What can I do about the Equifax Breach?
Nothing.
The fact is, when Equifax announced the breach on September 7th, it was far too late.
- The breach happened in May...
- ...Equifax executives discovered the breach at the end of July...
- ...dumped their company stock a few days later...
- ...but waited to inform the public until another month had passed
But it's all over the news!
Much of what you see in the news and on social networks is exaggerated, outdated, or just plain wrong. Facebook is a reliable source of cat videos and friend requests, but it's useless for security recommendations.
To learn the facts, you must do some research, track down the original sources of information, and develop your own picture of the incident. But doing all that takes time, requires reading some fairly dull professional articles, and when all is said and done, the final conclusion will be the same: follow best practices, limit your exposure, and be alert for anything out of the ordinary. You cannot prevent or fix a breach. You can only weather the storm.
So I should just do nothing at all?
No, not at all. You should keep doing the same things you have already been doing to protect yourself from fraud and scams. You have been doing these things all along, haven't you? If not, you should start.
If this breach made you think it's time to get serious about security, that's good. But ask yourself: why didn't I get serious about security after the huge Yahoo breach of over a billion accounts that was revealed just last year? Or the Anthem Insurance breach of 2015? Or the JP Morgan Chase breach of 2014? Or the Home Depot breach of 2014? Or the Target breach of 2013? Or the Adobe breach of 2013? Or the...
See my point? All of these data breaches were extensively covered in the media, but you probably don't even remember most of them. It's useless to worry about a single specific breach, because similar big breaches are happening every year, and smaller ones are happening every day. You are ALWAYS at risk of having your personal information stolen, and you will NEVER know about it until after it has already happened.
Humans can't constantly live in a state of hyper-vigilance; their brains simply don't work that way. So instead, you need to form habits and routines that minimize your risk. If you have doubts or suspicions about something, you're almost certainly right, so assume you are and act accordingly.
If news of this breach makes you more cautious than you were before, that's good, but it would be better if you just made a habit of always assuming the worst, and planning for it.
So what are these things I should have been doing all along?
- Don't Panic: Think before acting
- Don't trust warnings from random strangers
- Never open an emailed link or attachment unless you know exactly what it is and why you got it.
- If you think it's suspicious, it is suspicious
- Never believe anything in an email that has been forwarded to multiple people
- Never believe any email that prompts you to act quickly to avoid serious consequences
- Never believe anyone who tells you they're going to prevent your personal information from being compromised in a data breach, or fix your credit after identity theft - they are lying to you
- Practice good password security
- Use strong passwords that have nothing to do with your work, your family, or your personal interests
- Use different passwords for different accounts
- Use a secure password database such as KeePass to store passwords and other confidential information
- When possible, use multi-factor authentication for important accounts
- Regularly review all online accounts for unusual activity
- Not just bank accounts, but phone, internet, cable, utilities, insurance, investments, and gaming accounts
- Never use any service that automatically deducts money from your bank account to pay a bill
- Pay your bills online, but do it every month, using your own bank's service, and review each bill carefully before making the payment
- Challenge any discrepancies BEFORE you pay the bill
- Ask your bank and your vendors about their data security plans, and challenge them if they balk
- Don't trust a third-party to do this for you; they can't do as good a job as you, and they don't really care about you personally
- Take advantage of account features that help you protect your information
- Sign up with your bank to get email or text notifications for transactions. If your bank doesn't provide this service, switch to one that does
- Consider using fraud alerts and credit freezes. A fraud alert ensures you will be notified of any attempts to open new credit lines. A credit freeze prevents anyone, including you, from checking your credit unless you unfreeze it first
- Review your credit reports regularly, and dispute anything you don't recognize
- Cancel unused cards and close unused accounts
- Some banks offer free credit monitoring
- Limit your exposure of personal information
- Shred or burn any offers for credit you receive in the mail
- Keep all social media profiles private
- Read terms of service and rules for all services you sign up with, and always choose the options that expose the least amount of your personal information
- Use throwaway generic email accounts or anonymous email services when a site requires you to register
- Use an ad blocker or internet security program to protect your browser
- Recognize that security is inconvenient, and you can't control everything
- To be secure, you must sacrifice some convenience
- There is no silver bullet, no magic solution that will keep you safe automatically
- You can't do anything about other people and companies
- Your own family could accidentally cause your data to be stolen
Well this is pretty depressing...
It can be if you let it, but really it's no different than how you are constantly thinking about your safety when driving a car.
You obey the law, keep your eyes on the road, never text or make calls while driving. You maintain safe following distance, always use your signals, look before changing lanes, and never ever drive after drinking. But you don't assume the other driver is going to follow the rules, because you know they often don't. So instead, you assume that everyone else on the road is a drunken, texting, idiotic, suicidal maniac, and plan for the worst.
Umm, I don't do all that.
Then you're a bad driver, and you're putting yourself and others at risk every time you get behind the wheel, but that's a rant for another day.
The point is, it's easy to become complacent about everyday situations (like driving) and forget how much danger you're in. You see a horrible accident, and for a little while, you are more careful. But you forget soon enough and are back to trusting random strangers on the road not to kill you.
The same complacency applies to your personal information security.
The Equifax data breach is just the latest in a series of major data breaches where millions of people's personal information has been compromised. Unfortunately, we cannot consider this a unique or unusual event anymore. Going forward, you should assume that your personal data will be breached - not once, but many times.
These are not lonely hackers working in basements. These are organized, coordinated, well-funded teams of professional criminals, and they will find ways to steal your information. You can't prevent it, can't stop it, and may not even find out about it until years after it has happened.
Law enforcement agencies cannot help - They may arrest a few individuals, but these kinds of breaches are funded by powerful organized crime syndicates located overseas, many with ties to foreign governments. Those behind the scenes running these operations will probably never be identified, let alone prosecuted.
Credit Protection Services cannot help - These companies charge fees to monitor your credit for activity, but they can't prevent someone from emptying your bank account, or using your name to get a job, or using your personal information in many other ways.
Credit Bureaus cannot help - and have no incentive to. These agencies have no financial interest in protecting your personal information. You are not their customer, you are the product they sell. Equifax took a beating in the stock market after the announcement, but the people who made the decisions that led to this breach sold their stock before the announcement, and now that the price has started to recover, they can buy it back at a discount. So they're actually profiting from the breach.
The desire to do something to fix the problem is a powerful motivator, and fraudsters and unethical companies are quick to cash in on this. You will see advertising and get emails claiming that you can protect yourself by buying a product, or signing up for a service, or forwarding a message to all your friends. You should be very skeptical of such claims, even if they come from companies you think you know and trust.
Are there any good guys out there?
Yes, there are. Some people are genuinely interested in helping you protect yourself, because they themselves have been victimized, and want to help others, or because they feel it's the morally right thing to do.
Information about malware and viruses, including advice and support for fixing problems
https://www.bleepingcomputer.com
https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
https://www.us-cert.gov/ncas/alerts
http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference
http://clark.com/personal-finance-credit/equifax-breach-how-to-protect-yourself-from-whats-coming-next/
http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/