Nearly half of Americans (143 million people!) are facing identity theft nightmares following a massive hacking attack on the credit bureau Equifax earlier this month. The company disclosed that the data breach involved highly sensitive personal information including Social Security and credit card numbers.
Why are people still talking about this breach (including Congress)?
This breach was especially dangerous because it gives criminals the exact information they need to drain bank accounts and steal identities. It is the third largest breach in history, but has the most serious impact on the American people.
How did the breach occur?
Equifax has been slow to fully disclose how the breach happened, but experts originally believed two possible smoking guns are most likely: phishing or malicious insider.
Phishing attacks—phishing attacks are one of the most common ways sensitive data gets leaked. Criminals are looking for very specific information from which they can take advantage of you—account numbers, Social Security numbers, credit cards, addresses, signatures—all of this information can be valuable in stealing your (or your staff or client’s) identity.
For business folks, criminals may send impersonating emails from key people on your staff (accountants or the CEO, for example) asking employees to open attachments or click on links to websites containing a malicious virus that may shut down your entire network).
Another way hackers crack into your networks is by sending sensational emails about your security—your account may have been hacked.
Be Aware: scammers are taking advantage of the Equifax breach to send fake emails claiming they are from Equifax, asking you to click on a link to a malicious site. Whatever you do, DO NOT trust email correspondence from Equifax or any other business which claims you’re a victim of an attack or hacking event.
Never click on links from these emails. At very least, copy the link into a browser to view the linking website (hackers tend to reroute links to malicious places). If the email seems fishy, contact the business by calling a published number on their website.
Malicious Insider—another very possible way Equifax could have been breached is through someone on their payroll that had access to these millions of identities. A malicious insider could send out to criminals or simply to the ethos (depending on motive) lists of sensitive information because of a grudge they hold against their employer, want to profit from the data or are blackmailed into divulging sensitive data.
Whatever the reason, if Equifax did not keep close attention on its users’ activity, they might not suspect malicious insiders even if they were the cause of their massive breach.
The actual cause of the breach?
Turns out Equifax might not have sufficiently patched their networks. Equifax reported last week that hackers were able to get through their Apache server (Apache software is what supports nearly 70% of web servers). Apparently vulnerabilities in Apache (Apache claims the patch was available to fix security vulnerabilities prior to the cyberattack) caused the security breach.
What could a breach do to Equifax?
It’s obvious already that Equifax has lost public trust for a variety of reasons.
First, how can consumers trust their personal data to a company that has been breached? Equifax has risked 143 million identities. Will the public ever trust custody of their sensitive information to them ever again?
Second, when coming up with a solution to help affected consumers, Equifax failed to properly address who was affected. By performing a simple test of their breach notification system, it was clear the company either was (1) signing unaffected people up for a year’s trial of their premium service or (2) they had no idea how to tell who was affected by the breach and were trying to cover their tracks.
It is clear to consumers that Equifax failed to protect entrusted sensitive data and then failed to appropriately notify consumers of the breach—both of which could lead to bad consequences. In fact, nearly 50% of businesses go out of business within the first year of a breach and another 30% close their doors within 2 years. If you hold sensitive data, shouldn’t you make sure you’re keeping it safe?
What should your business do to prevent breaches?
Vigilantly Monitor Your Network— your IT Support should be monitoring your network day in, day out 24/7/365. They should understand what normal activity looks like on your business network. If anything seems suspicious should look into the cause to be sure your network isn’t getting attacked or breached.
Routinely Apply Updates— applying operating system and software updates normally ensure that your business is accounting for latest security vulnerabilities. If your IT Support doesn’t regularly evaluate updates and patch your systems, you are likely vulnerable to attacks that could have been easily prevented. Here is a recent discussion of when to patch your network.
Train Your Users— while IT Support’s main goal is to keep your network humming, it also needs to make sure your users understand the current threat matrix. What are the latest attacks? How have hackers successfully gained access to other businesses? If your users don’t understand the basics of how they might let cybercriminals onto your network, will they be able to help keep it safe?
Consider a Security Audit—having your IT Support team say they are keeping you safe is good, but are they backing their claims up with empirical data? Network security assessments ensure that your business is dotting every ‘i’ and crossing every ‘t’ when it comes to latest security best practices.
Just in case you were one of the 143 million people affected by the Equifax breach, what are some simple steps you can take to ensure your identity is safe?
Check your credit reports—make sure your credit history doesn’t have any fishy activity. If someone has started using your identity as their own, these reports should give you some idea as to what they are doing. Get a free credit report from Experian or TransUnion by visiting annualcreditreport.com. For more information on identity theft, visit IdentityTheft.gov.
Carefully monitor your existing credit card and bank accounts closely—monitor your bank accounts for any suspicious activity. Check your last login date/time to make sure it makes sense. Review balances. Ensure you are alerted when cash is withdrawn or transactions are made.
Consider placing a credit freeze on your files—if you fear your information was disseminated to cybercriminals, consider freezing your credit on file. This will alert banks in the event someone tries to open new accounts in your name.
File your taxes early—to avoid becoming a victim of tax identity theft, consider beating the criminals from stealing your refund. Filing early can ensure that no one will try to submit and claim refunds in your name.
Most Importantly: Think before you react!
Instead of giving out your sensitive information, think if it makes sense that someone is asking you for it. Most spam or fraudulent emails will ask for information that you shouldn’t be handing out. Before responding to a pop up message saying your computer is infected or an email alerting you that your account has been hacked, take a deep breath and decide whether what you’re being asked for makes sense. If you think something is legitimate, consider calling the business to confirm (on a published line). Protecting your personal information is your first line of defense from becoming a victim.
Still unsure whether your data is safe? Zog is always here to help!