The data breach disclosed by credit-reporting agency Equifax today (Sept. 7) may be the worst data breach in history when you combine what was compromised with the number of accounts affected.
According to Equifax, full names, street addresses, dates of birth and Social Security numbers for 143 million people were stolen by online criminals between May and July 2017. That information is all that a data thief needs to completely impersonate someone else — to have credit cards issued, mortgages obtained, loans made, utility accounts opened, even jobs taken or arrest records made in your name.
You can check whether you're affected by this breach at https://www.equifaxsecurity2017.com/potential-impact/. If you get a "thank you" and a date on which to enroll for the TrustedID identity-protection service, you're affected. If not, you'll get a message saying "Not Impacted."
If you've ever taken out a loan or applied for a credit card in the United States, you probably are affected. I just found out that I am, and for the first time in more than a decade of covering information security, I don't know exactly what to do.
Equifax discovered the breach July 29, and hasn't explained why it waited six weeks to inform the public — or why three company executives reportedly sold $1.8 million worth of Equifax stock in the interim. We'll leave those questions to the proper investigative authorities.
In the meantime, I would recommend reading through the guide on what to do if you're affected by a data breach. You don't need to worry about changing your passwords or canceling your credit cards for this breach, except for about 209,000 people whose credit-card info Equifax did lose, who will be individually notified by the company. (You can also read up on what to do if your Social Security number is compromised, and why it's so hard to get a replacement number.)
But you and I should contact one of the three major U.S. credit-reporting agencies — Experian, TransUnion and, yup, Equifax — and ask to have a 60-day credit alert put on your file. It's free, can be renewed every 60 days with no limit on renewals, and applies to all three agencies.
People directly affected by the Equifax breach will get one year of TrustedID identity protection, courtesy of Equifax. That's good. (Once the year is up, I'd recommend that anyone affected by the Equifax breach sign up and pay for commercial identity protection services for a few more years.)
However, all these measures may be mainly palliative. The horse has already left the barn — it did so back in June or July, to be exact. My "fullz" — thief-speak for a full set of personally identifying information — is out there to be bought or sold, and yours may be as well. All each of us can really do is hope that his or her own personal information doesn't end up being exploited.