This news story has been updated to reflect the findings of a federal Government Accountability Office report issued on September 7, 2018.
Alvin Kleveno is among the nearly 148 million members of a not-so-exclusive club — consumers whose personal data was compromised in the massive cyberattack disclosed one year ago by Equifax, one of the nation’s three major credit bureaus.
In the weeks after the bad news, the company alerted the Colorado resident that not only was his personal data endangered, a debit card he’d previously used to “unfreeze” his Equifax credit record had also been compromised.
Kleveno “experienced unauthorized charges” on the card and “spent time and effort contesting the fraudulent charges with his credit union, canceling the card and traveling to the credit union to obtain a replacement card,” according to a court complaint on behalf of the victimized consumers.
Today, Kleveno is one of 96 named plaintiffs from all 50 U.S. states and the District of Columbia who are suing Equifax in a consumer class-action lawsuit. The case is among a multitude of lawsuits targeting the Atlanta-based company.
The lawsuits have inched through the legal system in the year since the news that nearly half of all Americans had personal information exposed by the breach. Meanwhile, federal, state and overseas authorities pursue yet-to-be-completed investigations.
Although a new law will let Americans freeze their credit reports without charge as of Sept. 21, Lauren Saunders, associate director of the National Consumer Law Center, says “very little has changed” for consumers because personal information for millions of consumers remains in the hands of thieves.
“After publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves,” the U.S. PIRG Education Fund, an independent group focused on consumers and the public interest, says in a report issued on Thursday.
Equifax declined to make executives available for an interview about the one-year anniversary of its cyberattack disclosure. However, the company said it has tightened its data security perimeter, hired top cybersecurity and technology professionals, improved cyberattack detection and response times, and offered consumers more control over their data.
The company also agreed to a June consent order with financial regulators from eight states that requires it to conduct security audits at least once a year and take other steps to strengthen data safety.
“Protecting the data entrusted to Equifax is the company’s top priority,” the credit bureau said, adding that it has conducted regular cybersecurity briefings and calls “to update hundreds of business customers on our progress and lessons learned.”
In its initial September 7, 2017, disclosure, Equifax said as many as 143 million U.S. consumers could have been exposed to the danger of identity theft or other crimes when criminal cyberthieves carried out an electronic attack on the company’s computer systems. The company later raised the potential victim count to nearly 148 million.
The embarrassing digital break-in primarily compromised names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, Equifax said. Richard Smith, the former Equifax CEO, told a House subcommittee in October the company had known before the attack about a computer software vulnerability that required patching.
A Government Accountability Office report requested by Sen. Elizabeth Warren, D-Massachusetts, and Rep. Elijah Cummings, D-Maryland, highlighted Equifax-provided information showing the attack lasted for approximately 76 days before it was discovered.
The report highlighted multiple weaknesses:
- A digital certificate that’s used to authenticate computer servers and systems had been expired for roughly 10 months. As a result, encrypted digital traffic passed through an Equifax system without being detected.
- Equifax officials notified the company’s systems administrators about the program vulnerability that required patching. However, the recipient list was outdated, and the notice wasn’t received by the administrators who would have installed the patch.
- Individual Equifax databases were not isolated from each other. As a result, the cyberthieves were able to move from one to others, gathering more and more data without being detected.
- The attackers gained access to a database that contained unencrypted usernames and passwords for gaining access to other databases.
- Equifax systems lacked restrictions on the number of allowable database queries. As a result, the attackers were able to execute roughly 9,000 queries, far more than what would be needed for normal business operations.
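Two of the weaknesses listed above, the expired inspection certificate and the missing cap on database queries, translate into routine monitoring checks. The sketch below is an added illustration, not code from the GAO report or from Equifax; the certificate names and dates, the audit-log format, the account names and the threshold of 100 queries per hour are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory of certificates installed on a traffic-inspection device.
CERT_INVENTORY = [
    {"name": "inspection-cert-a", "not_after": "2019-06-30"},
    {"name": "inspection-cert-b", "not_after": "2017-03-01"},
]
EPOCH = datetime(1970, 1, 1)

def build_sample_log():
    """Constructed audit lines: '<timestamp> <account> <source host> <statement>'."""
    start = datetime(2018, 1, 1, 2, 0, 0)
    burst = [f"{(start + timedelta(seconds=i)).isoformat()} svc_portal app01 SELECT"
             for i in range(120)]
    routine = [f"{(start + timedelta(minutes=10 * i)).isoformat()} svc_batch app02 SELECT"
               for i in range(5)]
    return burst + routine

def expired_certificates(inventory, today):
    """Return (name, days_expired) for every certificate past its not_after date."""
    findings = []
    for cert in inventory:
        not_after = datetime.strptime(cert["not_after"], "%Y-%m-%d")
        if not_after < today:
            findings.append((cert["name"], (today - not_after).days))
    return findings

def query_bursts(lines, max_per_window, window=timedelta(hours=1)):
    """Flag (account, host) pairs whose query count in any one window exceeds the cap."""
    buckets = Counter()
    for line in lines:
        stamp, account, host, _statement = line.split(maxsplit=3)
        # Fixed (tumbling) windows counted from the epoch, independent of time zone.
        bucket = (datetime.fromisoformat(stamp) - EPOCH) // window
        buckets[(account, host, bucket)] += 1
    return sorted({(a, h) for (a, h, _), n in buckets.items() if n > max_per_window})

if __name__ == "__main__":
    print(expired_certificates(CERT_INVENTORY, datetime(2018, 1, 1)))
    print(query_bursts(build_sample_log(), max_per_window=100))
```

In practice the per-account threshold would be set from a measured baseline of normal business queries, and an expired certificate on an inspection device would raise an alert rather than let traffic pass uninspected.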
Smith and two Equifax security executives abruptly retired after the company disclosed the breach.
During the initial weeks after the breach disclosure, consumers complained about an online Equifax search tool that in some cases provided inaccurate results to those who used it in the hope of finding out whether their personal data had been compromised.
Consumer advocates also contended that free security products Equifax offered after the cyberattack were limited in scope and would only provide alerts after an identity theft had occurred.
The consumer class-action lawsuit also says the threat of identity theft proved all-too-real for some of the main plaintiffs.
Identity thieves used the personal information of Grace Cho, a California resident, to open unauthorized accounts in her name and make fraudulent purchases with a wireless phone provider and a department store, the court complaint charges.
Thieves allegedly attempted to use Cho’s information to open unauthorized credit accounts at a retail warehouse club and another department store.
Jennifer Tweeddale not only suffered identity theft; fraudulent accounts on her credit report also lowered her credit score by approximately 79 points. The drop could make it more difficult for the Florida resident to qualify for a loan.
The accounts of personal damages suffered by Tweeddale, Cho and Kleveno come from summaries in the consolidated class-action complaint filed in May. USA TODAY was either unable to reach them and other lead plaintiffs, or they did not return messages. A lead counsel representing the consumers also did not respond to an email.
The millions of consumers whose personal data was stolen in the breach “remain subject to a pervasive, substantial and imminent risk of identity theft and fraud, a risk that will continue so long as Social Security numbers have such a critical role in consumers’ financial lives,” the lawsuit alleges.
Equifax’s disclosure of the cyberattack accelerated the business crisis that had begun weeks earlier when the company first detected the breach.
After closing at $142.72 on September 7, 2017, Equifax shares plunged and closed at $89.59 one week later, a 37 percent skid.
The breach created unexpected corporate costs, from providing credit alerts and other services to millions of consumers, to mounting legal bills and efforts to toughen and upgrade the company’s cybersecurity systems.
When Equifax reported its second-quarter earnings in July 2018, the company said it had run up roughly $300 million in expenses so far. The earnings report said it is “reasonably possible” Equifax will suffer losses from the lawsuits and investigations, but added that it was not yet possible to provide an estimate.
Nonetheless, Equifax shares, which closed at $134.54 on Wednesday, have climbed back and are down just 5 percent from this time last year.
In March, Equifax recruited a new chief executive, Mark Begor, a business veteran with experience in private equity and at General Electric.
By July, he publicly touted a corporate turnaround, saying “we’re rapidly approaching a mode of being back to normal commercial discussions with the vast majority of our (U.S. Information Services) customers,” a critical part of the company’s business. Fewer than five customers continued to have questions about Equifax’s security plans, he said.
In part to allay such lingering concerns, Equifax hired a new security team as part of a cybersecurity overhaul after the breach. The question is how effectively new resources are used, said David Vergara, head of security at OneSpan, a security firm that says its clients include half of the world’s top 100 banks.
“Equifax has taken the proper initial steps, post breach, with some stumbles along the way,” Vergara said. “Only time will tell if Equifax can deliver. And if they do it right, none of us will ever know about it.”
Some Wall Street analysts signal cautious optimism.
In a July 27 note to investors, JPMorgan Chase analyst Andrew Steinerman said, “Equifax is not out of the woods yet.” He noted that rivals TransUnion and Experian have outpaced Equifax’s U.S. Information Services results.
However, he added, “We sense a return to normalcy on the horizon.”
Timothy McHugh, an analyst with William Blair, maintained an outperform rating on Equifax shares in a late July 26 note to investors.
“Equifax’s story will continue to have a lot of moving parts,” he said, “but we are optimistic that the company’s growth rates, margins (and) technology … will improve over the next year or two.”
Contributing: Elizabeth Weise, Adam Shell
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc