Software used by the credit bureau Equifax to help consumers dispute mistakes on their credit reports provided a back door to hackers that allowed them to steal sensitive information on as many as 145.5 million people, the company’s former CEO said today.
The U.S. Department of Homeland Security notified Equifax and other companies about the vulnerability in the software application “Apache Struts” on March 8. But the company failed to put the necessary patch in place right away — allowing hackers to access sensitive information on Equifax servers on numerous occasions from May 13 to July 30, former Equifax CEO Richard F. Smith told lawmakers today.
Testifying before the House Committee on Energy and Commerce’s Subcommittee on Digital Commerce and Consumer Protection, Smith said the personal identifying information — “PII” — stolen by hackers included names, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
The credit card information of approximately 209,000 consumers was also stolen, as well as certain dispute documents with personally identifying information for approximately 182,000 consumers, Smith said.
“Equifax was entrusted with Americans’ private data and we let them down,” Smith, who stepped down as CEO on Sept. 25, told the committee. “To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize.”
Smith said that the March 8 warning from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team was disseminated to IT personnel throughout the company, but the vulnerable version of Apache Struts that needed to be patched was not identified.
After the patch wasn’t applied within the 48-hour period required by Equifax’s security policies, the company missed another chance to fix the mistake. On March 15, the company’s information security department ran scans “that should have identified any systems that were vulnerable to the Apache Struts issue,” he said.
But the problem wasn’t detected until July 29, when Equifax’s security department noticed and blocked “suspicious network traffic” on the consumer dispute website. When suspicious activity continued the next day, the company took the consumer dispute website offline.
It wasn’t until Sept. 7 that the company announced the security break publicly, saying 143 million customers were affected.
Additional 2.5 million consumers affected by breach
On Monday, Equifax said that Mandiant — the cybersecurity firm it hired to investigate the breach — had completed a “forensic analysis” that determined 145.5 million U.S. consumers were potentially affected. Equifax said it will mail written notices to all 2.5 million additional U.S. consumers identified by Mandiant since the Sept. 7 announcement.
Although the company said “there is no evidence the attackers accessed databases located outside of the United States,” about 8,000 Canadian consumers were affected, down from an initial estimate of 100,000. A forensic investigation into how many consumers may have been affected in the United Kingdom has been completed, but Equifax said it’s still holding discussions with regulators regarding the scope of consumer notifications.
Precautions for affected consumers
To make amends for the breach, Equifax is offering free credit file monitoring by all three credit bureaus, Equifax credit lock, Equifax credit reports, identity theft insurance, and Social Security Number “dark web” scanning for one year.
Consumers can learn whether they were affected by the data breach and access these free services through a dedicated website, equifaxsecurity2017.com.
Equifax was initially criticized for attaching terms and conditions to the free services that included a mandatory arbitration clause. Smith said the clause had been inadvertently cut-and-pasted from the terms of another Equifax service and “was never intended to apply” to the free protections.
The mandatory arbitration clause “was immediately removed as soon as it was discovered,” and more than 7.5 million customers have now registered for the program, he said.
Smith said that at the end of January 2018, Equifax will roll out a new service that will “allow consumers to control their own credit data, by allowing them to lock and unlock their credit files at will, repeatedly, for free, for life.”
Smith said he was “pleased to see the company move forward with this plan, which we had put in motion months ago, and which I directed the company to accelerate, as we were constructing the remedial package in response to the breach.”
Tips from federal consumer watchdog
The Consumer Financial Protection Bureau offers the following tips to consumers to protect their personal information from being misused.
1. Review your credit report. You can request a free credit report from AnnualCreditReport.com every 12 months, from each of the three major credit bureaus — Equifax, Experian and TransUnion.
2. The nuclear option: a security freeze. A security freeze keeps anyone — including yourself — from opening new accounts in your name. In most states a freeze lasts until you remove it, but in some states it expires after seven years.
3. Activate fraud alerts. Fraud alerts require lenders to take additional verification steps to make sure that you are the one making a request to open a new account, issue a new credit card, or increase the limit on an existing account. An initial fraud alert lasts for 90 days, although extended alerts for identity theft victims last seven years.
4. Pay attention to credit card and bank statements. If you notice a small amount has been withdrawn from your checking account and then returned, it could be a thief testing whether the small transaction will be noticed.
5. Watch for bills from unfamiliar companies. If you’re billed by a company you don’t recognize, someone else may have opened an account in your name. Contact the company to find out.
6. Shred documents with personal or sensitive information. Hard copies of your financial information should be stored in a safe place. If you need to dispose of them, be sure to shred them.
7. Change passwords. Be sure to create strong passwords for all of your financial accounts and don’t use the same password for multiple accounts. Don’t use information that might help thieves guess them, like your birthday, address or phone number.
8. File your taxes pronto. Scammers can try to use your Social Security number to get a tax refund — but not if you file before they do. Also, remember the IRS will contact you by mail. Don’t provide personal information in response to phone calls or emails that are supposedly from the IRS — they could be “phishing” attempts.
9. Take advantage of additional protections for active duty servicemembers. If you’re currently serving at home or abroad, you’re eligible for active duty alerts or a security freeze to reduce the risk of identity theft.
10. Watch out for your kids. The FTC warns that identity thieves “could use your child’s Social Security number to get a job or a tax refund, open bank and credit card accounts, apply for a loan or rent a place to live. It might be years before you or your child realizes there’s a problem.” If you think your child’s information has been compromised, the FTC recommends checking their credit report. In most cases, they shouldn’t have one.
Know your rights under the National Consumer Assistance Plan
In 2015, attorneys general in New York and 30 other states reached an agreement with the three major credit bureaus aimed at improving the accuracy of information that’s collected on credit reports and giving consumers more leverage to correct any errors.
Under the “National Consumer Assistance Plan” launched the following year by Equifax, Experian and TransUnion, credit bureaus must now wait 180 days before listing information they receive about unpaid medical bills on your credit report. They’ll also remove unpaid medical debts from your credit report if they’re paid by your insurance company.
Other consumer protection measures to be fully implemented by credit bureaus by March 2018 include:
- Debts that aren’t the result of a contract or agreement — traffic fines or parking tickets, for example — will no longer appear on your credit report.
- Debts that have been turned over to a collection agency or sold to a third party must include information about who the original creditor was.
- Consumers who request their free annual credit report from a credit bureau and successfully dispute information included on their report will be able to obtain another free credit report without waiting 12 more months.