The Equifax 2017 Exposed: What Half of America Needs to Do Right Now

Equifax has been hacked. As one of the three major credit bureaus in the United States, this is seriously bad. It is considered by many to be the worst security breach in the history of the internet. The extent (about 143 million Americans) and the sensitivity of the data is a rude awakening in a year when cyber has been in the center of the news.

What does this mean for you? It means that your Social Security number, and possibly even your driver’s license information, could be in the hands of hackers. Some are already calling this the worst breach of data in history.   

How Did This Happen?

On September 7th, Equifax announced that a security breach occurred that could impact as many as 143 million people. Though this isn’t the largest breach to occur, it could be the most devastating. The data that was accessed included Social Security numbers, address, birth dates, and driver’s license numbers. All of these can be used for identity theft.

Equifax also announced that the credit card numbers of more than 200,000 people were accessed, as were documents containing personal identifying information for more than 180,000 people. With this information, the hackers can commit credit card fraud. This isn’t as bad as identity theft, as credit card fraud is usually simple to fix, but these thieves could still open new credit card accounts in your name with your Social.

According to Equifax, the company discovered the data breach on July 29. Apparently, the hackers accessed the files from around mid-May all the way through July.

Richard F. Smith, the chairman and CEO of Equifax, admits that this is a “disappointing event” and that it “strikes at the heart” of the goals of the company. He also apologized to customers who work with Equifax and consumers. Boo hoo. I cry for you.

Why Did It Take So Long to Announce This?

You might be wondering why it took so long to announce that there was a data breach at Equifax. After all, the company discovered it on July 29, and didn’t announce it until September 7. Their Director of Social Media, has an answer. She said that as soon as the company discovered the breach, they stopped the intrusion. The company also hired a cybersecurity firm, which did a full investigation. This investigation was time consuming, and they wanted to have all of the information available before informing the public. Makes sense.

But Wait…There’s More

To add to this story, Bloomberg News announced that three executives from Equifax sold shares worth about $1.8 million. What’s shocking is that they did this AFTER the company discovered the breach. This will come back to bite them.

You can check to see if you are affected by the breach by using an online tool that Equifax has set up. FYI, I checked out my info, I’m a victim.

You should go there, enter your last name and the last six digits of your Social Security number, and the system will tell you if your information has been compromised. If it has, Equifax is offering a complimentary enrollment into the TrustedID program. However, there is language in the terms of service that may restrict your ability to have your day in court if you were to join a class action and the NY Attorney General is pissed. According to USA Today, a class action lawsuit has already been filed against Equifax. This class action suit seeks to secure all records associated with the breach and fair compensation for those who were affected.

Read the NYT.

You don’t have to have done any type of business with Equifax to be affected by this. If you have ever applied for a mortgage, loan, or credit card, the company likely has your information. The TrustedID program is going to be free for an entire year for anyone affected. It gives consumers the ability to lock and unlock their credit reports. They also get internet scans for their Social Security numbers and identity-theft insurance. You can also call Equifax at 866-447-7559.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 12 Tips to Destroy Your Sensitive Data

Believe it or not, you just can’t shred too much. If you aren’t destroying your sensitive data, my best advice is for you to start now. There are people out there who make a living diving into dumpsters in search of credit card info, bank account number, mortgage statements, and medical bills; all things they can use to steal your identity.  

Here are 12 tips that you can use to help you destroy your sensitive data:

