At this point, you have probably heard that there was a hack at the credit bureau Equifax, where 143 million American consumers’ sensitive information (SS numbers, birth dates, addresses, driver’s license, etc.) was stolen, along with 209,000 Americans’ credit card information (and finally dispute documents with identifying information for some 183,000 Americans). This was not the largest breach in history (a Yahoo! breach a few years ago took that prize), but this was by far the worst breach in US history given the type of sensitive information that was taken. But many of you may not fully comprehend why it occurred, whether it was your fault (it was not), and precisely what steps you can take to fully protect yourself now that the “cat is out of the bag.” While we have already sent out an email on the matter, we are still getting a great deal of questions about it, so we felt compelled to write an article in order to take a deeper dive into not only the above, but also explain the many mechanisms in action that are already there to protect you.
In the end, the answer to the question of why the breach occurred does not particularly matter to most people (unless you are Equifax, the government, or a company that holds sensitive information). Since we fall in the last grouping, we have been following this closely, and we are certain you have some curiosity as to why it occurred (if you do not know already).
On March 8th, a team within the U.S. Department of Homeland Security sent Equifax (among others) a notice of the need to patch a particular vulnerability in certain versions of a piece of software called “Apache Struts,” an open source framework that many businesses use to build Java web applications. Equifax used it in its online disputes portal (a website where consumers can dispute items on their credit report). While Equifax has a 48-hour policy for patching key software, its employees failed to patch this one.
However, even though the team tasked with patching the software failed to do so, the Equifax security team also runs system scans that should have identified any vulnerabilities in its applications and software (such as Apache Struts), and it ran such a scan less than a week later, on March 15th. A full investigation is still ongoing, and as of 10/17, we do not know why the scan did not pick up the vulnerability in this particular software.
We know that on May 13th the hackers first gained access to sensitive information using this particular vulnerability, and that they did so several more times between that date and the end of July. On July 29th, the company’s security team noticed some suspicious traffic on the online disputes portal and immediately blocked it. On the 30th, the same suspicious traffic appeared again; the security team decided to take the portal offline, and notified the CEO the next day. The company then hired the independent cybersecurity forensics firm Mandiant, which analyzed the data to understand the scope of the issue (i.e., who was affected and how), how to fix it, and whether the hack was ongoing.
On August 15th, the CEO was told the answers to the above questions. On September 1st, the CEO convened the board of directors to brief them on the breach and on how the company would deal with it, and then notified the FBI. On September 7th, we, the public, were told what had occurred.
Why You Were Affected: A Brief History of the Credit Agencies
One question we have received is how exactly you could have been breached if you have never dealt with Equifax directly (or, for that matter, do not even know who they are!). Unfortunately, the fact that you do not know Equifax does not change the fact that they know quite a bit about you.
As you are probably aware if you have ever bought anything on credit, your credit report (and the score derived from it) contains a wealth of information about you. In the horse-and-buggy days, your family’s word was enough to purchase a variety of things on credit. Without a family reputation to vouch for them, however, it was difficult for people to buy on credit, which meant that most folks at the turn of the 20th century had to save up enough dollars (or, at that time, pennies) to buy the things they needed. Trust was needed on both sides of a transaction: with it, American businesses could offer goods on credit, which helped businesses sell more goods and helped Americans buy the things they needed without waiting to save up for them.
In 1898, the owner of a small Tennessee grocery store began compiling a list of customers he felt were trustworthy: people who always paid for their goods, had solid jobs or businesses, or were well known in the community. The store decided to distribute its list to other businesses, and the idea spread, extending credit where it was needed. The business grew and began to open new branches throughout the country; by 1920, there were 37 branch offices around the US. Equifax was born.
Over the next several decades, regional credit bureaus (Equifax was one of hundreds) gathered information for their specific locations. As time passed, they gathered more and more of it, unbeknownst to the consumer. In the 50s and 60s, this accumulation turned from helpful to sinister for the consumer. These early credit agencies focused their reporting efforts on negative or derogatory findings about their subjects (the consumers). Not only would they collect the typical past-payment information on consumers, they would also gather additional information that was used for unethical and nefarious purposes in credit decisions. For instance, some bureaus scoured newspapers for crimes committed, while others made note of an individual consumer’s ethnic background or race; many of these consumers were then blackballed from buying things on credit. When Congress got wind of this, it passed the Fair Credit Reporting Act (FCRA).
This new Act set standards for what type of information may be collected, which limited it to verifiable credit related information (ability to pay bills on time, defaults/delinquencies, etc.). As a result of this new Act, many credit bureaus went under or consolidated into the “Big 3” of credit agencies that exist today – Experian, TransUnion, and of course, Equifax.
So how do they collect information? This process is best explained by way of an example. Several years ago, in his youth, Anthony obtained his first credit card from Chase, which was his first foray into the world of credit. Before this point, he had no credit report whatsoever; the credit reporting agencies had no information on him. He had to fill out an application for the credit card, which contained several pieces of information about him (his name, DOB, address, and, most pertinent, his SS number). This information is sent to the credit reporting agency (per the FCRA), which then helps Chase decide whether to offer credit. The same goes for information on bills in his name (utilities, cable/internet, etc.). All of this information is compiled by the credit bureaus and used to create your ever-important credit score.
