by Lora Strum and Dan Cooney PBS.ORG
Equifax is facing nearly two dozen class-action lawsuits, along with a separate suit from the state of Massachusetts, over a massive data breach that compromised the personal information — names, addresses, birth dates and social security numbers — of more than 143 million people.
For those affected by the breach, the path forward is still unclear. While the credit reporting agency announced the breach last week, the breach actually occurred July 29, which means sensitive data from about half of the U.S. population has been available to hackers for weeks.
Here’s what you should know, and what actions you can take next.
Why did this happen?
No one is completely sure. Equifax told USA Today the hack was the result of an “Apache Struts” vulnerability. Apache Struts is free, open-source software used to create Java web applications. The credit reporting company is unsure of which Apache Struts vulnerability caused the breach.
A hack of this nature is known as a “zero-day,” meaning that it exploits a newly discovered vulnerability in a commonly used program, like Java, that doesn’t have a fix yet. Zero-day exploits are often trafficked to other hackers willing to pay upwards of $20,000 to gain access to the programming.
How can I find out if I was affected?
This hack is being called the largest credit-card-data hack in American history, and even if you haven’t seen any foreign charges in your account, experts recommend you check your status on Equifax’s website: Equifaxsecurity2017.com. You’ll be prompted to enter your last name and the last six digits of your social security number.
I’ve heard that if I enter my information in Equifax’s website, I lose my right to sue them later. Is this true?
Initially, Equifax had language in their credit monitoring agreement that would waive customers’ right to sue at a later date. New York Attorney General Eric Schneiderman tweeted Tuesday that “after conversations with my office, Equifax has now made it explicitly clear” that “no one will waive their right to join a class action” lawsuit.
What could happen to me if I’ve been hacked?
Clements said that a hack of this kind can lead to two types of fraud: account takeover and full identity takeover.
A case of full identity takeover would be when a criminal uses your social security number, birth date, address and name to open one or more new, false accounts in your name.
An account takeover, which can be just as damaging, is when a criminal assumes control of your existing accounts using some of this stolen information to pretend they are you, the account owner. In other cases, by using so-called “social engineering” (where a criminal masquerades as a representative of your bank or credit card company), criminals can persuade people to reveal pin codes or passwords for their accounts, which can then be used to steal your money.
What do I do?
You have a few options, but you must act now and you must follow up, says Clements. First, consider freezing your credit. Freezing your account will completely halt all access to your credit information, while allowing you to maintain your credit score, and will block hackers who may have stolen your information.
A less drastic response is to take Equifax’s offered one year of free credit monitoring to know if someone is using your information in fraudulent ways. But, Clements warns, the danger doesn’t disappear as soon as you activate credit monitoring or implement an account freeze.
“Social security numbers don’t expire,” he says of the ability of hackers to steal your identity today, tomorrow or 10 years from now. He urges anyone whose data was compromised to follow up year after year to make sure they’re still secure.
DCL: A good article, worth reading!