A damning news report indicates that the Equifax data breach, which has exposed as many as 145.5 million people to identity fraud, didn't have to happen.
An index provider warned the Atlanta-based credit bureau last year that its cybersecurity was lacking and putting millions of consumers at risk, according to the Wall Street Journal.
MSCI (Modern Index Strategies Indexes), a financial company that supplies stock market indexes, cautioned Equifax that the company’s safeguards were ill-suited for the “increasing frequency and sophistication of data breaches,” the Journal reports, adding that the credit reporting agency was not able to demonstrate that it regularly trained employees on cybersecurity risks or that it routinely performed the necessary audits to stave off an attack.
To put things in perspective, just seven months after MSCI’s warning, in March of this year, Equifax suffered a breach, followed by a more massive one on July 29. To make matters worse, the company waited until the second more pervasive breach to even acknowledge the initial hack.
RELATED: Equifax hacked earlier than it first admitted
Year before data breach, Equifax was warned about its cybersecurity shortcomings
On September 7, Equifax said that in late July hackers had broken into its computer systems via a vulnerability in an open-source application connected to its online web portal. On September 15, the agency admitted that "the particular vulnerability … was identified and disclosed … in early March 2017."
The revelation that the agency, one of the three main credit-reporting bureaus used by the lending industry, waited months later to go public with the breach has shaken consumer confidence in the company and led to calls for class-action lawsuits in several states.
With the new information we know on the Equifax data breach, here’s a timeline:
- August 2016: MSCI warns Equifax of vulnerability to data breach
- March 2017: Agency learns that hackers broke into their computer system
- July 29, 2017: Equifax's Security team observes "suspicious network traffic" associated with its online web portal and blocks it
- August 2, 2017: Equifax hires Mandiant, a cybersecurity firm, to investigate the hack and find out what was exposed
- Sept. 7, 2017: Company announces that "criminals" exposed as many as 143 million people to identity fraud
- Sept. 26, 2017: The Board of Equifax announces that Richard Smith is out as Chairman/CEO effectively immediately
- Oct. 2, 2017: Mandiant's concluded investigation shows that an additional 2.5 million U.S. consumers were potentially impacted, bringing the total exposed in the hack to 145.5 million
What personal information was stolen in the hack?
Because of the extensive breach, hackers were able to gain access to a trove of personal data from consumers, including their names, Social Security numbers, birth dates and addresses. In many cases, even more personal data was exposed, including driver’s license and credit card numbers.
Anyone impacted by the breach is now at risk of identity theft and fraud — as any piece of this personal information can be used by, or sold to, criminals who can use it to open credit cards, take out loans, make purchases in your name — or even drain your bank accounts.
Money expert Clark Howard is adamant that consumers must do all they can to protect themselves from identity fraud. Here is what he recommends:
Take these 2 steps to help protect your identity
1. Sign up for Credit Karma's free credit monitoring: Go to CreditKarma.com to sign up for an account. Not only is the service free, but Credit Karma lets you access your credit scores and reports without charge as many times as you like.
2. Freeze your credit with all three main credit bureaus: Clark says even if your personal info was not exposed by the Equifax data breach, you should still freeze your credit to protect yourself and your money.
Check out our Credit Freeze Guide to learn how to freeze your credit with each main agency
Equifax breach: 2 things to protect your money and identity
Clark.com