September 21, 2017
Over the past week, we have received numerous inquiries from clients regarding the Equifax security breach. While the true scope of the breach has yet to be determined, we wanted to provide information about the incident as well as recommendations for safeguarding your personal data.
Background of what happened:
Equifax announced on September 7th that the company experienced a data breach from mid-May through July. Hackers accessed the names, addresses, Social Security numbers, dates of birth, and
driver’s license numbers of up to 143 million Americans. Hackers also stole credit card numbers from roughly 209,000 people and the personal information of consumers in the U.K. and Canada. As of this writing, Equifax has not directly notified consumers as to whether their personal data was stolen.
Rather, consumers have been instructed to go directly to Equifax’s web site to determine if they may have been affected by the breach.
How did it happen?
Hackers were able to exploit a vulnerability in the Apache Struts web application software, a program that Equifax uses to support its online dispute portal where consumers record disputes with their credit reports.1 The vulnerability in the software program was announced and a patch was made available to users of the software on March 7th.2 Equifax confirmed that hackers gained access to consumer data through this flaw.3 While industry professionals concede that applying the patch involves a process that can take time, many security experts commented that Equifax should have moved faster.4 Equifax stated its review of patching efforts is still ongoing and it will release more information when it becomes available.5
What should you do now?
Regardless of whether your personal data was compromised by the Equifax breach, experts strongly recommend that all consumers take measures to protect themselves from fraud or identify theft. We have summarized their recommendations below:
- Check the Equifax website to see if Equifax believes your data has been compromised. Go to www.equifaxsecurity2017.com and click on the Potential Impact tab. Enter your name and last six digits of your Social Security number. To date, this is the only notification Equifax is making to let consumers know their data has been compromised. Some individuals whose credit card numbers have been stolen may receive notification by mail.
- Order a free copy of your credit report at www.annualcreditreport.com for Experian, Equifax, and TransUnion to look for new accounts that you did not open or any other suspicious activity.
- Consider placing a credit freeze on your report with all three credit reporting agencies to make it harder for someone to open an account in your name. Once you freeze your credit, you will be required to use a pin number to unfreeze your credit any time you apply for a loan or new credit card. You may go online and place the credit freeze at www.equifax.com, www.experian.com , and www.transunion.com. You may also place a credit freeze by calling Equifax at 1-800-349-9960, Experian at 1-888-397-3742, and TransUnion at 1-888-909-8872.
- Consider placing a 90 day fraud alert on your files. A fraud alert warns creditors that you may be a victim of identity theft. You only need to contact one of the three agencies to place the alert.
- Regularly monitor bank, brokerage, and credit card statements as well as medical bills for unauthorized purchases and withdrawals.
Others steps consumers can take to protect themselves:
- File your taxes early and respond promptly if you receive correspondence from the IRS.
- Beware of possible scams such as callers claiming to be from Equifax wanting to verify your information or Phishing attempts to acquire your data via email.
- Strengthen passwords to include a combination of upper and lower case letters, numbers and symbols.
- Where available, request a four digit pin that must be furnished to obtain account information. Some banks and credit card companies are now allowing consumers to attach a four digit pin number to their accounts which must be furnished before the company will provide account information.
What steps is Carmichael Hill taking to safeguard your personal information?
- Carmichael Hill maintains a secure encrypted in-house server with no “cloud” access.
- Carmichael Hill does not provide personally identifiable information in email correspondence and sends all documents which may contain such information through Box.com’s encrypted files sharing platform.
- We verify money movement directly with clients and will probe any unusual or suspicious requests.
- Carmichael Hill employees receive regular training to recognize cybersecurity threats.
- Can I add additional layers of security to my Charles Schwab account?
Charles Schwab offers three additional options for protecting client data. Clients may request a verbal password be attached to their account so that if they call Charles Schwab directly no information can be disseminated without giving the verbal password. Clients may enroll in Charles Schwab’s two-factor authentication system whereby clients need a user ID and password when logging in to their online account as well as a password generated from a physical token or one that has been sent to their mobile phone. Charles Schwab also allows clients to set up a voice ID system whereby Schwab can authenticate your identity using voice recognition. One or more of these features can be added to your account by calling Schwab Alliance at 1-800-435-4000. Please note that Carmichael Hill does not have access to any Schwab user id or password.
We hope you find the above information helpful. Carmichael Hill will continue to monitor developments in the Equifax breach and remain vigilant in protecting client data. Please contact us if you have any questions or concerns.
Jim Stewart, CFP® Susan Victory, CFP® Jeff Grodsky, CFP®
1 Money.cnn.com, “How the Equifax data breach happened: What we know now”, September 16th, 2017
2 USA Today, “Equifax had patch 2 months before hack and didn’t install it, security group says”, September 14th, 2017
3 www.zdnet.com, “Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack”, September 14th, 2017
4 USA Today, “Equifax had patch 2 months before hack and didn’t install it, security group says”, September 14th, 2017
5 MarketWatch, “2 top Equifax execs retire in wake of massive data breach”, September 15th, 2017