Security Awareness Blog

What to Communicate About the Equifax Hack

Screen Shot 2017-09-08 at 8.48.37 AM

Editor's NOTE: Updated 14 September to include links AND phone number to all 4 agencies for a credit freeze. People are reporting better luck with the phone.

As most of you have read by now, Equifax was hacked. Equifax is one of four credit rating services, called Credit Bureaus (the other three are Experian, Trans Union and Innovis). This means they harvest (and sell) the financial data and credit ratings of almost every adult citizen in the United States. Yesterday (7 Sep) Equifax announced they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised. This includes peoples' names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. So, as a security awareness officer what should you be communicating to your workforce? Here are key points about communicating the incident.

  • Stick to the Known Facts. There will be a growing number of guesses, finger pointing and opinions in the coming days, do not share those as most will be wrong and/or changing.
  • This is Not the Victim's Fault. Big incidents like this are a growing problem in the age of big data. Companies collect a huge amount of data about people, data that people have no control over nor can they do anything to protect it. That subject will be shelved for a whole different discussion.

Now, the most important part, what can you tell your people do to protect themselves? Equifax has created a website where people can learn more about the incident. One of the options they offer is people can check to see if their data is believed to be compromised. While this is a nice feature, I would operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened. These are four steps that you can recommend to your workforce that people should take (or download this pre-made email template you can use or modify as you need).

  1. Credit Monitoring: People can sign up for free for Equifax's TrustedID credit monitoring service (Note: they will be asked to come back 13 Sep to set it up, looks like Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, it appears you could limit legal recourse you might have otherwise had. The lawyers are still working this out). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent writeup by Brian Krebs on the limitations of Credit Monitoring.
  2. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. What a security freeze does is lock your credit scores so no one can access them. This means that while your credit score is frozen no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is you have to manually setup a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. Then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four Credit Bureaus.
  3. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdraw or credit card charge is over a certain limit, or can send you daily reports of your financial activity. We highly recommend you enable at least one of these. You are looking to make sure there are no unauthorized transactions in the coming weeks.
  4. Social Engineering Attacks: Warn people that in the coming days/weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls or text messages trying to fool people. A great source to keep people updated is the free OUCH! Security Awareness newsletter.

If you do get hit with Identity Fraud, the FTC has created a very impressive site to help you recover. The Equifax situation will be fluid, expect new updates and findings over the coming days. However the behaviors we cover above apply regardless of how the situation changes, so we recommend you focus on those.

Update: Here are two additional steps recommended by the FTC. My one concern is you don't overwhelm people with so many behaviors that they end up being confused and not taking any action.

  • Tax Fraud: Unfortunately, another crime that can be committed with this stolen information is tax fraud. In other words, criminals submit for tax refunds in the name of the victim. The easiest way to protect yourself against these attacks is submit your tax refund as soon as possible, beat the bad guys to it.
  • Password: If you had an account on the Equifax site (login / password) people should change their password. Even though Equifax did not report any passwords being compromised, their investigation is still on going.

Learn the latest trends and lessons learned in building mature awareness programs in the SANS 2017 Security Awareness Report.



Posted September 8, 2017 at 5:58 PM | Permalink | Reply

H. Tsztoo

Someone with an east Indian accent contacted me about 4 weeks ago. They identified themselves by using my last 4 digits and first two digits of my social security number.
This article is very enlightening''. but the bad guys have my financial info. This is very bad.
Equifax should not have waited to tell us that they had been breached.
I was preoccupied at the time with my elderly parents and had no time to deal with this issue.

Posted September 8, 2017 at 6:12 PM | Permalink | Reply

Bill Liggan

If Equifax could share some info on the threat agent and MO we could ascertain our risk. Do they have a robust PRMF in place? The vulnerability was in a Web Application, which one?

Posted September 8, 2017 at 6:23 PM | Permalink | Reply


All good questions, and hopefully questions that will be answered in coming weeks.

Posted September 8, 2017 at 8:12 PM | Permalink | Reply


I would disagree to an extent it is Equifax's fault. Its also their problem with how they have handled the breach. From C- level's selling stock before public release to creating a crappy website to allow those possibly affected to sign up for the credit monitoring.
I won't let them off the hook for these mistakes and neither should any other Americans.

