax could only uncover it somewhere in July? Doesn't this highlight the level of security measures, or the loopholes that exist in the overall system configurations and, more so, in monitoring the traffic as well as transactions? Didn't the Equifax CISO review the Experian hack and the ways he could have directed the team to act swiftly to ensure that they didn't fall into a similar trap? Sad but true, they did indeed fall into the sinkhole that was waiting for them, and no one else can be blamed but their Not So Productive approach.
So, where do we go from here? Should we accept registration with Equifax's "Trusted ID Premier" service, "free" for the next year? Would that be enough for them to prove their commitment to protecting consumers from any sort of fraud? Or wait, isn't this in itself a crony capitalism step by Equifax to exploit the situation and then charge us $19.95 a month thereafter until we cancel the service? It is important to note that the hackers wouldn't use that information immediately, for they would also know that, just like Experian's "Protect My ID" service, Equifax may also offer that service for free (which they indeed did). In all probability, the hackers may sell the database at a premium to fraudsters, and the fraudsters would exploit the vulnerable at a convenient time. Probably the Theft Protection cover being offered free for one year would be long gone by then. More so, I would not recommend that you sign up for Equifax's free service, as by doing so you would surrender your right to join a Class Action Suit should that happen.
Consider the specific situation of fraud happening a few months down the line, during the tax filing period, when the hacked information could actually be used for impersonation and filing taxes "AS" the consumer. That is the type of fraud that an ID Protection service would not be able to prevent, and the consumer would be left running from pillar to post to get the situation corrected.

The impact of this breach on consumers can only be estimated at this time. There is no confirmed way to identify the long-term impact on any consumer with a compromised identity until the compromise makes landfall on that consumer's account.

This, however, is not the first breach at Equifax or a group company, thanks to the horse blinders they have put on while assuming that Data Security is a priority for them. If we are horrified by the news that this data breach lasted two months, that they uncovered it only after 2 months, and that they waited another 4 to 6 weeks to make the disclosure, please search for the TALX breach, which was reported to have started back in April 2016 and continued for almost a year. Quite a lot of W2 data was compromised then too. Equifax didn't learn a lesson from that either.

Now, that's a sad story from the Organization that is tasked with storing our data but is not sincere enough to really secure it. Certainly, the business of the Organization is to compile and store the data to be used for marketing and cross-selling purposes. They need to keep the data accessible to be able to make more money than ever. But shouldn't the federal and state legislators ensure that organizations of this kind are regulated and made responsible for such breaches? Shouldn't there be a commitment by the US legislatures to have a regulation along the lines of GDPR and ensure that the requirement to disclose has a stringent deadline (72 hrs in the case of GDPR)? What most of the US states have is a "reasonable time period", or at the most 30 to 90 days. Gracious God, that's a lot of time for the hackers to misuse the data, leaving hardly any room for the consumer to step up and protect their interests.

From a consumer's point of view, what can be done? Most consumers would ask the same, and I am sure most of them would sign up for Trusted ID Premier for one year thinking that is the best step forward. But, as mentioned above, that would just prove to be another marketing stunt for Equifax rather than a permanent fix. After 1 year (or whatever time period they offer it for... maybe 2 years), even if half of those who sign up for the service sign out, Equifax would make millions per month charging the rest the fee.

I am sure that once the news spreads further, most consumers will start wondering what should be done now. I would suggest to visit and consider the following steps that are detailed there - 
  1. Place a Credit Freeze with your Bankers. This will make it hard for the hackers to act as you, but they can still misuse your credit cards.
  2. Limit and Monitor your Credit Card statement.
  3. Monitor your Credit Scores and reports on a regular basis. There are a few that may provide free service and updates; evaluate them and make a decision. Alternatively, obtain your 3 bureau credit report from (limited once a year though).
  4. Consider placing a Fraud Alert on your files if you choose not to go for a Credit Freeze. This would indicate to the institutions that they should verify that it is indeed you who is requesting an account opening or credit services.
  5. Ensure that you file your taxes promptly as soon as you get your W2 in hand. You shouldn't delay filing your returns as that may be a costly delay should a fraudster file them as you. And ensure that this step is repeated every year as you never know when your information may be misused.
P.S. - Would Transunion take a cue from the Experian and Equifax Hacks to ensure that they are up to the mark with the measures to Secure our Data?