Equifax is one of the oldest credit rating agencies in the world. It currently processes information on over 800 million consumers.
The company has suffered two very severe breaches this year. One breach occurred this March when the attackers exploited a vulnerability in the Apache Struts system used by the company.
The vulnerability was supposed to be fixed, but somehow it wasn’t, and the security team failed to find any flaws in the system. Lacklustre encryption and shoddy breach monitoring practices also contributed to the breach.
As a result, a second, more serious attack occurred during May and July this year. More worryingly, the company waited until 7 September to notify the general public of the breach.
Adding insult to injury, this month also reportedly saw the Equifax website inadvertently offering malware for download via a compromised Flash plug-in.
Social Security numbers, names, drivers’ licence numbers, birth dates and addresses were affected. A smaller number of users also lost their credit card numbers. The staggering number of files leaked – 145.5 million – means over two thirds of all Americans with credit reports are vulnerable. Users from Canada and the UK are also affected.
With this information, identity theft is a legitimate possibility. That’s why you should freeze your credit immediately.
During a congressional hearing, the now-former Equifax CEO Richard Smith cited human and technological errors as the chief reasons for the criminal attack.
Lawmakers expressed concern about such late reporting and such a nonchalant attitude towards a breach. A self-regulating credit industry obviously is not working, according to Rep. Jan Schakowsky, D-Ill. Most agreed that some sort of regulation is necessary.
The management was further criticized for the huge golden parachutes that they received after they resigned. Several allegations of insider trading are also being investigated by the authorities. Reportedly, Equifax executives sold $1.8mil worth of shares just after the breach had occurred, but before it was disclosed to the public.
As if to remove any doubt about the completely inept handling of the breach, the company tweeted an offer to help individuals determine whether they’ve been affected. The tweet linked to a phishing website set up by privacy expert Nick Sweeting, luckily without malicious intent.
The impact assessment website also contained a clause barring its users from suing the company if they use it. After public outcry, it was removed.
Equifax is offering free credit freezes for all affected customers until 21 November. They will also monitor your credit for free for a year.
The question is, why would you trust them at all after the recent events?