Archive

After Equifax hack, you can pretty much assume someone has your data. What to do next. | TribLIVE.com
U.S./World

After Equifax hack, you can pretty much assume someone has your data. What to do next.

EquifaxCyberattack43541jpg82eee
AP Photo/Mike Stewart
This Saturday, July 21, 2012, photo shows signage at the corporate headquarters of Equifax Inc. in Atlanta. New York Attorney General Eric Schneiderman is pressing credit monitoring companies TransUnion and Experian to explain what cybersecurity they have in place to protect sensitive consumer information following a recent breach at Equifax that exposed the data of 143 million Americans.

It’s been almost two weeks since Equifax first admitted it had been hacked in a massive breach affecting as many as 143 million consumers.

Ever since, people have been begging Equifax to answer a simple question: “Am I on the list of victims?”

Much to America’s dismay, Equifax has yet to provide a firm response. It’s not clear when or if the country will ever get one. But the most depressing thing isn’t Equifax’s failure to tell consumers definitively whether they, individually, are at risk. The most depressing thing is that, at this point, the answer may not even matter.

“Once it’s out there, it’s out there,” said Justin Shipe, vice president of information security at CardConnect, a payment processor.

You may be clinging to some sliver of hope that perhaps your information is not yet “out there.” But with every subsequent breach, the likelihood of your never having been affected by hackers grows slimmer and slimmer.

What is the point of knowing whether Equifax was the one who leaked your data? Perhaps in the short term, you might become part of a class-action suit, and win a few dollars in the inevitable settlement. But in the long run, this knowledge doesn’t help you any more than discovering you were affected by the 2013 data breach at Target, the 2014 incident at Home Depot and the 2015 break-in at the Office of Personnel Management.

If I knew I was affected, I’d take steps to protect myself, like freezing my credit, you say. To which I’d say: Why wait? Many Americans have already called to freeze their credit, or place preemptive fraud alerts on their accounts, and they’re as in the dark right now as everyone else who isn’t Equifax. You don’t need knowledge that you were affected to protect yourself.

If Equifax told individuals whether their information was leaked, couldn’t they trace cases of future identity theft to the hack? Experts say that’s extremely unlikely.

“If we see a large increase in identity fraud, we can potentially hypothesize that some of this increase was due to the Equifax breach, but there’s no way to prove this 100 percent,” said Richard White, the former chief information security officer for the U.S. Capitol Police. “The more time passes, the harder it becomes for a number of reasons, mainly ⅛because of⅜ new cyberattacks that expose more information.”

Even if you could prove a link, what could you do with that revelation that you haven’t already done?

Let’s run a little thought experiment. Suppose you were a victim of not only the Equifax breach, but also the breaches at Target, Home Depot, OPM or Anthem. Now imagine that in 2020, you check your credit report and find out that somebody opened a fraudulent credit card account in your name.

How would you know which breach produced the data that allowed criminals to create the new line of credit? How could you distinguish that from information gathered by garden-variety social engineering attacks such as email phishing?

What would it even matter?

At that point, you’ve been compromised. Whether Equifax was the one to leak your data becomes irrelevant.

You should still be keeping a close eye on your credit reports for any suspicious or unusual activity, such as new loans or credit cards you didn’t ask for. Under the Fair Credit Reporting Act, consumers are entitled to one free credit report from each of the three major reporting bureaus once a year. You can safely access your reports by visiting annualcreditreport.com. You can also apply a temporary fraud alert to your credit, or freeze it entirely so that nobody can open new lines of credit in your name.

Equifax is likely to pay a high price for its failures. But in the grand scheme of things, the one question plaguing all of us has mostly become a pointless mental exercise. And that’s the depressing part.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.