Main lesson after Equifax breach: Protect yourself

One year after massive data exposure, self-help is consumers' best protection

Fred O. Williams
Senior Reporter
Expert on consumer credit laws and regulations.

Lock

A year after Equifax revealed one of the worst data breaches in U.S. history, a big mystery remains:

 What are the hackers doing with the data?

"Equifax does not have any evidence that the data stolen during the incident has been used or sold," the credit reporting giant said through a spokesman.

  • On Sept. 7, 2017, Equifax first announced that an online database had been accessed, starting several months earlier.
  • The count of individuals affected was initially put at 143 million in the U.S., a toll that was later raised to 148 million.
  • The data accessed included Social Security numbers, names and addresses, and 209,000 credit card accounts, among other information.

See related: What to know, what to do about Equifax data breach

Too many breaches to track down

That type of data is a valuable trove for thieves intent on hijacking legitimate credit card accounts, or setting up fraudulent ones.

So far, however, the hackers seem to be sitting on it, at least according to the company. But others say that some misuse of the data cannot be ruled out.

"People are self-reporting through surveys ID theft issues," said Eva Velasquez, director of the Identity Theft Resource Center in San Diego. In individual cases of identity theft, with so many breaches on record, "it's impossible to tie that back to a single breach."

There were 1,579 data breaches tracked in 2017, according to the nonprofit center.

See related: 10 things you should know about identify theft

Lesson for consumers: Protect yourself

A year after the breach, the biggest lesson for consumers is to protect themselves from fraud and ID theft, she said, instead of hoping for lawmakers, regulations or harsh penalties to do the job.

"Good companies with robust cybersecurity can still have a breach," Velasquez said. "It's not going to stop happening."

As if to underscore the point, British Airways said that hackers had stolen information on customers who booked flights on its website between Aug. 21 and Sept. 5.

About 380,000 credit and debit card numbers and other card details were exposed, along with their owners' names and addresses, putting them at risk of fraud.

Here's an overview of major developments for consumers since the announcement of the Equifax breach.

"Good companies with robust cybersecurity can still have a breach. It's not going to stop happening"

Protections focus on consumer DIY

Credit freezes become free in all states starting Sept. 21.

  • Under a broad deregulation bill, Congress is requiring the major credit bureaus – Equifax, Experian and TransUnion – to provide a freeze and lift it on request.
  • Currently, costs set by state law are typically $10 each time the freeze is placed or lifted.
  • A credit freeze prevents your credit report from being accessed by lenders, blocking ID thieves who would open accounts in your name.

Initial fraud alerts are increased to one year, from 90 days. Fraud alerts on your credit report require lenders to double-check with you to make sure an application for credit is legitimate.

See related: How credit freezes work

An electronic system to fight synthetic ID theft, also known as child identity theft, was enacted.

  • Using it, lenders can check the Social Security Administration data to verify that a Social Security number given on a loan application belongs to the individual applicant.
  • The current, paper-based verification system is little used because it takes days to return the information.
  • Minors are at risk because the made-up Social Security numbers used in the scheme may be assigned to real people after fraudsters have used them to run up debts and skip out on payment.

See related: How to check your child’s credit report

Accountability on Equifax breach pending

In June, Equifax agreed to stronger cybersecurity measures in a settlement with state banking regulators.

The same month, it received notice from the U.S. Federal Trade Commission and Consumer Financial Protection Bureau that the agencies are considering legal action including injunctions and monetary penalties, according to its second-quarter financial disclosure report to the U.S. Securities and Exchange Commission.

Other investigations are being conducted by 48 state attorneys general plus the District of Columbia, the SEC and U.S. Department of Justice and the U.S. Financial Industry Regulatory Authority, among others.

"This is no happy anniversary. We’re still waiting for Congress to hold Equifax accountable and take action to prevent future breaches."

Payback time long in coming

  • Equifax offered free credit monitoring for a year to victims.
  • Anyone with an Equifax credit report can use a free app called Lock & Alert, which lets you lock and unlock your credit report almost instantly.

On the legal front, class-action lawsuits representing consumers have been consolidated into a case in the U.S. District Court in Atlanta under judge Thomas W. Thrash Jr. Individuals whose information was exposed in the breach are automatically part of the group seeking compensation.

  • When there's a proposed settlement, you should get a chance to accept, or opt out to preserve your individual right to sue.
  • You can still determine if your data was involved by using the lookup function on Equifax's breach information website.

The resolution could be slow in coming, however. Equifax describes the litigation as "in its early stages" in its second-quarter financial disclosure report.

The company has filed a motion to dismiss the consumer lawsuit on the grounds that it doesn't show people were injured as a result of the breach.

Deterrence lacking?

Consumer advocates say the relatively minor consequences for the company reduce incentives for corporations to safeguard people's data.

“This is no happy anniversary," U.S. PIRG consumer campaign director Mike Litt said in a July news release, a year after the initial discovery of the breach. "We’re still waiting for Congress to hold Equifax accountable and take action to prevent future breaches.”

Several measures to heighten standards for data security and raise penalties for lapses have stalled in Washington.

But Velasquez said that simply coming down hard on companies that have suffered a breach would oversimplify the problem.

Instead, it's important to examine whether the company used best practices and rigorous data protection standards, or was negligent.

"This is a very complex problem," she said. "There is a criminal element at work here – hackers and thieves – they're the ones we should be focusing our ire on."


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 09-18-2018