The second rule of data breaches should be (the first being don’t have one) to stop doing harm. On this account, Experian failed considerably.
First up, as covered by independent security blogger Brian Krebs in his post, Equifax breach response turns dumpster fire, the website Equifax put up functioned poorly (to put it mildly). When I visited the site, my experience was much the same as Krebs’. After I entered my data to request insight on my breach status, I was first shown a page that didn’t indicate whether or not I was directly impacted by the breach. I was given notice that I would be enrolled into the “complementary” credit reporting service they are offering. What did this actually mean? Did it mean I was compromised and was getting access to the credit monitoring? Or did it mean I wasn’t compromised? A few hours later I tried again, and I was informed that I “may” have been compromised. Not very definitive. Not very reassuring.
Another not very reassuring aspect, for me, of Equifax’s response is that it appeared that those who wanted to go through the process to see if they were a breach victim must waive their rights to take part in a class action lawsuit.
That struck me (and a lot of others) as ridiculous. Initially, while Equifax did have language in the process that required people to forgo class action options, the company – after widespread criticism – issued a statement clarifying that those using their site to determine if they were breach victims wouldn’t be exempted from any class action taken.
As if all of that wasn’t enough, it turned out that the PINs Equifax is providing customers who choose to freeze their credit aren’t randomized — but instead a timestamp — and relative to a randomized password are easier to guess. Not good.
I’ve been writing about information security and data breaches for twenty years and I don’t recall a public breach disclosure having been this botched.
Taking all of this into consideration, I still don’t trust the veracity of the information coming from Equifax. In addition to the user PINs not being random, others have reported that simply entering gibberish into the online form kicked back the same response as entering legitimate information. If true, it shows that the site was just tossed up and inputs were not being properly validated. I guess when one thinks about it, unchecked inputs aren’t so surprising after all.
According to the information provided to me by the Equifax breach information site, my monitoring starts on 9/12; I’ll report back how well the process works from there. But in the meantime, I’m not trusting Equifax and taking more action to protect myself. I think you should consider doing so, too.
Equifax has proven itself to be in over its head with this breach. They seem to have no data breach response plan for this event, and they have executed poorly accordingly. The communications to the public have been horrendous, and there’s been a good loss of trust as a result. It’ll take a long time for me to trust Equifax again, if ever.
So, with most adults in the US impacted by this breach, what should you do about it?
Well, you should certainly take advantage of Equifax’s free year of credit monitoring. You don’t have to have been part of this breach to get this, although you probably are part of this breach – the free monitoring is available to every American. It’s rather pathetic that Equifax is only offering this monitoring for a year. After all, it’s common for bad guys to hold onto identity information after a breach for a long time before acting on that data, reportedly until after all of the breach monitoring services and response have expired and people are less watchful.
The next step is the most important step you can take to protect your identity and that’s to contact all three credit bureaus and have a credit freeze placed on your credit at each. What this means is that no one will be (should be) able to open new credit in your name. This won’t affect your credit score and it won’t affect your relationships with existing creditors. You can do it at Equifax’s, Experian’s, and TransUnion’s websites.
Each credit reporting agency will provide you with a PIN that you will use to open your credit if you need to apply for new credit yourself (such as a car loan or a spanking new fancy leather couch). It doesn’t take too long. The last time I did it I think it took under an hour.
In addition to a credit freeze, you want to have each agency place a fraud alert on your credit file so that if anyone does try to open new credit they won’t just be blocked; you will also be alerted.
This is something I would do forever now, not just as a one-off thing as a result of this breach. It’s time we all consider our credit files, history, FICO scores, and social security numbers to be public knowledge. And it’s time we all take the proactive steps to ensure our data on ourselves is protected from crooks. After all, history has proven the credit agencies certainly won’t – or can’t – do so.