Anyone who has ever applied for a credit or debit card is in Equifax’s database, experts said, and problems won’ t go away.
Equifax’s response to consumers who may face a lifetime of problems after having their personal information hacked is being widely criticized as inadequate and self-serving.
The website-based process the firm set up so people can find out if they’ ve been affected requires people to input more personal information: their last name and last six digits of their Social Security numbers. Many consumers are reporting that when they try to sign up for the free credit-monitoring program, they get messages that they can’ t enroll.
“I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived, ” renowned cybersecurity expert John Krebs posted on his blog. “The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach — equifaxsecurity2017.com — is completely broken at best, and little more than a stalling tactic or sham at worst.”
Equifax announced Thursday that criminal hackers had accessed highly personal data from more than half of America’s adult population, with exposed data including names, Social Security numbers, birth dates, addresses and some driver’s license numbers. Also revealed to criminals were credit card numbers for about 209,000 U. S. consumers, along with credit-report dispute documents that identify about 182,000 more people in the U. S., the company said.
The exposure of Social Security numbers and birth dates raised alarms among cybersecurity experts.
“These millions of victims will be at increased risk of fraud for the rest of their lives, ” said John Gunn, chief marketing officer at VASCO Data Security.
Anyone who has applied for a credit or debit card, taking out any kind of loan or debt, or even applied for an apartment rental that requires a credit report is likely in Equifax’s database, said Atiq Raza, CEO of San Jose cybersecurity firm Virsec.
Equifax did not immediately respond to a request for comment.
Vicki Chang, a Berkeley real estate investor who tried to sign up after Equifax’s process told her she’ d been affected by the hack, received a message that she wouldn’ t be able to enroll in the monitoring program until Sept. 11.
Equifax had no business offering its own credit-monitoring program, but rather should have worked in partnership with another provider to offer it for free to affected consumers, said Forrester Research analyst Jeff Pollard.
It’s not quite right for them to use this as a way to inflate their users of their credit-monitoring service, ” Pollard said. “It seems at least from the outside that they are trying to have some kind of benefit from what is ultimately a failure on their part, ” he said.
The criminals had access to the personal data from mid-May through July, Equifax said.
The company said it took action to shut down the breach once it discovered it July 29, but the firm waited more than a month to make the breach public.
