Equifax data breach could have long-reaching effects for borrowers

Patrick Varine
Saturday, Sept. 16, 2017 9:42 p.m. | Saturday, Sept. 16, 2017 9:42 p.m.

Jacob Tierney | Tribune-Review

A home is under construction in Lorien Fields, one of several housing projects in development in Penn Township. Prospective home buyers affected by the Equifax data breach could have trouble closing the deal if something fraudulent shows up on their credit report.

Details

By the numbers

Here are a few numbers to help put the Equifax data breach into perspective.

209,000

Credit card numbers accessed by the perpetrators of the hack, according to Equifax.

143 million

Number of people potentially affected by the Equifax data breach. The breach affects some Canadian nationals as well, but in terms of the American adult population (245.3 million), it potentially affects 58 percent of U.S. residents.

182,000

Dispute documents containing personal information accessed by perpetrators of the hack, according to Equifax.

2.6

The number of credit cards the average American has, according to The Gallup Organization.

How did this happen?

The Equifax breach affected 143 million people, and according to an international security firm, it easily could have been prevented.

"Clearly this is an abdication of responsibility as far as the security staff at Equifax," said Hamid Karimi, global vice president of business development for Beyond Security. "It's incumbent upon them to make sure all of the proper tools are deployed to protect customer data."

Equifax officials have disclosed that a vulnerability in one of its web servers was exploited to gain access to the information.

Karimi said a typical web server has nearly 30 known vulnerabilities.

"In the case of Equifax, the vulnerability, in the Apache Struts Web application, was published in March 2017 and was well known," Karimi said.

Apache issued a fix, or "patch," for the problem on March 6. Equifax officials said they learned of the breach in May, two months after the patch was released.

"Someone scanned the site, they realized the servers were not patched, and the exploits were successful," Karimi said.

Sources: Equifax, Karimi, Apache Struts

Email Newsletters

Ryin Gaines and his family know all too well what can happen if your identity is stolen.

“My wife had to jump through hoops for over a decade to settle all of the damage that was caused,” said Gaines, 35, of Pittsburgh.

So when he discovered that he was among the 143 million people affected by the Equifax data breach, he jumped to action, slapping a freeze on his credit.

The Sept. 7 announcement of the hack and data breach potentially affects nearly half of U.S. adults, has sent Equifax's corporate stock into a freefall, spurred a Federal Trade Commission investigation, resulted in more than 20 class-action lawsuits and could prevent affected consumers from doing something as simple as financing the new Apple iPhone.

Experts are warning that Americans for years to come could see new credit accounts popping up in their names.

Kelly Keenan of Murrysville entered her information into Equifax's website and discovered that she also was among those likely affected.

“I had been planning to replace a truck we have but absolutely will not until Equifax fixes this error,” she said.

Stories such as Gaines' and Keenan's are playing out across the country.

Christine Stawski, a Realtor with Coldwell Banker in North Huntingdon, said the breach is unfortunate but not unexpected.

“All of our information is valuable, and it's a target,” Stawski said.

While she does not have any current prospective homebuyers affected by the breach, Stawski said she can see it becoming a large problem in the realty market.

“A lender can pull your credit up to the time of closing,” she said. “And if a lender sees that new credit has been opened, they can stop the closing. So that's a huge impact.”

Norm Montgomery, executive vice president at First Commonwealth Bank, which has branches throughout Pennsylvania and central and eastern Ohio, said that is a very real possibility.

“Where the impact would come is if a fraudster used (someone's) data to open phony accounts,” Montgomery said. “At that point, it would be an identity theft, and they'd have to work through the remediation efforts: contacting the credit agency, putting fraud alerts on their credit. ... There would definitely be some additional questions that would have to be sorted out between the customer and the financial institution” before a purchase could be completed.

People whose information has been exposed through the breach have been told one option is to freeze their credit.

But that already has become an issue for one major cellular carrier. Citizens Financial Group, which runs the financing program for Apple and its iPhones, told the Associated Press that any new or existing customers who have credit freezes on their information will be declined financing.

That means if a customer whose data has been compromised can't pay the full cost of a new phone up front — Apple is on the verge of releasing several new phones — they likely won't be able to buy unless they remove the credit freeze.

Gaines planned to take up Equifax on its offer of a free year of credit monitoring. But after finding out that accepting the offer would preclude him from joining one of more than 20 class-action suits already filed against Equifax in the wake of the breach (see update below), he decided against it.

Gaines has been in touch with five law firms that have filed class-action suits. For him, it's not about money.

“Unfortunately, in America, it seems that litigation is the only way to force a change in behavior with some of the big corporations. So I wanted to get on board and do my part immediately,” he said. “Given the way we rely on credit in this country, the companies who task themselves with determining creditworthiness need to be much more careful with our data.”

UPDATE (Sept. 19, 2017, 12:40 p.m.): Initially, the terms of use for Equifax's credit monitoring service, TrustedID, stated that participants forfeited the right to legal action against the company. According to Web fact checking site Snopes.com, Equifax has sought to clarify that the clause does not apply to the data breach incident.

Patrick Varine is a Tribune-Review staff writer. Reach him at 724-850-2862, pvarine@tribweb.com or via Twitter @MurrysvilleStar.