  1. Buy a shredder. That said, I don’t own a shredder. I’ll explain shortly. There are a number of different brands and models out there. Some even shred CDs. This is important if you keep your documents saved on a computer, which you then saved to a CD. Don’t, however, try to shred a CD in a shredder that isn’t equipped to do this job. You will definitely break it.
  2. Skip a “strip-cut” shredder. These shredders produce strips that can be re-constructed. You would be surprised by how many people don’t mind putting these pieces together after finding them in trash. Yes, again, people will go through dumpsters to find this information. Watch the movie “Argo” and you’ll see what I mean.
  3. Shred as small as you can using a cross cut shredder. The smaller the pieces, the more difficult it is to put documents together again. If the pieces are large enough, there are even computer programs that you can use to recreate the documents.
  4. Fill a large cardboard box with your shreddables. You can do this all in one day, or allow the box to fill up over time.
  5. When the box is full, burn it. This way, you are sure the information is gone. Of course, make sure that your municipality allows burning.
  6. You should also shred and destroy items that could get you robbed. For instance, if you buy a huge flat screen television, don’t put the box on your curb. Instead, destroy, shred, or burn that box. If it’s on the curb, it’s like an invitation for thieves to come right in.
  7. Shred all of your documents, including any paper with account numbers or financial information.
  8. Shred credit card receipts, property tax statements, voided checks, anything with a Social Security number, and envelopes with your name and address.
  9. Talk to your accountant to see if they have any other suggestions on what you should shred and what you should store.
  10. Shred anything that can be used to scam you or anyone. Meaning if the data found in the trash or dumpster could be used in a lie, over the phone, in a call to you or a client to get MORE sensitive information, (like a prescription bottle) then shred it.
  11. Try to buy a shredder in person, not online. Why? Because you want to see it and how it shreds, if possible. If do buy a shredder online, make sure to read the reviews. You want to make sure that you are buying one that is high quality.
  12. Don’t bother with a shredder. I have so much to shred (and you should too) that I use a professional document shredding service.

I talked to Harold Paicopolos at Highland Shredding, a Boston Area, (North shore, Woburn Ma) on demand, on-site and drop off shredding service. Harold said “Most businesses have shredding that needs to be done regularly. We provide free shredding bins placed in your office. You simply place all documents to be shredded in the secure bin. Your private information gets properly destroyed, avoiding unnecessary exposure.”

Does your local service offer that? Shredding myself takes too much time. And I know at least with Highlands equipment (check your local service to compare) their equipment randomly rips and tears the documents with a special system of 42 rotating knives. It then compacts the shredded material into very small pieces. Unlike strip shredding, this process is the most secure because no reconstruction can occur.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three Quarters of a Billion Records breached

Last year, says the security firm Gemalto, over 700 million records were breached. Or, to put it another way, this translates to two million stolen or lost records every day.

3D2015 Breach Level Report

  • 1,673 hacking incidents
  • 398 were triggered from the inside of the attacked company: employees and even IT staff who were tricked (social engineering) by hackers into clicking on malicious links or attachments
  • Government agencies suffered the greatest data leaks.
  • Following that were nation states and healthcare enterprises (remember the big Anthem breach?)

Gemalto also says that the U.S. is the leading target of cyber attacks, with the UK, Canada and Australia following behind in that order. But don’t let Australia’s fourth place standing fool you. It reports only 42 publically reported incidents, while the U.S. has reportedly had 1,222.

How can you tell your computer has been compromised by an attack?

  • Your computer is running slowly; you’re not simply being impatient—the device really is moving at a crawl. This is a possible sign the computer is infected.
  • Another possible sign of infection: Programs open up without you making them, as though they have a mind of their own.

Protecting Your Computer

  • First and foremost, businesses need to rigorously put their employees through training. This includes staged phishing attacks to see if any employees can be tricked into revealing sensitive company information. Training for workers must be ongoing, not just some annual seminar. A company could have the best security software and smartest IT staff, but all it takes is one less-than-mindful employee to let in the Trojan horse.
  • If you receive an e-mail with a link or attachment, never rush to open them. Pause. Take a few breaths. Count to 10. No matter what the subject line says, there is always plenty of time to make sure an e-mail is from a legitimate sender before opening any attachments or clicking any links.
  • Use firewall and anti-virus software and keep them updated.
  • Use a virtual private network to scramble your online activities when you’re using public Wi-Fi so that cyber snoopers see only scrambling.
  • Use the most recent version of your OS and browser.
  • Regularly back up your data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Three ways to beef up security when backing up to the cloud

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

  • Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
  • Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
  • Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Tips for backing up and protecting your data while traveling

The season of giving is now upon us — but don’t forget, it’s also the season of stealing — and no, I don’t mean your wallet or the gift package at your doorstep, but your Social Security number, credit card information, medical records and any other highly confidential information that you have stored on your computers.

