Hurricane Irma at about 8:00 am EST on September 8, 2017
NOAA GOES Project via Getty Images
By Robert Hackett
September 9, 2017

So Equifax got hacked.

The company, one of three main credit reporting agencies along with TransUnion and Experian, said Thursday that the massive data breach affects up to 143 million people—about half the population of the U.S. The compromised information, which Equifax believes to have been accessed in an unauthorized manner between May and July, includes names, addresses, birth dates, credit card numbers, and, most troublingly, Social Security numbers. Someone (or some group) hit the motherlode.

This is one of the gravest data breaches in recent memory—far worse in scope, if not size, than the billion or so account details Yahoo reported stolen last year. Attackers can use this sensitive personal information to run amok: fraudulently impersonating whomever they please, opening bank accounts or new lines of credit under victims’ names, filing forged tax returns and medical claims, applying for bogus loans, crafting personalized phishing attacks, or any number of other crooked schemes. These threats will follow people forever.

If that weren’t bad enough, Equifax marred its disclosure with glaring missteps. The company, which said it learned of the breach on July 29, kept everyone in the dark for six weeks—valuable time people could have spent taking measures to protect themselves. A few executives apparently tried selling shares of the company before the notice was made public. (Equifax claims that these execs, including its chief financial officer, weren’t aware of the breach at the time—a claim that, if true, is just as bad, but for different reasons.) And then there’s the company’s self-interested credit monitoring offer.

Not letting a good tragedy go to waste, Equifax has granted victims a year of its “TrustedID premier” credit monitoring service for free. Oh, great. Not only does the public have no reason to trust Equifax to handle its information securely, but the offer also gets people on the hook potentially to resubscribe once the 12 months pass, since the identity fraud problem has no end in sight. This strikes me as a practical joke of cosmic proportions.

Here are my recommendations:

  • Assume that you are impacted. If you wish to have absolute confirmation, check here.
  • Implement a credit freeze, as I have advocated in the past. This measure, which can cost around $10, places an extra layer of security on your file at credit bureaus. (You’ll have to lift the freeze whenever you’re looking to open a new credit or loan account.)
  • Keep your eyes peeled for fraudsters. Check your credit reports frequently.


Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.


THREATS

Equif@$%! As mentioned above, Equifax disclosed one of the worst corporate data breaches of all time on Thursday. Apparently, the breach was due to a vulnerability in Apache Struts, a piece of web software. Now that people’s identities are up for grabs, here are some tips for what consumers can do to protect themselves.

Power grid penetrated. A persistent hacker group has pried its way into the most sensitive digital nooks of hundreds of energy companies in the U.S., Europe, and elsewhere in recent months. According to Eric Chien, a computer security researcher at Symantec, these attackers have gained the ability to “flip the switch” and cause power grid blackouts.

Hurricane Irma scams. Hackers tend to exploit big news events and disasters to scam unsuspecting people. Be on the lookout for phishing scams and phony relief efforts related to Hurricane Irma. Scammers used the same tactics when Hurricane Harvey hit Houston last week.

Russian Facebook ads. Facebook said it ran subversive ads on its flagship social network for two years through May that were paid for by Moscow-backed entities. The company refuses to reveal which ads were sponsored by the Kremlinites. Twitter is reportedly preparing to brief Congress on a similar matter involving ads on its own social network.

If you like spy fiction, read this. Also, a shout-out to cybersecurity firm Palo Alto Networks for landing on Fortune’s 2017 Change the World list, and another congratulations to bug bounty startup HackerOne for making the “rising stars” cut.



ACCESS GRANTED

“Presumably, Facebook users would be better able to judge the veracity of a political message if they knew it came from George Soros, the Koch brothers, or a Putin-friendly troll farm in Russia. If we want to avoid similar problems in 2020, the law needs to update political advertising disclosure rules for the digital age.”

Mark Bartholomew, University of Buffalo law professor and author of Adcreep: The Case Against Modern Marketing, lays out why he believes rules for digital political advertising need to change following news that Russian operatives targeted the U.S. electorate with socially divisive Facebook ads.

ONE MORE THING

So it goes. While on the subject of fiction (cf. the final link in the “threats” section), the latest issue of The Atlantic ran a newly discovered, previously unpublished short story by Kurt Vonnegut, one of the 20th century’s all-time literary greats. The piece, which dates to the ’50s, before Vonnegut had taken up novel writing, is called “The Drone King,” and it involves the business of bees. It’s a perfect weekend read. (Fun fact: I used to write for the same college newspaper Vonnegut once edited, The Cornell Daily Sun. Regrettably, we served in different eras.)
