Equifax Breach: The Bigger Picture, Identity, Impact, and Advice

This is the fourth blog in the running series on the Equifax data breach.

  1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
  2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
  3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
  4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
  5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
  6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!

The Bigger Picture

While the media storm surrounding the recent Equifax data breach, continues its fever pitch, it’s important to keep in mind this is far from the first breach of a credit bureau. In fact, Experian has had its own dealings with a large breach when it had to contend with (and disputes) the exposure of up to 203 million records after the purchase of Court Ventures. Looking at the three major Credit Bureaus, there have been over 140 incidents reported involving various units of the big three entities. While some of the incidents impacted relatively low record counts, it speaks to a larger problem regarding their protection of sensitive information. Russell Brandom wrote an article for The Verge titled “Our entire credit bureau system is broken: The massive Equifax breach is a symptom of a much larger problem”. Ignoring the error of this being the “biggest public breach in the history of credit reporting”, Brandom makes a good argument about the problems surrounding credit bureaus having so much valuable data linked to widely compromised data points like a Social Security number and date of birth.

It is also important to remember that the average person is not an Equifax customer. Banks, credit card companies, landlords, insurance companies – the organization seeking information on an individual’s credit worthiness are the key customers of the credit bureaus.While  Credit Bureaus are likely have your information, it wasn’t because you voluntarily provided it to them. You don’t have a customer / business relationship with them. Instead of using the term ‘customer’, it is more appropriate to call yourself their ‘product’, and as David Brock points out:

Proving Identity & Victim Concerns

Perhaps the biggest concern facing the victims of the Equifax breach is that with the disclosure of sensitive personal information, how will they prove their identity? Even if you interact with Equifax directly, Emin Gün Sirer‏ asks the important question, “how do you prove who you are to a company who leaked all your private data?” How about any other creditor or lending institution? Jake Williams asksknowing this data is out there for 143 mil Americans this morning, how do you verify identity of a new customer?” This will become problematic for victims and creditors alike and most likely will result in more time and effort spent on validating our identities. It’s not difficult to imagine new processes requiring additional paperwork or copies of documents in order to ‘prove’ we are who we claim to be.

Continuing the idea that we are victims, Kim Zetter points out we have no choice when it comes to allowing Equifax access to our information. “Unlike Yahoo breach, consumers can’t just close their Equifax account and take their info/business elsewhere to express their displeasure”. The three Credit Bureaus obtained our information via other sources without our direct consent. Instead, we often form a relationship with a business and agree that they may sell or share our data to third parties. Equifax relies on this along with dozens of other methods for collecting data.

The Direct Impact to Customers

As we noted in our first blog, using Equifax’s TrustedID site to try to verify if you are impacted by the breach didn’t appear to work. Zack Whittaker wrote an article for ZDNet going into more detail and confirming what several people experienced on the first day the service was active. The title of the article, “We tested Equifax’s data breach checker — and it’s basically useless” says it all. For victims who want to put a ‘security freeze’ on their information, Equifax will give them a PIN that allows the victim to remove it later when they feel there is no risk. Unfortunately, that PIN was generated entirely based on the date and time you request the PIN. As Tony Webster points out, “if you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.” Even worse, Equifax has been using this format for over a decade and acknowledged the issue at least a year ago. So the criminals that took your personal information have a leg up in trying to remove the security freeze as the PIN becomes more guessable. Equifax was sent scrambling once again to correct this and by late Monday confirmed a new PIN generation system would be in place within 24 hours.

While we haven’t seen any Equifax-based phishing mails, we can be sure that criminals and security companies will be chasing opportunities. Twitter user ’Try Catch HCF’ points to the domain “equifax2017.com” which was registered on September 9 by HICHINA ZHICHENG TECHNOLOGY LTD. out of Hangzhou, China. The domain isn’t hosting anything specific at the moment, so the intention is not clear, but this is yet another warning for everyone to be mindful of the follow on scams that are sure to come.


According to Scott McGready, that is likely one of at least 247 domains that have been registered that “look like Equifax” since the breach.

General Advice to Those Impacted

After a breach of a Credit Bureau, those impacted may be struggling to understand how to react.. Unlike a breach that leaked passwords or a credit card number, the information compromised in the Equifax breach cannot be easily replaced. With credit history and extensive personal information including Social Security Numbers, the impact could be more devastating. Twitter user Patrick McKenzie, who says his “hobby in writing letters about the Fair Credit Reporting Act is suddenly topical!” He offers a string of advice for people in his thread, which we quote most of, with minor edits for readability:

  • Tip 1: Do not pay for credit monitoring. You’re statutorily guaranteed three free credit reports a year. That’s sufficient.
  • Tip 2: If someone opens a loan or CC in your name, deep breath: you are going to lose some time but not money. You haven’t been stolen from.
  • Tip 3: You will be inclined to do things over phone, because credit reporting agencies and banks push people to it (and lately apps). No. Calls.
  • Tip 4: Everyone attached to a telephone at a Credit Reporting Agency (CRA) has scripts which are optimized for getting you off the phone and minimal ability to help.
  • Tip 5: If someone has opened an account in your name do not call the bank and ask them to close it. You do not have or want authority on acct!
  • Tip 6: You should file a police report locally and get the police to issue a paper copy or receipt. It doesn’t matter if they investigate.
  • Tip 7: You will snailmail copy of that report to the bank’s legal department (address available online) with a short letter.
  • Tip 8: The contents of the letter: you did not open; correct immediately; any collections activity including reporting to CRAs is a Fair Credit Reporting Act (FCRA) violation.
  • Tip 9: The bank is responsible for all damages and this letter is specific written notice of your complaint. You require resolution immediately.
  • Tip 10: You also require all communication about the matter to be in writing to you.
  • Tip 11: People do not believe me on this but trust me a professional firm letter from someone who sounds competent gets to a lawyer or Senior Vice President (SVP) reliably.
  • Tip 12: Keep copies of everything, indefinitely. Keep a log of when mail was sent and when mail was received. Dropbox is your friend.
  • Tip 13: You should not act like a supplicant; you owe the bank nothing as you’re not in a commercial relationship with them. But: no anger.
  • Tip 14: You do not want to be read as someone who is angry and needs to be talked down. You want to be read as someone collecting a paper trail.

And finally, Twitter user Dissent Doe gives one more piece of great advice: “If you’re concerned about the Equifax breach, and want a security freeze (not fraud alert, but FREEZE), contact Experian & TransUnion, too”. Just remember, each of them will charge you for that freeze, including Equifax, despite them being the reason you want the freeze.

Risk Based Security sends their thanks to those who are helping those impacted.

The story continues with Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup.