September 2018 marks the first anniversary of Equifax’s massive breach, which prompted calls for tougher security. Continuing hacks, however, prove that breaches won’t cease.
Editor’s note: This article was updated Oct. 2, 2018 to include new information about credit freezes.
A year after Equifax revealed one of the worst data breaches in U.S. history, a big mystery remains:
What are the hackers doing with the data?
“Equifax does not have any evidence that the data stolen during the incident has been used or sold,” the credit reporting giant said through a spokesman.
- On Sept. 7, 2017, Equifax first announced that an online database had been accessed, starting several months earlier.
- The count of individuals affected was initially put at 143 million in the U.S., a toll that was later raised to 148 million.
- The data accessed included Social Security numbers, names and addresses, and 209,000 credit card accounts, among other information.
Too many breaches to track down
That type of data is a valuable trove for thieves intent on hijacking legitimate credit card accounts, or setting up fraudulent ones.
So far, however, the hackers seem to be sitting on it, at least according to the company. But others say that some misuse of the data cannot be ruled out.
“People are self-reporting through surveys ID theft issues,” said Eva Velasquez, director of the Identity Theft Resource Center in San Diego. In individual cases of identity theft, with so many breaches on record, “it’s impossible to tie that back to a single breach.”
There were 1,579 data breaches tracked in 2017, according to the nonprofit center.
Lesson for consumers: Protect yourself
A year after the breach, the biggest lesson for consumers is to protect themselves from fraud and ID theft, she said, instead of hoping for lawmakers, regulations or harsh penalties to do the job.
“Good companies with robust cybersecurity can still have a breach,” Velasquez said. “It’s not going to stop happening.”
As if to underscore the point, British Airways said that hackers had stolen information on customers who booked flights on its website between Aug. 21 and Sept. 5.
About 380,000 credit and debit card numbers and other card details were exposed, along with their owners’ names and addresses, putting them at risk of fraud.
Here’s an overview of major developments for consumers since the announcement of the Equifax breach.
Update: Freeze your credit for free – online or by phone
Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.
Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”
- Under a broad deregulation bill, Congress is requiring the major credit bureaus – Equifax, Experian and TransUnion – to provide a freeze and lift it on request.
- A credit freeze prevents your credit report from being accessed by lenders, blocking ID thieves who would open accounts in your name.
Initial fraud alerts are increased to one year, from 90 days. Fraud alerts on your credit report require lenders to double-check with you to make sure an application for credit is legitimate.
An electronic system to fight synthetic ID theft, also known as child identity theft, was enacted.
- Using it, lenders can check the Social Security Administration data to verify that a Social Security number given on a loan application belongs to the individual applicant.
- The current, paper-based verification system is little used because it takes days to return the information.
- Minors are at risk because the made-up Social Security numbers used in the scheme may be assigned to real people after fraudsters have used them to run up debts and skip out on payment.
Accountability on Equifax breach pending
In June, Equifax agreed to stronger cybersecurity measures in a settlement with state banking regulators.
The same month, it received notice from the U.S. Federal Trade Commission and Consumer Financial Protection Bureau that the agencies are considering legal action including injunctions and monetary penalties, according to its second-quarter financial disclosure report to the U.S. Securities and Exchange Commission.
Other investigations are being conducted by 48 state attorneys general plus the District of Columbia, the SEC, the U.S. Department of Justice and the U.S. Financial Industry Regulatory Authority, among others.
Payback time long in coming
- Equifax offered free credit monitoring for a year to victims.
- Anyone with an Equifax credit report can use a free app called Lock & Alert, which lets you lock and unlock your credit report almost instantly.
On the legal front, class-action lawsuits representing consumers have been consolidated into a case in the U.S. District Court in Atlanta under Judge Thomas W. Thrash Jr. Individuals whose information was exposed in the breach are automatically part of the group seeking compensation.
- When there’s a proposed settlement, you should get a chance to accept, or opt out to preserve your individual right to sue.
- You can still determine if your data was involved by using the lookup function on Equifax’s breach information website.
The resolution could be slow in coming, however. Equifax describes the litigation as “in its early stages” in its second-quarter financial disclosure report.
The company has filed a motion to dismiss the consumer lawsuit on the grounds that it doesn’t show people were injured as a result of the breach.
Consumer advocates say the relatively minor consequences for the company reduce incentives for corporations to safeguard people’s data.
“This is no happy anniversary,” U.S. PIRG consumer campaign director Mike Litt said in a July news release, a year after the initial discovery of the breach. “We’re still waiting for Congress to hold Equifax accountable and take action to prevent future breaches.”
Several measures to heighten standards for data security and raise penalties for lapses have stalled in Washington.
But Velasquez said that simply coming down hard on companies that have suffered a breach would oversimplify the problem.
Instead, it’s important to examine whether the company used best practices and rigorous data protection standards, or was negligent.
“This is a very complex problem,” she said. “There is a criminal element at work here – hackers and thieves – they’re the ones we should be focusing our ire on.”