Equifax, one of the 2 major U.S. credit score companies, has been hacked.
Approximately 143,000,000 users' information was breached. This is almost half the population of the entire United States. To call this a big deal is the understatement of the century. Data captured by hackers includes names, addresses, social security numbers, and even credit card information of people Equifax had performed credit scores for.
Of course there is no such thing as a 100% secure data network, and hacks and data breaches happen all the time, but Equifax has been the target of criticism not only for their failure to prevent the breach, but for their treatment of the situation after it was discovered.
First, it took five whole weeks for Equifax to announce the breach to consumers after they learned that it happened. This is long enough for the hackers to have sold the information and for that information to be used to steal customers' identities.
Second, three Equifax managers sold their stock after learning of the breach, but before issuing a public statement. This could constitute insider trading, and they could face criminal charges for the sale.
Third, the source of the breach (which Equifax was reluctant to confirm) was a security flaw in Apache Struts that was actually patched 2 months before the attack took place, meaning it could have been avoided had the I.T. department been diligent with updates.
Fourth and finally, the tool released by Equifax for consumers to check whether or not their information was leaked is basically useless, often giving inaccurate results.
Okay, so all my data is in the hands of hackers. Now what do I do?
Use a service like Credit Karma to check your credit score and make sure no fraudulent loans, credit cards, or mortgages have been taken out in your name. If you see suspicious activity, dispute it immediately.
Change your passwords for any and all financial services, like your bank, retirement savings, or credit monitoring services.
And enable 2FA (two-factor authentication) on all your accounts. This means that you must enter a code from a text message or click a one-time-use link in an email in order to access your information. Yes, this is a pain in the butt, but requiring your account to be authenticated with email or a cell phone number makes it significantly harder for a malicious actor to commit fraud as you.