Equifax, one of the three largest consumer credit reporting and financial services providers in the nation, announced its data was breached on Sept. 7. The personal information of an estimated 143 million U.S. consumers (44 percent of the population) was stolen from May 13 to July 30. This includes full names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed.
Although Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents were impacted, they are not notifying people that their personal information may have been stolen. Equifax has found no evidence of unauthorized access to its core consumer or commercial credit reporting databases.
Business owners in all industries need to be aware that this data breach could impact their finances, credit, tax returns, and social security and medical accounts. It is important to take steps now, and information should only be accessed using a secure network—not public Wi-Fi. Here is what business owners can do to protect themselves.
- Determine if your personal information was stolen.
- Put a fraud alert on your credit.
- Check your free credit reports.
- Consider putting a freeze on your accounts with Equifax, Experian and TransUnion if you do not intend to apply for credit in the foreseeable future.
- Contact your banks and request that a personal identification number (PIN) is placed on all of your accounts. Check your bank and credit card statements for fraudulent transactions.
- Get free identity theft protection. Equifax is offering TrustedID Premier, its identity theft protection and credit file monitoring service, for free to all U.S. consumers (impacted by the data breach or not) for one year. TrustedID Premier includes three-bureau credit monitoring (Equifax, Experian and TransUnion), copies of your Equifax credit report, the ability to lock and unlock your Equifax credit report, identity theft insurance and internet scanning for your Social Security number. Interested consumers must enroll by Nov. 21.
- Change your sign-on credentials. User IDs and/or passwords should be changed on important bank accounts and any other important accounts. Use different passwords for each account. Enable two-factor authentication, if possible.
- Change your primary email address for all bank and other important accounts if it is used to change your sign-on credentials.
- Take the following actions to protect yourself from tax identity theft.
- File your federal and state tax returns early.
- Monitor your IRS account.
- Adjust your withholdings if you typically receive large refunds.
- Apply for an IP PIN number. The IRS offers an identity-protecting PIN (IP PIN) to prevent someone from filing a fraudulent return with your Social Security number. Participants get a new six-digit number each year that must be used to file a tax return. Otherwise, your e-filed return will be rejected and processing of a paper-filed return will be delayed. As of this writing, the IRS is issuing pins to prior victims of tax-related identity theft, taxpayers in certain states (Florida, Georgia and the District of Columbia) and individuals who are invited to opt-in to the program. If you’ve placed a credit security freeze with Equifax or another credit bureau, you must have the freeze temporarily removed to allow the IRS to verify your identity.
- Protect your Social Security account by taking the following actions.
- Watch for medical identity theft. Check your medical bills and “explanation of benefits” notices from your insurance company for charges for services that did not happen and equipment or medical devices you do not have. Also, check with your pharmacy to ensure that no one is filling your prescriptions.
- Watch out for scams and phishing schemes related to the breach. If you receive an email link from Equifax offering to help you survive its massive security breach, do not open the message, click on the links, or open the attachments. Do not respond to email, text messages or phone calls that request personal information—no matter what company the caller or sender claims to represent. Go directly to the source (website, email address or phone number you know is legitimate). Equifax only sends email to consumers through addresses that end in @equifax.com, @trustedid.com and @e.equifax.com.
This is not the first time in 2017 there was a data breach at Equifax. The company reported a payroll service was compromised during the 2016 tax season. Although Equifax claims the two incidents are not related, they do suspect that the same perpetrators may be involved.
Deloitte, a worldwide Big 4 accounting and consulting firm, announced on Sept. 25, that it too is a victim of a data breach. The firm’s email server was compromised from October 2016 to March 2017. Approximately five million emails were exposed, along with sensitive attachments. The hackers may have gotten usernames, passwords, IP addresses, business information and workers’ health records. The breach apparently stemmed from an administrator’s account that was protected by a password and not two-step verification.
Securing customer data is increasing more important than ever before. Business owners must do everything possible to protect their servers from a data breach.
If you believe you are the victim of identity theft or a data breach, contact local and federal law enforcement authorities such as the FTC Consumer Response Center and your state’s attorney general office.