One year ago today, on September 7, 2017, Equifax announced its cybersecurity incident involving the private information of 143 million people.
Unbelievably, the Equifax data breach event occurred between May and July 2017, yet Equifax waited six weeks before its public disclosure on September 7, 2017.
But it gets worse, as one month later, Equifax announced that its data breach event included an additional 2.5 million individuals, and then in March 2018, Equifax found an additional 2.4 million people bringing the total number of affected individuals to nearly 148 million.
The Equifax data breach event exposed Social Security numbers, Dates of Birth, addresses, and even driver’s license numbers. This means that affected consumers will have their Social Security numbers and birth dates sold and traded on the “dark web” for the rest of their lives.
So when Equifax offers 12 months or 24 months of “free” credit bureau monitoring – it is essentially worthless as ID theft criminals typically sit on stolen information for 12 to 24 months before they begin to use it for fraudulent purposes.
As we recognize the one-year anniversary of this historic September 7, 2017, public disclosure of the Equifax data breach event, I have listed below some lessons learned for consumers:
- Credit bureau monitoring provides a false sense of security and cannot prevent individual consumers from becoming a victim of ID theft.
- Credit bureau monitoring cannot alert consumers to non-financial ID theft such as taxpayer ID theft/refund fraud, medical ID theft, and credential (e.g. driver’s license or passport) ID theft.
- Consumers underestimate the possibility of becoming an ID theft victim and do not realize how labor and time intensive recovering from identity theft is.
At the same time, here are some lessons learned for Equifax:
- The Equifax CEO, CIO, and CSO were not forced to resign (or “retire”) because Equifax experienced a data breach event, they resigned because of their failed management response to its data breach event.
- If Equifax, a business centered on securing our most sensitive personal information – with more financial and IT resources than most business sectors cannot prevent a data breach from happening – what leads other businesses to believe they can?
- But it’s not just Equifax, as the two other major credit bureaus (Experian and TransUnion) along with the top 10 banks and health insurance companies in the U.S. have all experienced data breaches.
Based on new privacy laws and the current regulatory landscape including GDPR (General Data Protection Regulation), the new California Consumer Privacy Act of 2018, and the recently revised 50 state notification laws – now is a good time to understand what consumers and businesses should do to protect yourself, your family, your employees, and your customers.