Posted September 9, 2017 at 2:19 PM | Permalink | Reply

Mark Decker

Good news: Looks like Equifax has backpedalled on the waiving of lawsuit rights (from their website as of Sep 8):
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

Posted September 12, 2017 at 7:24 PM | Permalink | Reply

Andrew Daviel

What is the impact on non-US consumers, e.g. in Canada ?
The site asks for the last 6 digits of (I presume) a US SIN, and mentions "free credit file monitoring and identity theft protection we are offering to all U.S. consumers".

Posted September 12, 2017 at 7:54 PM | Permalink | Reply


Andrew that is a really good question, and to be honest, I don't know the answer. I do know Equifax stated that "limited personal information for certain UK and Canadian residents" was compromised but they were not specific beyond that. Let me do some more digging. This event could have been even more interesting if GDPR was in effect/

Posted September 12, 2017 at 7:57 PM | Permalink | Reply

Paul Doubek

Equifax should most definitely be held accountable. They collect and store my data without my consent, unlike breaches at retail and banking operations with whom I choose to do business. The and the other credit bureaus are high value targets due to the fact that they hold an insane amount of detail on nearly every citizen in this country. They know that (or should know that) and must protect that data accordingly. I would like to see our legislators require credit monitoring and protection free of charge for the life of the information that was stolen, which translates to each of our lifetimes since (as is pointed out) we can't really change things like our names, SSNs, and birth dates.

Posted September 13, 2017 at 12:57 AM | Permalink | Reply

G Smiley

I have had a Security Freeze on my account since the OPM breach. Do we have any confidence that our PINs/passwords (that we use to thaw the accounts) have not also been breached?

Posted September 13, 2017 at 1:19 AM | Permalink | Reply


Equifax has not said anything to the effect the PINS have been compromised. Also, if you have an account with Equifax, I would recommend changing your Equifax password, just to be safe.

Posted September 13, 2017 at 12:57 PM | Permalink | Reply


Re: "they collect my data without my consent"''
Every lender, except perhaps your parents, shares our info with the credit bureaus per their policy. Point in fact, we DO agree to this by signing up for the financial services we use. The problem is we are mostly ignorant of the contractual terms we agree to, because hardly anyone reads the terms. It may not specifically say Equifax or Experian or even credit bureau but the sharing in order to conduct business operations is in there. If it wasn't the lender is in violation of GLBA if they do share the info. Yeah, it sucks but for most of us this is not the first time our info has been stolen. The flip side is we have easy access to loans compared to countries with no credit reporting. Not that Americans really need more credit cards!

Posted September 15, 2017 at 9:07 PM | Permalink | Reply


Agreed. Saying that Equifax is the victim and not to blame is ridiculous.

Posted September 16, 2017 at 2:43 AM | Permalink | Reply


First off, thank you for offering this info.
The Innovis number is incomplete. It is 1-800-540-2505 per

Posted September 16, 2017 at 2:56 AM | Permalink | Reply


Great catch, and fixed. Thanks Justin!

Posted September 16, 2017 at 1:57 PM | Permalink | Reply


I agree, these credit agencies are responsible for the security of our data, and if freezing our accounts makes them more secure, why isn't this already policy for them?
Their services will soon be obsolete if not accurate, so this is for their benefit as well.

Posted September 19, 2017 at 5:28 AM | Permalink | Reply


Just escaped Hurricane Irma thanks to the New York National Guard and came back to the Equifax Hack. The TransUnion site is encouraging a "lock" rather than a "freeze". What is your recommendation?

Posted September 19, 2017 at 11:35 AM | Permalink | Reply


Hey Lisa, I have yet to confirm with TransUnion exactly what they mean by ''Lock'. It's a marketing term developed by them, no one knows exactly what it means. My suggestion, go for the freeze. I highly question TransUnion's motives. They make money with every credit check, they lose money with every credit freeze. So a lock appears to be a very fancy marketing ploy to consumers NOT to freeze their credit accounts. I personally have a freeze with TU.

Posted September 28, 2017 at 11:16 AM | Permalink | Reply

M Prestwood

My biggest concern is hey have our socials. We can freeze our credit, watch our accounts etc but eventually we will relax and they will still have our social. These security behaviors need to become habits for all us