Equifax Data Breach 101

Last week credit reporting agency Equifax announced a data breach in which hackers gained access to data for approximately 143 million Americans (or approximately 44 percent of the population).  As some have noted, this is not the biggest data breach in history, but it may be the worst.

What Data Was Hacked

According to Equifax, the breach affected the following:

Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.

Equifax Response


Equifax has come under heavy criticism for its response.  It took six weeks to report the breach, and three of its top executives sold $1.8 million worth of their company stock following the breach.  Then the website Equifax created to enable consumers to determine if they were affected by the data breach initially required that consumers agree to mandatory arbitration of any claims, a requirement the company backed down on after a huge backlash.

Equifax was also criticized for attempting to make money off its breach by having credit monitoring services auto-renew after the free first year (with consumers being charged automatically).

What Next?

Equifax’s data breach will likely be investigated by the Federal Trade Commission, the Securities and Exchange Commission, state Attorneys General and Congress.  This could be an Exxon Valdez type of event that triggers further regulation of the credit reporting space or Big Data.

The New York Times’ “Seriously, Equifax? This Is a Breach No One Should Get Away With”:

Equifax, you had one job. Your only purpose as a corporation, the reason you were created and remain a going concern, is to collect and maintain people’s most private financial data.  Now you have fallen down on your only job — and spectacularly so. Hackers penetrated the spectral gauze of security surrounding your website, and over the course of nearly two months, they made away with the personal information of as many as 143 million Americans. It is the most important financial data available on any of us — our names, birth dates, Social Security numbers, home addresses and in some instances a lot more — and it was just sitting there on your site, all but wrapped up in a red bow.

So, Equifax, I have to ask: Now that you have failed at your one job, why should you be allowed to keep doing it?

TechCrunch was equally appalled, explaining:

This crass, callow, and lazy treatment of our digital data cannot stand.  . . . We must create new, secure methods for cryptographically securing our data… These old organizations — Equifax was founded in 1899 and hasn’t changed much since inception — must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

David R. Smith has a Twitter thread that details the many outrages associated with the breach.

Protecting Yourself

The Federal Trade Commission issued the following guidance after the Equifax breach:

  1. Consider placing a credit freeze on your files. Unlike credit monitoring (which alerts you after a potential identity theft has already occurred), a credit freeze makes it harder for someone to open a new account in your name. It is among the strongest precautions you can take. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts. It also requires you to “lift” the freeze if you want businesses, cell phone providers, lenders, or employers to be able to review your credit. There may be a maximum $5 charge with each credit bureau for placing, lifting, or removing a freeze (up to $15 per bureau). The FTC offers more information about credit freezes here.
  2. Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  3. Continue to check your credit reports at annualcreditreport.com. You can order a free report from each of the three credit reporting agencies once a year.
  4. Try to file your taxes early—before a scammer can. Tax Identity Theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS. Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt – even if they have part or all of your Social Security number, or they say they’re from the IRS.

In addition, you can visit Equifax’s website, www.equifaxsecurity2017.com, to:

  • Find out if your information was exposed. Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection anytime you enter it. The site will tell you if you’ve been affected by this breach.
  • Whether or not your information was exposed, U.S. consumers can get a year of free credit monitoring and other services. The site will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until November 21, 2017, to enroll.
  • You also can access frequently asked questions at the site.

Full Disclosure: When I was in law school, I worked for a firm that represented Equifax and covered hearings on Capitol Hill for them.