The Equifax Breach & How to Protect Yourself and Your Business

(by Todd Feinman, CEO and Founder of Spirion)
My team thought others would be interested in a memo that I sent to some friends and colleagues. The memo follows:

I have received an overwhelming number of requests for information about what to do since the Equifax leak of 143 million SSNs was disclosed.  I’ve tried to summarize those questions to help you protect yourself, your family, and your business.  If you read nothing else, at least freeze your credit (details below).  There have been 5,952 corporate data breaches since 2010 that have leaked over half a billion records, and the likelihood of your personal information being exposed – more than once – is high.  I’ve been in this industry for over 20 years, written books, presented internationally, and was recently asked to speak on CNBC specifically about Equifax, so let’s get into some of the detailed Q&A.

What should I do about the Equifax Data Breach?

  • Review your credit reports from each of the three credit bureaus and look for any accounts you didn’t authorize.  Equifax didn’t discover the leak for over two months and then didn’t disclose it for another six weeks, so your data could already have been sold or used.  (Tip: all three credit reports are free from annualcreditreport.com).
  • Freeze your credit ASAP (after reviewing your credit reports – see the questions below on how to do it and what it costs).
  • Avoid giving businesses your personal information whenever possible.  Always ask if there is an alternative to providing your SSN.

Will freezing my credit hurt me?

  • No.  A freeze restricts access to your credit report, which makes it much more difficult for an impersonator to open an account in your name.  For example, opening a credit card normally requires the bank to run a credit check first, and that check fails against a frozen report.
  • Landlords, insurance companies, banks, and other organizations might need to legitimately run a credit check on you.  If this is necessary, you can temporarily unfreeze your credit.

How do I freeze my credit?

  • Contact each of the three major credit bureaus (and one other, smaller bureau).  You will have to provide personal information (including name, address, SSN, and birthdate) to prove your identity.
  • Note that you will receive a PIN online or by postal mail; you will need it to unfreeze your credit in the future.  Keep your PIN safe and secure.

How long will this take me and what does it cost?

  • From my personal experience, it should take less than 15 minutes in total.
  • The cost varies by state and may be free for you.  In NY, I am able to freeze my credit for free but each unfreeze costs $5 per bureau.  It also costs me $5 if I lose my PIN.  Equifax is providing free credit freezes until Nov. 21st and you can review the costs by state at this link: www.goo.gl/WM9fQN

What if I need to unfreeze?

  • Once you make the request with your PIN, it could be instant; however, the bureaus suggest it could take a maximum of 3 business days.

If there have been almost 6,000 data leaks since 2010, why freeze now?

  • Wait, you haven’t frozen your credit yet?  In all seriousness, you should have, given the rate at which companies ask for your SSN and the rate at which they are attacked.  Equifax is just the wake-up call; your data is at risk, and you are gambling with your identity every day you don’t protect it.
  • Data stolen in breaches is harvested and sold on the dark web (yes, that’s a real thing).  Eventually enough of your specific data accumulates to make stealing your identity very easy and very costly for you.  For example, if you had a Yahoo account, you are probably aware that Yahoo leaked passwords, names, birthdates, phone numbers, addresses, and email addresses.  Criminals can correlate your name and birthdate from Equifax with the Yahoo data, and now they know just about everything about you.  Add the other ~6,000 breaches and we are all at high risk.

Can you think of a reason not to freeze?

  • If you are applying for a mortgage, lease, bank account, or credit card in the next few days, I suppose waiting a week is not the worst thing in the world.  But if those things are months away, freeze now and unfreeze later.  The additional cost is inconsequential compared to the time and money needed to combat identity fraud.
  • If you want to purchase credit monitoring or haven’t yet pulled your credit reports.  A freeze also blocks the report pulls a monitoring service needs in order to enroll you, so pull your reports and sign up for monitoring first, then turn on the freeze.

Wait, now you are saying I should monitor my credit?

  • Security is all about multiple layers of protection.  I recommend simply freezing your credit now but if you want even more protection, credit monitoring can alert you to anomalies a freeze might not protect against.  Your first year is free from Equifax: www.goo.gl/DfLAo2
  • I would not recommend expensive, bloated credit monitoring services that bundle software or insurance, as you will likely get better software elsewhere and the insurance is likely useless.

Equifax offered me 1 year of free credit monitoring.  Isn’t that good enough?

  • No.  Your SSN never expires, so a single year of monitoring doesn’t help you much.  That offer is more of a PR maneuver; they probably should have offered you lifetime credit monitoring.  This is why a freeze is much better.

Shouldn’t I feel bad for Equifax?

  • No.  Equifax is not the real victim here; you are.  Equifax was negligent.  A web application of theirs had a known vulnerability that they were aware of and didn’t fix.  That vulnerability let an attacker in, and once inside the attacker was able to reach your personal data.  Equifax, and every business, should minimize the amount of unprotected personal information stored on its systems and know where that information is at all times.
  • It is unquestionably a matter of when, not if, a company will be hacked.  However, what the hackers can steal once inside should be far better controlled.  Organizations have an obligation to increase security on the systems that store our private details.

How could Equifax have prevented this?

  • While many IT security gurus will say “patch your systems; buy more security products,” it has become evident over the last decade that this approach, by itself, is antiquated.  The solution now centers on minimizing sensitive data and classifying what remains, so that systems do not allow it to leak during an attack.
  • Data classification tags files persistently so that people and enforcement systems (access controls, encryption, data loss prevention) know they are sensitive and can block them from being read or copied.  Our SSNs were not properly classified and protected.

So Data Classification is the answer?

  • It’s a big part of the solution.  You cannot protect what you cannot see!  Of course, a multi-layered approach is even better.  Yes, companies need to classify their data so it cannot be stolen through an impersonated employee or system account; however, patching security holes and layering multiple security technologies all minimize the risk of a break-in.  The answer is definitely a data-centric classification approach with additional protection from security tools and solutions.
  • Data discovery is also critical, because companies and their employees can’t be expected to manually classify millions of files.  Data discovery, if done accurately and reliably, automates the classification process so that sensitive and personal data is identified and protected before an attacker reaches it.
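As an added illustration of the discovery step (example code written for this page, not Spirion’s software), the script below scans constructed sample file contents for Social Security numbers, applies the SSA’s issuance rules to discard impossible numbers, requires a nearby keyword before accepting a bare nine-digit run, and labels each file accordingly.  The sample contents, the label names, the keyword list, and the context window are assumptions; persisting the label as file metadata is not shown.

```python
"""Added illustration of SSN data discovery and classification (not Spirion's code).

Candidates are matched with a regex, filtered by the SSA's issuance rules
(area not 000, 666 or 900-999; group not 00; serial not 0000) and, for bare
9-digit runs, accepted only when an SSN-like keyword appears shortly before
them.  Each "file" then gets a classification label based on what was found.
"""
from __future__ import annotations

import re

# Formatted candidates: dashes or spaces between area, group and serial.
# The lookbehind/lookahead keep us from matching inside longer digit runs.
_FORMATTED = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})(?!\d)"
)
# Bare candidates: nine consecutive digits, same issuance rules.
_BARE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})(?!00)(\d{2})(?!0000)(\d{4})(?!\d)"
)
# A bare 9-digit run could be an order or account number, so require a hint
# within a short window before it (heuristic; window size is an assumption).
_CONTEXT = re.compile(r"\b(ssn|social security|soc\.? sec\.?|ss#)", re.I)
_CONTEXT_WINDOW = 40
# Widely advertised sample numbers (wallet-insert and SSA pamphlet) that still
# show up in test data and should not be treated as real SSNs.
_KNOWN_BOGUS = {"078051120", "219099999"}


def find_ssns(text: str) -> list[str]:
    """Return the distinct SSNs (as 9-digit strings) found in text, in order."""
    found: list[str] = []

    def _add(digits: str) -> None:
        if digits not in _KNOWN_BOGUS and digits not in found:
            found.append(digits)

    for m in _FORMATTED.finditer(text):
        _add("".join(m.groups()))
    for m in _BARE.finditer(text):
        window = text[max(0, m.start() - _CONTEXT_WINDOW):m.start()]
        if _CONTEXT.search(window):
            _add("".join(m.groups()))
    return found


def classify(text: str) -> tuple[str, list[str]]:
    """Label text 'Restricted' if it holds an SSN, otherwise 'Internal' (assumed labels)."""
    ssns = find_ssns(text)
    return ("Restricted" if ssns else "Internal"), ssns


def scan(files: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Classify every path in a {path: contents} mapping (stand-in for a file share)."""
    return {path: classify(text) for path, text in files.items()}


# Constructed sample contents; none of these numbers belongs to a real person.
SAMPLE_FILES = {
    "hr/onboarding_2017.txt": "Employee: J. Example\nSSN: 123-45-6789\nStart: 2017-09-01\n",
    "finance/wires.txt": "Wire ref 987-65-4321 cleared; GL acct 000-12-3456\n",
    "marketing/sample_form.txt": "Use the wallet-insert sample SSN 078-05-1120 in mockups\n",
    "legal/claim_notes.txt": "Order 412345678 shipped; claimant social security 321546789 on file\n",
}

if __name__ == "__main__":
    for path, (label, ssns) in scan(SAMPLE_FILES).items():
        print(f"{label:10s} {path}  ({len(ssns)} SSN(s) found)")
```

Run as-is, the finance and marketing files come back as Internal (the 9xx and 000 area numbers and the advertised sample are rejected), the HR file is Restricted on the formatted number, and the legal file is Restricted on the bare number next to “social security” while the order number just before it is ignored.  In a real deployment the returned label would be written back as persistent metadata on the file so that downstream controls can act on it.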

Didn’t you start Spirion to help companies discover and classify data?

  • Yes!  Our software is used by thousands of enterprises that you don’t hear about exposing personal information!

Can I call you to help freeze or unfreeze my credit?  What about credit monitoring? 

  • No.

What if I want to recommend your software or buy it for my company?

  • I’d be very grateful.  These breaches frustrate me both personally and professionally.  Send them my way or visit spirionstage.wpengine.com

Todd Feinman
CEO and Founder, Spirion