Equifax disclosed on Thursday that hackers had breached their systems and stolen personal information of about 143 million U.S. consumers. The credit reporting company said that hackers gained access to consumers’ names, social security numbers, birth dates, addresses and driver’s license numbers. The cybercriminals also obtained 182,000 dispute documents with personal identifying information and credit card numbers for an estimated 209,000 consumers. The Equifax breach raises an important question. With the number and frequency of massive data breaches over the last few years, is identity theft protection no longer just a good-to-have?
According to the statement released by Equifax, the cybercriminals breached a U.S. website and accessed the data from the middle of May this year, and the company only discovered the hack on 29 July. This is worrisome, as sensitive information of affected consumers may have been exposed to fraud for more than ten weeks prior to discovery, and another six weeks before they were informed. Equifax earned some well-deserved criticism for taking its time to inform the victims and for its ill-equipped handling of concerned consumers.
Need for identity theft protection
To get more insights into the Equifax breach and how consumers can better protect themselves from identity theft, we spoke with Paige Schaffer, President & COO at the Identity and Digital Protection Services Global Unit of Generali Global Assistance.
We hear about hacks all the time. How is the Equifax breach significant in terms of the extent of damage to those affected?
In the last couple of years, we’ve definitely seen large-scale breaches, but the Equifax breach is a bit different for a couple reasons. First, the sheer number of people that are affected is significant: records of approximately 143 million U.S. consumers were leaked (that’s roughly 44% of the population). The information hacked included names, Social Security numbers, birth dates, addresses, and even driver’s license numbers. On top of that, another almost 400,000 people had their credit card numbers or dispute documents containing sensitive personally identifiable information (PII) accessed. The risk posed for those impacted is significantly greater in this breach because of how sensitive this type of data is; it’s not as simple as just changing your passwords to some online accounts or getting a new credit card. In this case, the potential ramifications are endless – victims may potentially see account takeovers, loan fraud, tax fraud, employment fraud, and the list goes on.
This is the third time in recent times that Equifax companies have been hacked. In your opinion, why are some companies targeted again and again? And what should these companies be doing differently to avoid being targeted again and again?
By nature of the business, a credit reporting agency is going to be a very data-rich environment. The treasure trove of personal data that they store is always going to be highly attractive to hackers. Unfortunately, there’s not much they can do as far as being targeted again. Obviously, it’s important for all companies that operate in this type of environment to strengthen their security procedures and always be at the forefront of implementing new data security technologies. Other businesses – specifically those that have the choice of collecting some PII – can definitely learn from this. Companies that store consumers’ Social Security numbers, addresses, dates of birth, driver’s license numbers, or any combination of this type of sensitive data, are going to be more of a target to hackers. A good rule of thumb is: if you don’t absolutely need specific pieces of PII, don’t collect it. In the end, the more data you have, the more attractive you will be to attackers.
It seems consumers have little control over their data especially when it comes to credit reporting agencies. What can an individual do to take back control or at least protect themselves from identity theft?
It’s easy to understand why consumers can sometimes feel like they have no control in regards to what information goes to credit reporting agencies, as they don’t have the option of electing not to do business with a credit bureau in the way that they might with traditional businesses. There are, however, many ways that consumers can protect themselves and help safeguard their information. If you’re not already checking your credit report regularly, start now! You’re allowed one free credit report per year from each of the three credit bureaus, and you can stagger those so that you’re seeing your report somewhat regularly. The earlier you catch any potential fraud, the easier it is to mitigate. Same goes for your bank and credit card accounts – be vigilant and make sure you’re frequently monitoring activity on those.
At the end of the day though, the best peace of mind comes from having an identity theft protection service you can rely on. Unfortunately, a lot of people look at it as just an added expense, when it really is an investment in your financial security. Looking at this breach specifically, Equifax waited 40 days to disclose the breach to the public. They’re now offering one year of free credit monitoring services to those impacted, but again, hackers already had 40 days to do what they wanted with the compromised data. Further, if a customer did opt to take this free post-breach protection, as it currently stands, customers are also waiving their right to take any legal action against Equifax in the future (this is in fine print and, unfortunately, is not an uncommon practice when it comes to post-breach monitoring services).
For those consumers who were affected but already had identity monitoring services, they fortunately would have been alerted should any of their information have been found on the deep and dark web (which is most often the destination in large-scale breaches such as this). In the aftermath of a data breach, consumers should also beware of phishing emails. A good identity theft protection service should also include some kind of online data protection software, such as Generali Global Assistance (GGA) Online Data Protection Suite, which is comprised of both anti-phishing and anti-keylogging software. GGA’s Identity Protection also includes identity and credit monitoring services which alert you at the first sign of suspicious activity so that you can take action immediately. And if you did find you were a victim of identity fraud, services also include 24/7 assistance from certified Resolution Specialists.
Do you anticipate a day when identity theft protection is as common as medical insurance? And would this be part of public “cyber health” services offered by governments globally?
We do actually; it will take some time to get there, but it’s not unlikely. Our company recently completed consumer research that revealed that 79% of consumers rank “being a victim of identity theft” as one of the top things they are worried about. Surprisingly, this ranked above fears of “becoming seriously ill or injured,” “being in a car accident that would seriously damage your car,” and “your home being robbed.” And yet, medical insurance, car insurance, and home insurance are all common today. We found this information to be pretty enlightening and could be a foresight into what’s to come in the identity theft protection realm. We’re almost at that tipping point where consumers are beginning to look at identity theft protection as a true necessity. It’s a good place to be, and so long as consumers are advocating for themselves and letting their local governments know that it’s not something any person should be without, now is the time for governments to start considering public “cyber health” services for all.
What other advice do you have for consumers to protect themselves against identity theft?
We live in a world where our personal data isn’t so personal anymore. We’ve all heard those identity-theft horror stories, but we’ve also heard many more people tell us about how their credit card account had random charges on it but their credit card company took care of it for them. In today’s digitally connected world, identity theft has become almost normalized, making it seem a little less scary. The Equifax breach will be an eye-opener for some, and with 44% of the U.S. population being affected in this breach, it’s hard to say what we’ll see down the road. The best course of action is to get an identity theft protection program that includes credit monitoring, identity monitoring, online data protection, and resolution services. The limited time frame of the free credit monitoring services offered by Equifax won’t protect you once it’s over – and the fraudsters are banking on that.
Equifax breach shows that identity theft protection may no longer be optional
Data breaches will only get bigger and more frequent. In the digital age, it is often difficult and sometimes outside of our control to prevent both private companies and public agencies from collecting, storing and using our sensitive personal information. While consumers must continue to demand stronger privacy mandates, press companies to take data protection seriously and hold them accountable, consumers may need to also take responsibility for protecting their personal data. At least for now, the Equifax breach shows that identity theft protection may no longer be optional.