Thus, the government (per the FCRA) gave the credit reporting agencies the ability to gather all of these pieces of sensitive information about you. As a result, the hack was in no way your fault: so long as you have purchased something on credit or had bills in your name, your information was being sent to the credit bureaus without your express knowledge.
What Can I Do to Protect Myself?
The very first thing you need to do is to determine whether or not you have been hacked. You should go to Equifax’s security website at www.equifaxsecurity2017.com, and click on “Am I Impacted?” This will take you to the portal of an identity theft security company, TrustedID.com. At this website, you can put in your last name and the last 6 numbers of your social security number. The website will then tell you whether you were breached or not – if you were in fact breached, Equifax is offering free identity theft protection through Trusted ID through January 31st, 2018.
If you choose to enroll (and we would recommend that you do), you will click on “Enroll.” You will then have to provide additional information about yourself to verify your ID, including a valid email address/cell number. Within a few days, you will receive a link to activate your Trusted ID theft protection – you simply need to click on this link to verify your email once more, and your protection will be activated.
Second, you should be much more mindful about keeping an eye on both your credit report and your credit card/bank/investment statements. You can keep a close eye on your credit report by using one of the many sites online that offer a free credit report (Creditkarma.com, Freecreditreport.com, Annualcreditreport.com). We really like Credit Karma, since your credit reports are updated weekly and you can pull them as often as you like (the only downside is that they do not have Experian, only TransUnion and Equifax, but that should be sufficient unless you want all three). You should also be looking at your bank/investment/credit card statements at least monthly, if not more often.
In addition, there is protection that you will receive from each vendor. For your credit cards, each company where you have a card will generally watch for unusual charges (charges in a different location than is typical, out-of-country charges, larger transactions, etc.; the larger institutions have more sophisticated systems than the smaller ones) and notify you of such charges. Regardless, the onus is typically on the vendor where the purchase was made, so you should not be on the hook for any charges you did not make (there are, of course, exceptions). For your bank accounts, the institutions typically have a similar form of surveillance of your account to make sure the transactions are actually coming from you. However, even if an identity thief slips through and makes bank transactions on your behalf, you have some federal protection: the Electronic Funds Transfer Act (EFTA) will limit your losses, if you act in time. According to the EFTA, your liability for the losses you incur is limited as follows:
- If the error is reported within two business days, your loss should be limited to $50.
- If the error is reported within 60 days, your loss will be limited to $500.
- If the error is reported past 60 days, you will probably be out the money and any overdraft fees.
Lastly, there is some protection offered by your investment institutions. For instance, if a thief emails us and requests money on your behalf, our protocol is that we must call you to verify that you wanted the withdrawal (which protects against a thief who has access to your email), and even if a thief calls us and pretends to be you, we must still send a form for you to sign (in most circumstances). Thus, there is protection in place at each of these institutions.
Third, you could consider putting an initial fraud alert on your credit report. You simply need to notify one of the 3 main credit reporting agencies (Equifax, Experian and TransUnion) that you want to place such an alert, and they are obligated to notify the other two agencies. An initial fraud alert can make it harder for an identity thief to open more accounts in your name. When you have an alert on your report, a business must verify your identity before it issues credit, so it may try to contact you. The good news: an initial fraud alert is free to set up, and it allows you to order one free copy of your credit report. The bad news: it only lasts for 3 months, at which point you must set it again, and the credit reporting agencies are not the best at checking such alerts (hopefully, this will change given the breach).
Fourth, if a fraud alert does not make you feel protected enough, you can consider a credit freeze. A credit freeze prevents creditors from accessing your credit report (thus, preventing credit, loans and services from being approved in your name without your consent). In doing so, your credit score will not be affected in any way. To place a freeze on your credit reports, you need to call the credit reporting companies. There are three big ones — Equifax, Experian and TransUnion — and one smaller one, Innovis. You thus should freeze your credit at all four. You can conduct the freeze online, although it is much safer to call the numbers below:
- Equifax — 1-800-349-9960
- Experian — 1-888-397-3742
- TransUnion — 1-888-909-8872
- Innovis — 1-800-540-2505
Note that there are a few things to consider with credit freezes. First, if you decide you want to buy something on credit after your credit is frozen, you will need to unfreeze it before you can make the purchase, and this can take a few days to complete. Second, there is a cost: it will run you between $3 and $10 to freeze your credit at each bureau, and the same cost to later unfreeze it (however, Equifax is waiving this cost given the recent hack). While there are some headaches involved, freezing your credit is probably the best form of protection you have against identity theft.
Finally, you could also consider adding an identity theft protection service, such as Lifelock, Identity Guard, Credit Sesame, or the one provided by Equifax because of the hack, Trusted ID. As noted above, Equifax is offering identity theft protection through Trusted ID, but only for a single year. Thus, you could consider adding identity theft protection if you want an additional layer of protection; we have provided our thoughts on identity theft protection in our article entitled “How Do I Protect Myself From Identity Theft?” so we will not belabor the point here.
This recent hack was a very scary development, and we are sure you have plenty of questions/concerns. If you want to discuss any of the above further, feel free to reach out to either of us!
Karen DeRose and Anthony DeRose are registered representatives of Lincoln Financial Advisors.
Securities and advisory services offered through Lincoln Financial Advisors Corp., a broker/dealer (Member SIPC) and registered investment advisor. Insurance offered through Lincoln affiliates and other fine companies. DeRose Financial Planning Group is not an affiliate of Lincoln Financial Advisors.