Equifax, one of the big suppliers of credit information and credit services, said Thursday that a security breach this summer may have affected as many as 143 million people in the United States.
Let’s do the math on that pretty quickly. There are, according to recent estimates, about 325 million people in the country. So that means about 44 percent, or nearly half, of United States residents may be affected. In other words, read on, because this affects you.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” Equifax said in a statement.
The breach, discovered July 29, exposed names, birthdates, Social Security numbers, addresses, and driver’s license numbers, as well as 209,000 credit-card numbers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
Cool. Cool, cool, cool.
Equifax’s very bread and butter is protecting exactly this information. The company completed its private investigation into the breach, and NBC News said that the FBI is actively investigating the incident with cooperation from Equifax.
CNBC notes that three Equifax execs, including the company’s Chief Financial Officer John Gamble Jr., as well as the company’s workforce solutions president and information solutions president, sold $2 million in shares just days after the breach was discovered. It’s hard not to look at that as an indicator that they knew very early how bad this breach was and took measures to protect themselves.
Don’t use static identifiers when you don’t have to
The lesson here is that even companies that exist literally to protect our data can’t be considered reliable. Whether the breach was a result of negligence or was a result of ingenuity on the part of the intruders, a huge stash of data is now out there in the wild with tons of our personal information.
A year ago, we went into how to store and protect good passwords. One element of that comes in the form of recovery questions. When you’re answering a recovery question, the answer will likely either be what’s called a “static identifier” or something you get to choose. Static identifiers include all the stuff above – stuff like your Social Security number, your address, and your mom’s maiden name. Stuff that isn’t going to change. Leaks like this make that information a liability. We can’t force banks, utilities, and other companies to stop asking us for our SSNs and other static identifiers, but it’s worth remembering that when we get to pick the answers to these questions, we can put in whatever we want.
It’s a small security blanket, but it’s still another way to protect yourself when breaches like this happen. With a breach of this unprecedented size, though, something will have to change. Hopefully the types of firms I mentioned above will stop relying on those static identifiers and start giving us more secure ways to identify ourselves.
For now, though, keep an eye on your accounts, your statements, and your credit score. This is some Mr. Robot-level stuff.