“At this time, we do not have a database of impacted individuals. I am unable to tell you whether you are impacted,” Kevin, an employee of a third party customer service agency hired by Equifax explained.
One-hundred and forty-three million people have never felt more socially insecure than they do today. Forty-one days after an-ongoing investigation, Equifax, one of three major credit bureaus in the U.S., disclosed to the public that on July 29th, 2017, it fell victim to a massive cyber-security leak that could potentially impact 143 million U.S. consumers. As a result, shares in the company have dropped significantly. NYSE:EFX
The company indicated that it believes consumers personally identifiable information (”PII”) were exposed—including social security numbers, names, dates of birth, addresses, credit card numbers, and potentially driver’s license numbers.
Upon discovering the breach, Equifax immediately hired an outside forensics firm to investigate the breach to identify the source and potential effects it caused not just to the company, but to consumers nationwide. While the FBI investigation is still on-going, representatives of the company believe that the attacker(s) gained access to certain files by exploiting an application vulnerability. It is still unknown as to which application or vulnerability was the key allowing entrance into the company’s system.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Equifax chairman and CEO Richard F. Smith.
What Can You Do?
As of now, Equifax has informed the public that if you fear your information may be compromised, to visit Equifax Security 2017 to see if you were one of the individuals affected by the breach. Once the individual enters their name and last six numbers of their SSN, they will be given an Enrollment Date to which they will be allowed to check to see if their information has been compromised.
Additionally, the company through November 2017, is allowing consumers to enroll in TrustedID Premier, a 3-credit bureau monitoring service, also managed by Equifax, which will send the individual a message alerting them to whether or not their information has been compromised. In order to receive the message, the individual will need to input their name and the last six digits of their SSN.
Useful or Too Burdensome?
If a user chooses to enter their information on the Equifax website to see if they had been affected, one of three messages appear:
(1) That the user has indeed been impacted by the cyberattack;
(2) That the user has not been impacted; OR
(3) An unclear message listing a date at which the user could enroll in Equifax’s “TrustedID Premier” service without further information as to whether their identity had been stolen.
The third option listed a date and said:
“Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.”
For implications this massive, this tool proves more burdensome than useful. Adding to that, it’s also asking users to enter the very information consumers are warned daily about not to provide.
Time to Wake Up, These Execs Did...Insider Trading Alert?
According to Bloomberg news, three days after the breach, Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. Totaling almost $1.8 million in shares, none of these transactions were part of the 10(b)(5)-1 trading plans. The company indicated that these executives were not informed of the breach at the time. Ironic? The SEC is investigating the potential of insider trading as it pertains to these three executives.
This is a HUGE wakeup call to not just Equifax, but to TransUnion and Experian that ANYONE can fall victim to a cyber attack—especially a company who monitors and maintains almost the entire country’s personal information. These next few weeks will be essential in how Equifax and the FBI approach this serious attack and what data breach prevention policies (if any) are implemented and carried out.
Even more frightful is the company’s decision to wait 41 days AFTER discovering the attack and launching its investigation, to inform the general public that their entire identities and financial information could have been exploited and potentially sold on the black market is that 41 days have passed whereby consumers could have taken measures to determine whether they were victimized by the attack and how to go about safeguarding what credentials and information they have.
“I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith
Apologies Do No Justice, Do They?
But when it comes to PII, is a blanket apology like this enough to justify the delay in releasing this information critical to potentially half the nation’s consumers? We will find out.
It’s not IF a company will fall victim to an attack, it’s WHEN. Companies should plan to be attacked at any given time. To think otherwise is detrimental to any corporate structure and its consumer base.
Andrew Rossow is a Cyberspace and Technology Attorney in Ohio as well as a writer and global traveler. Mr. Rossow writes about law and technology and the impact it has on consumers, businesses, and the legal field itself through his #CYBERBYTE series. A native of Dallas, Texas, Andrew traveled on the Semester At Sea program where he was able to study and compare the current structure of the legal and technology markets of countries such as Brazil, Africa, India, Vietnam, and China and how it relates to the legal and technology field in the U.S.. Andrew received his Bachelor’s from Hofstra University in New York and graduated from The University of Dayton School of Law.
For more information, follow Andrew’s #CYBERBYTE series on Facebook at www.facebook.com/drossowlaw and Twitter at @RossowEsq.