September 21, 2017

Over the past week, we have received numerous inquiries from clients regarding the Equifax security breach. While the true scope of the breach has yet to be determined, we wanted to provide information about the incident as well as recommendations for safeguarding your personal data.

Background of what happened:

Equifax announced on September 7th that the company experienced a data breach from mid-May through July. Hackers accessed the names, addresses, Social Security numbers, dates of birth, and driver’s license numbers of up to 143 million Americans. Hackers also stole credit card numbers from roughly 209,000 people and the personal information of consumers in the U.K. and Canada. As of this writing, Equifax has not directly notified consumers as to whether their personal data was stolen. Rather, consumers have been instructed to go directly to Equifax’s web site to determine if they may have been affected by the breach.

How did it happen?

Hackers were able to exploit a vulnerability in the Apache Struts web application software, a program that Equifax uses to support its online dispute portal where consumers record disputes with their credit reports.[1] The vulnerability in the software program was announced and a patch was made available to users of the software on March 7th.[2] Equifax confirmed that hackers gained access to consumer data through this flaw.[3] While industry professionals concede that applying the patch involves a process that can take time, many security experts commented that Equifax should have moved faster.[4] Equifax stated its review of patching efforts is still ongoing and it will release more information when it becomes available.[5]

What should you do now?

Regardless of whether your personal data was compromised by the Equifax breach, experts strongly recommend that all consumers take measures to protect themselves from fraud or identity theft. We have summarized their recommendations below:

  • Check the Equifax website to see if Equifax believes your data has been compromised. Go to www.equifaxsecurity2017.com and click on the Potential Impact tab. Enter your name and last six digits of your Social Security number. To date, this is the only notification Equifax is making to let consumers know their data has been compromised. Some individuals whose credit card numbers have been stolen may receive notification by mail.
  • Order a free copy of your credit report at www.annualcreditreport.com for Experian, Equifax, and TransUnion to look for new accounts that you did not open or any other suspicious activity.
  • Consider placing a credit freeze on your report with all three credit reporting agencies to make it harder for someone to open an account in your name. Once you freeze your credit, you will be required to use a PIN to unfreeze your credit any time you apply for a loan or new credit card. You may go online and place the credit freeze at www.equifax.com, www.experian.com, and www.transunion.com. You may also place a credit freeze by calling Equifax at 1-800-349-9960, Experian at 1-888-397-3742, and TransUnion at 1-888-909-8872.
  • Consider placing a 90-day fraud alert on your files. A fraud alert warns creditors that you may be a victim of identity theft. You only need to contact one of the three agencies to place the alert.
  • Regularly monitor bank, brokerage, and credit card statements as well as medical bills for unauthorized purchases and withdrawals.

Other steps consumers can take to protect themselves:

  • File your taxes early and respond promptly if you receive correspondence from the IRS.
  • Beware of possible scams, such as callers claiming to be from Equifax wanting to verify your information, or phishing attempts to acquire your data via email.
  • Strengthen passwords to include a combination of upper and lower case letters, numbers and symbols.
  • Where available, request a four-digit PIN that must be furnished to obtain account information. Some banks and credit card companies are now allowing consumers to attach a four-digit PIN to their accounts, which must be furnished before the company will provide account information.

What steps is Carmichael Hill taking to safeguard your personal information?

  • Carmichael Hill maintains a secure encrypted in-house server with no “cloud” access.
  • Carmichael Hill does not provide personally identifiable information in email correspondence and sends all documents which may contain such information through Box.com’s encrypted file-sharing platform.
  • We verify money movement directly with clients and will probe any unusual or suspicious requests.
  • Carmichael Hill employees receive regular training to recognize cybersecurity threats.

Can I add additional layers of security to my Charles Schwab account?

Charles Schwab offers three additional options for protecting client data. Clients may request that a verbal password be attached to their account so that if they call Charles Schwab directly, no information can be disseminated without giving the verbal password. Clients may enroll in Charles Schwab’s two-factor authentication system, whereby clients need a user ID and password when logging in to their online account as well as a password generated from a physical token or one that has been sent to their mobile phone. Charles Schwab also allows clients to set up a voice ID system whereby Schwab can authenticate your identity using voice recognition. One or more of these features can be added to your account by calling Schwab Alliance at 1-800-435-4000. Please note that Carmichael Hill does not have access to any Schwab user ID or password.

For more information, please visit the Federal Trade Commission’s website at www.FTC.gov or go directly to the FTC’s identity theft reporting website at www.IdentityTheft.gov.

We hope you find the above information helpful. Carmichael Hill will continue to monitor developments in the Equifax breach and remain vigilant in protecting client data. Please contact us if you have any questions or concerns.

Jim Stewart, CFP®                     Susan Victory, CFP®                   Jeff Grodsky, CFP®

 

1 Money.cnn.com, “How the Equifax data breach happened: What we know now”, September 16th, 2017
2 USA Today, “Equifax had patch 2 months before hack and didn’t install it, security group says”, September 14th, 2017
3 www.zdnet.com, “Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack”, September 14th, 2017
4 USA Today, “Equifax had patch 2 months before hack and didn’t install it, security group says”, September 14th, 2017
5 MarketWatch, “2 top Equifax execs retire in wake of massive data breach”, September 15th, 2017

