Why the Equifax Data Breach Could Be Draining Your Business Accounts (And Why You Might Not Even Notice!)

Last week’s Equifax announcement of 143 million people affected by one of the most sweeping data breaches (and likely the most danger) attacks ever may be more worrisome than you may suspect. Since Equifax validates credit scores for virtually everyone, they hold in their disposal millions upon millions of records of personally identifiable information—much of which if not locked under key day in and day out could easily allow criminals to steal your identity.

Last week, one of my colleagues had the misfortune of having his identity stolen. The timing and circumstances aligned perfectly with the Equifax data breach as the most parsimonious way his identity could have been stolen (he is a IT Security expert that is especially careful with disclosing sensitive personal information). If identity theft happened to him, it could easily happen to any of you—and with big data breaches of completely sensitive information, you should be more vigilant than ever with both your personal AND business identity and footprints.

If you have had any credit reporting done in the past 3 months or so, there’s a very good chance that you’re one of the 143 million Americans with sensitive personal information at risk from the Equifax breach.

Late last week, Neil received notification from his mobile banking app that someone in Memphis was trying to withdraw $8,400. The man at the teller’s window had Neil’s driver’s license and social security number. He even knew Neil’s bank account information—particularly recent balances in the account.

What caused the bank to call Neil to verify the transaction?

The signature on the driver’s license did not match up to what the bank had on file. Big Red Flag.

The next day, Neil received a notification from his bank’s mobile app that someone was attempting to make another withdrawal from his account just under $9,000 at a Nashville location. The man attempting the withdrawal had similar information—account info, driver’s license and SSN. But yet again, the signatures were checked and did not match up.

The bank alerted Neil to the fraudulent transaction.  At this point, Neil became terrified that someone was completely stealing his identity.

Later that day, a man came to Neil’s published address. Neil had recently moved homes, but was well-acquainted with the new owners of the home. The man was supposedly from the Democratic National Committee and wanted to talk to Neil about “the issues”. The owners, not associated with any political party, were suspicious of the canvasser. They told they guy that they weren’t interested. The canvasser insisted he come in for a minute and hear about their concerns with current issues.

But the homeowners weren’t ready to invite the stranger into their home. Before they shut the door, the canvasser asked the new owner, Tom, if he was Neil. The canvasser had his smart phone ready to collect a signature on his signature pad.

Luckily for Neil, the new owner called him about this experience. It was obvious that this “canvasser” was trying to phish for information. But when Neil heard of this incident, it was crystal clear to him that the stranger at the door was actually prying for one specific piece of information. He wanted a signature to complete all the necessary steps to getting into Neil’s bank accounts.

When Neil found out about the signature, he immediately requested his banks require to call his cell and confirm withdrawal transactions from any of his accounts.

Could your identity be the next to be stolen?

(What you should be doing TODAY):

First, to determine if you’re a victim in the Equifax breach, Equifax is encouraging the public to visit their website (www.equifaxsecurity2017.com) to learn if they were impacted. The site requires individuals to submit their last name and 6 last digits of their social security number.

When we attempted to test this check, we noticed the site seemed to tell everyone the same thing—they were affected by the breach (even fake surnames with fake SSNs!). Equifax suggests you then sign up for a year of their premium monitoring service for free (you also sign away your ability to sue for damages if your identity was one involved in the breach).

Equifax-breach

We suggest you take security a bit more serious than relying on Equifax to look out for your best interests!

Neil, being experienced in information security, decided to apply the same processes that he typically walks clients through. Here are some steps that Neil took and steps we recommend you taking if you suspect your information was leaked through the Equifax leak, or any other breach:

  • Check your credit reports: make sure that your credit history doesn’t contain activity that you don’t recognize. Credit reports contain information about you—what accounts you have and how you pay your bills. If an identity thief is opening accounts in your name, they will probably show up in one of these reports. Check that information like your SSN, address, name and employers are correct. Get a free credit report from Experian or TransUnion by visiting annualcreditreport.com. For more information on identity theft visit IdentityTheft.gov.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for identity thieves to open accounts in your name or changing information on existing accounts.
  • Carefully monitor your existing credit card and bank accounts closely—point out immediately when charges or transactions don’t make sense. Many credit unions and banks have banking apps allowing you to view your balances instantaneously and get automatic alerts. Set up Text alerts to be aware of activity/transactions.
    • Be sure to check your last login date/time every time you log on. Review balances and transactions to make sure they line up with purchases you’ve made.
    • Consider using automatic bill pay instead of checks to limit the amount of exposure you have to disseminating sensitive information and to keep more precise record keeping.
    • View system alerts, such as balance alerts, transfer alerts and password change alerts.
    • Never use sensitive information in account names or passwords.
    • Never leave a computer unattended if logged into your online banking.
    • Never conduct banking transactions with multiple browser windows open on your computer.
  • Username and Passwords—having secure passwords can be essential. Each password should be unique (per account) and should be hard to crack. Here is a recent discussion of how to create a good password.
  • Identify Phishing Scams, Spyware and Malware—scammers are getting more sophisticated than ever trying to scam you into clicking on links in emails. The first step in protecting yourself and your workplace from scams that may lead to identity theft is to be able to identify current scams. See how you can protect yourself. Also consider reading the latest news on cyberattacks to understand what you’re up against. Knowledge is power.
  • File your taxes early— Tax identity theft happens when someone uses your SSN to get a tax refund. To avoid being a part of the growing number of tax identity theft, consider filling your returns before the deadline. Respond immediately to letters from the IRS (Note: the IRS will NOT call or text you with concerns!).
  • Do not give out sensitive information—be cautious to give out sensitive personal information, such as social security numbers, etc. Do not email sensitive info. And do not leave sensitive information sitting around—at work, in public spaces, on personal checks or on your cell phone. NEVER give sensitive information to your credit union over the phone (they won’t ask for it!). If you receive a call where someone asks for personal information, ask them to mail it to you. Contact the company directly from a published number online or on your statement.
  • Do not leave information out for prying eyes—do not leave financial statements or other documents with personal information around for others to see. Lock them up or shred them if they aren’t needed. Minimize the amount of personal information you carry (NEVER carry your social security card or unused credit cards with you in public places if they aren’t needed). Think twice what you carry with you and what you leave lying around—even at home!
  • Promptly take in mail— do not leave mail in your mailbox, especially when receiving financial statements.
  • Make a list of all of your accounts—keep a list of all of your credit cards, loans, account numbers, expiration dates in case someone has stolen your identity, you know where to go and who to talk to.
  • Manage your passwords— make sure that your passwords are secure. Do not reuse passwords. Store your passwords in a password management tool, such as KeePass.

Most Importantly: Think before you react. Most spam, viruses and fraudulent emails stress urgency and strongly suggest to take action now—don’t become a victim, avoidance of clicking links, responding to unsolicited emails and providing personal information is your defense!

Are you sure your personal data is safe? Are you sure your identity is safe in light of the latest attacks?