Lance Spitzner

What to Communicate About the Equifax Hack

September 8, 2017

Equifax Hack

Editor's NOTE: Updated 14 September to include links AND phone numbers for all 4 agencies for a credit freeze. People are reporting better luck with the phone.

As most of you have read by now, Equifax was hacked. Equifax is one of four credit rating services, called Credit Bureaus (the other three are Experian, TransUnion and Innovis). This means they harvest (and sell) the financial data and credit ratings of almost every adult citizen in the United States. Yesterday (7 Sep) Equifax announced they were hacked between mid-May and July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised. This includes people's names, Social Security Numbers, addresses and, in some instances, driver’s license numbers.

This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. So, as a security awareness officer, what should you be communicating to your workforce? Here are key points about communicating the incident.

  • Stick to the Known Facts. There will be a growing number of guesses, finger pointing and opinions in the coming days. Do not share those, as most will be wrong and/or changing.
  • This is Not the Victim's Fault. Big incidents like this are a growing problem in the age of big data. Companies collect a huge amount of data about people, data that people have no control over and can do nothing to protect. That subject will be shelved for a whole different discussion.

Now, the most important part: what can you tell your people to do to protect themselves? Equifax has created a website where people can learn more about the incident. One of the options they offer is that people can check to see if their data is believed to be compromised. While this is a nice feature, I would operate under the assumption that your data has been hacked, as Equifax could be wrong and/or is still trying to figure out what happened. Here are four steps you can recommend that your workforce take (or download this pre-made email template you can use or modify as you need).

  1. Credit Monitoring: People can sign up for free for Equifax's TrustedID credit monitoring service. (Note: they will be asked to come back 13 Sep to set it up; it looks like Equifax is scrambling to get the free registration service functional. In addition, if you sign up for the free service, it appears you could limit legal recourse you might otherwise have had. The lawyers are still working this out.) Credit monitoring does NOT protect you from credit card fraud; this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent writeup by Brian Krebs on the limitations of Credit Monitoring.
  2. Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. What a security freeze does is lock your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is that you have to manually set up a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. Then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details for submitting a credit freeze request with each of the four Credit Bureaus.
    Equifax: 1-800-685-1111 / 1-800-349-9960
    Experian: 1-888-397-3742
    TransUnion: 1-888-909-8872
    Innovis: 1-800-540-2505
  3. Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service that notifies you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or that can send you daily reports of your financial activity. We highly recommend you enable at least one of these. You are looking to make sure there are no unauthorized transactions in the coming weeks.
  4. Social Engineering Attacks: Warn people that in the coming days/weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls or text messages trying to fool people. A great source to keep people updated is the free OUCH! Security Awareness newsletter.

If you do get hit with Identity Fraud, the FTC has created a very impressive site to help you recover. The Equifax situation will be fluid; expect new updates and findings over the coming days. However, the behaviors we cover above apply regardless of how the situation changes, so we recommend you focus on those.

Update: Here are two additional steps recommended by the FTC. My one concern is that you don't overwhelm people with so many behaviors that they end up being confused and not taking any action.

  • Tax Fraud: Unfortunately, another crime that can be committed with this stolen information is tax fraud. In other words, criminals submit for tax refunds in the name of the victim. The easiest way to protect yourself against these attacks is to submit your tax refund as soon as possible and beat the bad guys to it.
  • Password: People who had an account on the Equifax site (login / password) should change their password. Even though Equifax did not report any passwords being compromised, their investigation is still ongoing.

Learn the latest trends and lessons learned in building mature awareness programs in the SANS 2017 Security Awareness Report.
