By Robert Hackett
September 9, 2017

So Equifax got hacked.

The company, one of three main credit reporting agencies along with TransUnion and Experian, said Thursday that the massive data breach affects up to 143 million people—about half the population of the U.S. The compromised information, which Equifax believes to have been accessed in an unauthorized manner between May and July, includes names, addresses, birth dates, credit card numbers, and, most troublingly, Social Security numbers. Someone (or some group) hit the motherlode.

This is one of the gravest data breaches in recent memory—far worse in scope, if not size, than the billion or so account details Yahoo reported stolen last year. Attackers can use this sensitive personal information to run amok: fraudulently impersonating whomever they please, opening bank accounts or new lines of credit under victims’ names, filing forged tax returns and medical claims, applying for bogus loans, crafting personalized phishing attacks, or any number of other crooked schemes. These threats will follow people forever.

If that weren’t bad enough, Equifax marred its disclosure with glaring missteps. The company, which said it learned of the breach on July 29, kept everyone in the dark for six weeks—valuable time people could have spent taking measures to protect themselves. A few executives apparently tried selling shares of the company before the notice was made public. (Equifax claims that these execs, including its chief financial officer, weren’t aware of the breach at the time—a claim that, if true, is just as bad, but for different reasons.) And then there’s the company’s self-interested credit monitoring offer.

Not letting a good tragedy go to waste, Equifax has granted victims a year of its “TrustedID premier” credit monitoring service for free. Oh, great. Not only does the public have no reason to trust Equifax to handle its information securely, but the offer also gets people on the hook potentially to resubscribe once the 12 months pass, since the identity fraud problem has no end in sight. This strikes me as a practical joke of cosmic proportions.

Here are my recommendations:

  • Assume that you are impacted. If you wish to have absolute confirmation, check here.
  • Implement a credit freeze, as I have advocated in the past. This measure, which can cost around $10, places an extra layer of security on your file at credit bureaus. (You’ll have to lift the freeze whenever you’re looking to open a new credit or loan account.)
  • Keep your eyes peeled for fraudsters. Check your credit reports frequently.


Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.

