Dwight Watt - Newspaper Article #390 9/20/2017

Question: Was my information stolen in the data breach at Equifax?


Equifax reported last week that personal identity information was stolen in a data breach in their systems. They reported about 143 million people’s information was stolen, which is about one half of the population of the United States. Two major questions are: 1. Was your information stolen? and 2. How did it happen?

The information that was stolen was apparently mainly social security numbers and names. The social security number with the name is the big concern as that is your unique identifier in many systems and will make it easy for someone else to secure credit in your name.

To find out if your information was stolen, go to www.equifaxsecurity2017.com. Choosing that name was not a smart decision by Equifax in dealing with the breach. They should have put the checker on their own domain, not created a new domain that looks like a phisher using this breach as a way to steal information. Numerous people and systems have warned about the address because of it.

When you go there it will ask you for two items. First is your last name and second is the last 6 digits of your social security number. If you are like me you will have to stop and think what those two extra digits are, since we are used to giving either the whole number or the last 4 digits.

You will get one of three responses. The first is that you were not in the group that was breached. I am in that group. I checked twice. Second is that you are in the group that was breached. In that case, you want to start watching your credit cards and your credit report more closely and have monitoring (more on that in a second). You may want to consider a credit freeze (however, that can be aggravating) and find out how your credit card and debit card companies handle fraudulent transactions. Generally, you have less responsibility with credit cards. Third is that they are not sure if you were in the breach or not. In that case, see the second.

Whether you are in group one, two or three, Equifax is offering you one free year of credit monitoring using their credit monitoring service. You should sign up for it. Because of the large number that will be signing up, when you choose that option they will not sign you up immediately but will assign a date in the near future. They promise to send a reminder. There have been some questions raised about the wording of the legal agreement for the service.

The other part is realizing that whoever has the data may sell and use it for a number of years. You may not see anything for several years and then in five years suddenly see signs of identity theft in your name.

How did the breach occur? You would think that the three major credit reporting companies would be maintaining a high level of security and following generally accepted good practices. From what we know now, Equifax did not do this.

The breach was apparently through their web server. They are using an open source web server called Apache, which is the web server most organizations use when their servers run Linux or UNIX operating systems. It has been around a long time and is regarded as a top web server. Organizations using the Windows Server operating system often use Microsoft’s web server, called IIS, or may use Apache also.

In the early spring, the Apache Software Foundation reports they had found this hole in the server, written a patch for it and released that patch. (This is similar to companies that got caught by ransomware a year ago on Windows systems: Microsoft had released a patch and they had not run it.) Equifax had not run the update with the patch, so it became a door with a light shining on it for hackers. They knew a way in. The breach was initially reported as occurring about July 29, but now Equifax says it may have run from May.

The next thing Equifax did wrong was they did not report it to the public when they discovered it. They said they reported it to their board of directors after a couple of days, but it was just this week the public found out our data was stolen.

You can make your computer and network more secure, but you cannot make a network totally secure. There are always new ways to break into networks and computers every day, and new defenses also. A computer can be made fully secure, but it means disconnecting it from the Internet and any networks (unplug the network wire and disable or remove the wireless card). However, for almost all people the computer is then worthless, as most stuff we do involves the Internet.