From the office of State Rep. Randy Hunt:
BOSTON - The scope of the data breach at Equifax combined with the character of the data stolen amounts to an unprecedented cyber theft affecting 143 million Americans, an estimate provided by the company.
To provide context, consider that the U.S. population is about 330 million, of which, close to 250 million are adults (18 years of age and up). Relatively few 18 to 25-year-olds have credit records with the three primary credit companies-Equifax, Experian, and TransUnion-so we're looking at upwards of 75% of people with credit records having had their information stolen.
According to Equifax, a vulnerability in a website application called Apache Struts CVE-2017-5638 was exploited by hackers to gain access to the 143 million credit files, 209,000 credit card numbers, and 182,000 credit dispute documents. Apache Foundation, which oversees the widely-used open source software said "The Equifax data compromise was due to failure to install the security updates in a timely manner." The vulnerability was announced and patched by Apache on March 7, 2017 and modifications were completed by March 10, 2017. The Equifax data breach occurred from mid-May through July.
The five-week delay from discovery of the breach on July 29, 2017 to the September 7, 2017 public announcement is understandable given that Equifax hired a cyber security company to perform an assessment to determine how and when the information was compromised. However, the company's chief financial officer, presumably someone on the short list of executives to be notified of a cyber security disaster, sold more than 13 percent of his Equifax stock on August 1, 2017, a transaction generating proceeds of $946,374. The company stated that CFO John Gamble and two other high-level employees who sold stock on August 1 and 2 were unaware of the data breach at the time of their stock transactions. Equifax stock closed at $146.26 on August 1 and $98.99 on September 13, a loss of one-third of its value post-disclosure.
What You Can Do
Go to www.EquifaxSecurity2017.com - There are consumer updates posted to this page along with a link at the bottom of the page called "Potential Impact." Click this link and then click "Check Potential Impact." At this point, ensure that you are on a secure web page by looking for a lock icon on the screen or a URL beginning with https://. Enter your last name and last six digits of your social security number, then click on the box "I'm not a robot," then click Continue. You will receive a message either indicating that Equifax believes "your personal information may have been impacted by this incident" or "your personal information was not impacted by this incident."
Keep in mind that there are three major credit reporting bureaus: Equifax, Experian, and TransUnion. Each company retains information on consumers' credit transactions, loans, payments, FICO scores, etc. The information stolen from Equifax could be used to open credit cards and apply for loans where the lending institution might have a business arrangement with one of the other credit bureaus; therefore, it is not sufficient to isolate your attempts to block fraudulent use of your data with Equifax. If you plan to file a fraud alert or freeze your credit file, make sure you do this with all three credit reporting bureaus.
You can file a fraud alert that puts the credit bureau on notice that your personal information has been compromised. This should result in the bureau taking additional steps to ensure that changes in your account, including inquiries related to opening new credit cards and loans, are being made by you or with your permission.
A credit file freeze blocks attempts to review your account for new credit cards and loans. Keep in mind, however, that access to your credit files is granted more often than you might imagine, and generally for legitimate purposes. For example, buying furniture over two years with no interest requires the financing company to access your credit file to determine your credit worthiness. E-signing a tax return, something that is gaining acceptance in Rep. Hunt's own CPA practice, requires the signer to confirm information that is contained in their credit file.
Fraud alerts, freezing accounts, and monitoring credit files is not free. Although the monitoring program for affected Equifax customers is free for a year, you must consider the cost of the additional steps not only with Equifax but with Experian and TransUnion as well.
You have had the ability to acquire one free credit file report per year from all three bureaus for many years. Looking at these reports is essential to identifying potential fraudulent transactions. Go to www.annualcreditreport.com or call 877-322-8228 to request your free credit report which includes information from all three bureaus. Do not call the bureaus individually or get tricked into visiting one of the many "free credit score" websites that are, in the end, not free.
Finally, the information breach may well be used to e-file fraudulent tax returns, both Federal and state, in an effort to claim a refund. These fraudsters file early in the tax season hoping to get their version of your tax return through before you file your legitimate return. This activity has netted billions of dollars of refunds that vanished into temporary bank accounts and pre-loaded debit cards. Legitimate taxpayers have waited to have their tax returns processed, with some having refunds of thousands of dollars held up for months.
Currently, the IRS only provides security PINs to taxpayers who have had fraudulent returns filed using their social security numbers. The 6-digit PIN is then required for all future tax return filings. Unfortunately, this "take action after the fact" approach does nothing to protect taxpayers from potential fraudulent returns being filed using the Equifax information.
For more information about the IRS' program, visit https://www.irs.gov/identity-theft-fraud-scams/identity-protection
The Massachusetts Department of Revenue has information here: http://www.mass.gov/dor/individuals/identity-theft-information/
Massachusetts Attorney General's Actions
Attorney General Maura Healey has announced that her office is filing suit against Equifax. More information can be found here: http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-09-12-intent-to-sue-equifax.html.
Take this situation seriously. Stay up-to-date regarding further consumer options that are sure to become available as we progress through the aftermath of this unprecedented cyber theft. This office will continue to communicate new information as Representative Hunt is made aware.