1DThieves want your data — the information stored in your smartphone, laptop and other devices. People are especially vulnerable to this crime when they travel. Don’t let the hustle and bustle of holiday travel detract you from protecting your data!

  • Make sure your devices have updated security software.
  • Remove all the sensitive data (e.g., medical records) from your device prior to travel — but not before you back it up.
  • One way to protect your data is cloud backup. Protecting your data begins with keeping your computer in a safe, secure, locked location, but when you are traveling, this is simply not an option. Therefore, automatically back up data to the cloud. The third layer is to use local backups; ideally sync software that offers routine backups to an external drive.
  • Before the trip, an IT expert should install disk encryption for your laptop– especially if you’ll be bringing along lots of sensitive data. If the laptop ends up in the wrong hands, the crook will see only scrambled data.
  • Even with the aforementioned security measures in place, you should also use a virtual private network when conducting online transactions at public Wi-Fi spots, so that snooping hackers “see” only encrypted transmissions.
  • All of the above tactics still aren’t enough. “Shoulder surfers” could visually snatch your login credentials while you’re typing away at the airport lobby or coffee shop. “Visual hackers” may also use binoculars and cameras. A privacy filter for your screen will conceal what’s on your screen. If they’re right behind youthis technology will alert you. You should use a privacy filter even when your back is to a wall.

Never let your device out of your sight, and if you must, like at a relative’s dinner gathering, lock it up.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Best practices for BYOD data storage

The Bring Your Own Device (BYOD) movement has in some ways saved companies money, but in other ways put customer data at risk. Employees are onsite, telecommuting or traveling on business. This means their devices, and company data could be anywhere at any given moment.

7WA company manager or owner realizes that company use of employee mobile devices brings benefits. But employees also use the devices for personal activities, increasing the risk of hackers getting into company data.

The solution is to train these employees in BYOD, information security and awareness. They must be aware of how risky a data breach is, how to secure data, especially if the device is loaded with company data. An overlooked part of that training is knowing how to deal with old data, back up that data and in some cases, delete it.

Data lives in 3 forms: stored on a local device, backed up in the cloud and deleted. Over time, old data begins to accumulate on devices and that can cause problems.

Here are some key considerations and best practices for dealing with the BYOD phenomenon at your business:

  • Ask yourself when old data no longer needed? Data should have expiration dates set up to indicate this.
  • Businesses should realize that “useless” or “old” data may surprisingly be needed sooner or later. This data can be stored offsite, in the cloud, so that if the device is hacked, at least the old data (which may contain valuable information to the hacker) won’t be accessible.
  • Setting up cloud storage that automatically backs up data will ensure that if a device is lost or stolen, the data is still available. Every bit of data, even if it’s seemingly useless, should be backed up.
  • How do you truly delete data? Don’t think for a second you’ll achieve this by hitting the delete button. In many cases, a hacker could still find it and obtain it from the hard drive. What you can’t see is not invisible to a skilled hacker.
  • Want to just get rid of old data altogether? You must destroy the hard drive. This means put it on the ground and hit with a sledgehammer. Then recycle the guts. Or you can professionally shred it.
  • Deploy Mobile Device Management (MDM) software that gives companies the ability to remotely manage devices. Tasks might include locating, locking or wiping a lost or stolen device. MDM can also be used to update software and delete or back up data.

The planning and prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and the tricks that cyber thieves use.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Weak Passwords Mean Data Breaches

Studies across the board indicate that weak usernames and passwords are one of the top causes of data breaches, and I find that information to be unfortunate, because it is preventable. According to a recently concluded survey conducted by uSamp and sponsored by Siber Systems, creators of the RoboForm Password Manager: 70% reported forgetting a password, or had a password become compromised, in their professional life in the US.

