Equifax: Five things you should know about the raid on your data

Equifax’s headquarters in Atlanta. HYOSUB SHIN / HSHIN@AJC.COM

Equifax’s headquarters in Atlanta. HYOSUB SHIN / HSHIN@AJC.COM

Atlanta-based Equifax Corp. and consumers whose credit it tracks have continued to struggle with the fallout from a data breach that affected 143 million people in the United States, and more in other nations.

Here are five things you should know about the hacking incident — one of the worst so far — and how it affects you.

1. Protect yourself: You should take a number of steps to protect your personal identity and financial accounts, given the scope of the data breach.

Hackers got some of the crown jewels of identifying information, including folks’ Social Security numbers, names, addresses, driver’s license numbers, and credit card numbers in some cases.

That’s long-lived information that thieves can use indefinitely to set up fraudulent identities, to take out loans, to steal tax refunds, and to possibly raid some accounts.

Experts advise obtaining credit reports on yourself to check for suspicious activity; freezing your credit profiles at all three major credit bureaus; closely monitoring your bank and other accounts; and switching to safer “two-factor” sign-ins on your bank and 401(k) accounts.

2. Expect delays: Equifax offered free credit monitoring and, later, free credit freezes after disclosing the massive data breach on Sept. 7. Two Equifax executives retired shortly after the disclosure.

But the company’s phone lines and online sites have been swamped by worried people who reported being unable to get through, for days in some cases.

A check on Saturday afternoon of Equifax’s Tweets responding to consumers showed that it’s still having problems. The company’s ten most recent Tweets read something like this one: “We’re working diligently to improve customer experience including working to add capacity to handle both the online and call center volume.”

3. Expect confusion: Equifax also set up an online link, , where people can get updates on the situation, check to see if their personal information may have been compromised, and sign up for credit monitoring or freezes.

But the company ended up with egg on its face after it was discovered this week that a software engineer had set up a similarly-named fake site that some 200,000 people went to. Fortunately, his site was used to call attention to how easily Equifax's site was faked, rather than to go on a phishing expedition to steal information.

He later shut the site down and Equifax apologized for the “confusion.”

4. Risky business: Equifax's huge cache of many types of data on consumers make it a prime target for hackers. The company hasn't released many details on how the data breach happened. It disclosed that unknown hackers exploited a weakness in a software application known as Apache Struts and had access to company databases from May 13 until it was discovered in late July.

But industry and data security experts have cited a number of factors that may have increased the risk of the hacking incident. Apache Software Foundation said Equifax hadn't installed a software patch it issued in March. Equifax's fast growth may have exposed security and organizational gaps. Some critics said an earlier hacking incident exposed outdated security measures at the company.

5. Investigations: Equifax has been swarmed with investigations and lawsuits since fessing up to the data raid weeks after it was discovered.

The FBI is conducting a criminal investigation into the data breach. The Consumer Financial Protection Bureau and Federal Trade Commission are also looking into it. According to Bloomberg, the Department of Justice and the Securities and Exchange Commission are investigating $1.8 million of stock sales that three top Equifax executives — not the ones who retired — did a few days after the breach was discovered, but before it was disclosed to the public. Equifax said the executives, including its chief financial officer, didn't know about the hacking at the time of the stock sales.

Dozens of state attorneys general have also announced probes. Federal lawmakers in the House and Senate have scheduled hearings, and are drawing up proposed legislation to require perma-freezes on consumers’ credit profiles and other protections.

Meanwhile, more than 100 consumer lawsuits, most seeking class action status, have been filed against Equifax, or are in the works.