Editor's NOTE: Updated 14 September to include links AND phone number to all 4 agencies for a credit freeze. People are reporting better luck with the phone.
As most of you have read by now, Equifax was hacked. Equifax is one of four credit rating services, called Credit Bureaus (the other three are Experian, Trans Union and Innovis). This means they harvest (and sell) the financial data and credit ratings of almost every adult citizen in the United States. Yesterday (7 Sep) Equifax announced they were hacked between mid-May through July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised. This includes peoples' names, Social Security Numbers, addresses and, in some instances, driver’s license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. So, as a security awareness officer what should you be communicating to your workforce? Here are key points about communicating the incident.
- Stick to the Known Facts. There will be a growing number of guesses, finger pointing and opinions in the coming days, do not share those as most will be wrong and/or changing.
- This is Not the Victim's Fault. Big incidents like this are a growing problem in the age of big data. Companies collect a huge amount of data about people, data that people have no control over nor can they do anything to protect it. That subject will be shelved for a whole different discussion.
Now, the most important part, what can you tell your people do to protect themselves? Equifax has created a website where people can learn more about the incident. One of the options they offer is people can check to see if their data is believed to be compromised. While this is a nice feature, I would operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened. These are four steps that you can recommend to your workforce that people should take (or download this pre-made email template you can use or modify as you need).
- Credit Monitoring: People can sign up for free for Equifax's TrustedID credit monitoring service (Note: they will be asked to come back 13 Sep to set it up, looks like Equifax is scrambling to get the free registration service functional. In addition, if you sign-up for the free service, it appears you could limit legal recourse you might have otherwise had. The lawyers are still working this out). Credit monitoring does NOT protect you from credit card fraud, this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent writeup by Brian Krebs on the limitations of Credit Monitoring.
- Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. What a security freeze does is lock your credit scores so no one can access them. This means that while your credit score is frozen no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is you have to manually setup a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. Then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four Credit Bureaus.
Equifax: 1-800-685-1111 / 1-800-349-9960
- Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdraw or credit card charge is over a certain limit, or can send you daily reports of your financial activity. We highly recommend you enable at least one of these. You are looking to make sure there are no unauthorized transactions in the coming weeks.
- Social Engineering Attacks: Warn people that in the coming days/weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls or text messages trying to fool people. A great source to keep people updated is the free OUCH! Security Awareness newsletter.
If you do get hit with Identity Fraud, the FTC has created a very impressive site to help you recover. The Equifax situation will be fluid, expect new updates and findings over the coming days. However the behaviors we cover above apply regardless of how the situation changes, so we recommend you focus on those.
Update: Here are two additional steps recommended by the FTC. My one concern is you don't overwhelm people with so many behaviors that they end up being confused and not taking any action.
- Tax Fraud: Unfortunately, another crime that can be committed with this stolen information is tax fraud. In other words, criminals submit for tax refunds in the name of the victim. The easiest way to protect yourself against these attacks is submit your tax refund as soon as possible, beat the bad guys to it.
- Password: If you had an account on the Equifax site (login / password) people should change their password. Even though Equifax did not report any passwords being compromised, their investigation is still on going.
Learn the latest trends and lessons learned in building mature awareness programs in the SANS 2017 Security Awareness Report.