  • More organizations are enacting policies where employees can use their own devices and store information on a cloud.
  • This means that it is more important than ever before to protect accounts with strong passwords.
  • A strong password is the first line of defense against scammers and hackers, and it helps to keep data safer.

The Research on Passwords Doesn’t Lie

The data from these studies indicates that there is no organization in any industry that is not vulnerable to a breach of data.

  • Every company, no matter what size, should put in some effort to protect their sensitive data.
  • Many breaches of data could have been prevented by implementing stronger security controls, improving credentials used to long in and employing safety best practices in the workplace.
  • Weak or stolen usernames and passwords are one of the top causes of data breaches, and more than 75 percent of attacks on corporate networks are due to weak passwords.
  • Almost half of all instances of hacking is due to stolen passwords, which are obtained through the theft of password lists.

Know The Risks of Choosing Weak Passwords

Experts have warned for many years that there are risks associated with relying on weak usernames and passwords to restrict the access of data.

  • Verizon estimates that about 80 percent of all data breaches could have been stopped if a stronger, better password was used.
  • Experts, including the IT team of companies, can offer assistance to employees seeking to improve their passwords and reduce risk.
  • Too many companies protect their data with passwords that are too weak or too easy to guess, such as the name of the organization or other obvious words.
  • It is also difficult to enact policies for improved passwords in the workplace because employees are not informed of the facts.
  • The best passwords are long and varied, with symbols, letters and numbers. These passwords should also not be obvious, such as the name of a company, address or company motto.
  • One of the best investments in ones personal security is in a password manager. Frankly, I don’t know how anyone can use a PC and not have a password manager in place.

Robert Siciliano is a personal privacy, security and identity theft expert to RoboForm discussing identity theft prevention. Disclosures.

Online Data less safe than ever

It’ll get worse before it gets better: online data safety. It’s amazing how many people think they’re “safe” online, while one huge business or entity after another keeps getting hacked to the bone.

1DAnd “safety” doesn’t necessarily mean the prevention of your computer getting infected with a virus, or falling for an online scam that results in someone getting your credit card information. It’s also a matter of privacy. While targeted advertising (based on websites you’ve visited) may seem harmless, it’s the benign end of the continuum—that someone out there is tracking you.

So, do you still think you’re hack-proof?

That you can’t be fooled or lured? That your devices’ security is impenetrable? That you know how to use your device so that nobody can get ahold of your sensitive information?

Consider the following entities that got hacked. They have cyber security teams, yet still fell victim:

  • LinkedIn
  • Yahoo! Mail
  • Adobe
  • Dropbox
  • Sony
  • Target

You may think the hacking is their problem, but what makes you believe that the service you use is immune? Are you even familiar with its security measures? That aside, consider this: You can bet that some of your personal information is obtainable by the wrong hands—if it already isn’t in the wrong hands.

Are you absolutely sure this can’t possibly be? After all, you’re just a third-year med student or recent college grad looking for work, or housewife with a few kids…just an average Joe or Jane…and you use the Internet strictly for keeping up with the news, keeping up with friends and family on social media, using e-mail…innocent stuff, right?

You’ve never even posted so much as a picture online and say you don’t use a credit card online either.

  • But hey, if your passwords aren’t strong, this ALONE qualifies you as a potential hacking victim.
  • So, what is your password? Is it something like Bunny123? Does it contain your name or the name of a sport? Keyboard sequences? The name of a well-known place? The name of a rock band?
  • Do you use this password for more than one account? That gets tacked onto your risks of getting hacked.
  • You need not be someone famous to get hacked; just someone who gets lured into filling out a form that wants your bank account number, credit card number, birthdate or some other vital data.
  • If you just ordered something from Amazon, and the next day you receive a message from Amazon with a subject line relating to your order…did you know that this could be from a scammer who sent out 10,000 of these same e-mails (via automated software), and by chance, one of them reached someone at just the right time to trick you into thinking it’s authentic?
  • People who know you may want your information to get revenge, perhaps a spurned girlfriend. Don’t disqualify yourself; nobody is ever unimportant enough to be below the scammer’s radar.
  • Did you know that photos you post in social media have a GPS tag? Scammers could figure out where the photo was taken. Are you announcing to all your FB friends about when your next vacation is? Did you know a burglar might read your post, then plan his robbery? Between the GPS tags and your vacation dates…you’re screwed.

Well, you can’t live in a bubble and be antisocial, right? Well, it’s like driving a car. You know there are tons of accidents every day, but you still drive. Yet at the same time, if you’re halfway reasonable, you’ll take precautions such as wearing a seatbelt and not driving closely behind someone on the highway.

Most of your fate is in your hands. And this applies to your online safety. You won’t be 100 percent immune from the bad cyber guys, just like you’re not 100 percent immune from a car wreck. But taking precautions and having the right tools really make a tremendous difference.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Data Breach Aftermath

Haste certainly doesn’t make waste if you’ve suffered from an entity getting hacked resulting in a data breach. Don’t waste a single minute delaying notifying affected accounts! In the case of a credit card company, they will investigate; you won’t have to pay the fraudulent charges. The breached card will be closed, and you’ll get a new one. And there is more.
11D
All sounds simple enough, but the experience can be a major hassle. Below is what you should do upon learning your card has been breached:

  • If a SSN is breached, place a credit freeze or fraud alert with the three big credit bureau agencies. Placement of the credit freeze or fraud alert will net you a free copy of your credit reports; review them.
  • See if you can find companies that have accounts in your name—that you didn’t set up. Notify and cancel them. Make a list of entities that might be affected by your ID theft, then contact them.
  • If your identity is actually stolen, you may need documents to show creditors proof of your ID theft, you should file a report with the police and FTC.
  • Keep vigilant documentation of all of your relevant correspondence.

If your credit card was compromised, you also must contact every company or service that was on autopay with the old card. This includes quarterly autopays (e.g., pesticide company) and yearly autopays, like your website’s domain name. Don’t forget these! You now have to transfer all the autopays to your new card.

But you also must consider the possibility that your credit card breach is only the beginning of more ID theft to come. You now must be more vigilant than ever. If it can happen once, it can happen again.

  • Check every charge on every statement. If you don’t remember making that $4.57 charge…investigate this. Thieves often start with tiny purchases, then escalate.
  • Use apps that can detect anomalous behavior with your credit card account. These applications are free and will alert you if there’s a purchase that’s out of the norm, such as there’s a charge to the card in your home town, but an hour later another charge occurs 800 miles away.
  • See if your card carrier will let you set up account alerts, such as every time a purchase exceeds a set amount, you get notified.
  • Never let your card out of your sight. The thief could have been someone to whom you gave your card for a payment—they used a handheld “skimming” device and got your data. If you don’t want to hassle with, for instance, the restaurant server who wants to take your card and go off somewhere to get your payment, then pay cash (if possible).
  • Never use public ATMs; ones inside your bank are less likely to be tampered with with skimming devices.

Other than tampered ATMs and retail clerks taking your card out of your view to collect payment, there are tons of ways your personal information could get into a thief’s hands. Here are steps to help prevent that:

  • Shred all documents with any of your personal information, including receipts, so that “dumpster divers” can’t make use of them.
  • When shopping online, use a virtual credit card number; your bank may offer this feature.
  • When shopping, patronize only sites that have “https” at the start of the Web address.
  • Never save your credit card number on the site you shop at.
  • If a retail site requires your SSN in order to make the purchase, withdraw from the site and never go back.
  • Never give your credit card or other personal information to online forms that you came to as a result of clicking a link in an e-mail message. In fact, never click links inside e-mail messages.
  • Make sure all your computer devices have a firewall, and antivirus/antimalware software, and keep it updated.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.