Equifax Breach - Communicating impact and actions

This entire response has been comically bad to watch unfold. The type of data and scope of breach were bad enough but add in the bumbling response that reinforced a message of "these guys don't get it" across the industry and press...and it quickly became epic. But I'm inside the industry and have an understanding of how bad it is. What about those friends and family we have outside of industry, who might only find out about this through some apocalyptic local news story? 

I spend a lot of professional time communicating risks to non-technical audiences (C-suite, boards, etc.). I felt it important to do the same for friends and family with this breach. Below is an email I have tapped out and sent to a number of people, proactively and after fielding some phone calls. Feel free to copy and use it yourself.

---
Hi All,

I assume you've seen the news regarding the Equifax breach, but I wanted to emphasize that this is a big deal in terms of the amount and type of information lost. It is very likely that your personal information has been compromised, including: name, date of birth, social security number, driver's license number, and potentially more. This is all the critical information people need for identity theft and fraud. Below are some of my recommendations for preventative and detective controls you can put in place to help protect yourself or get alerted quickly when (not if) something bad happens.


There are three things you should do immediately:
  • Check if your information was compromised at https://www.equifaxsecurity2017.com/
    • Do not enroll in Equifax's credit monitoring program until you read below
  • Enable Two Factor Authentication (2FA) on all financial account websites that offer it
    • 2FA generally involves receiving a unique code (via SMS/email/phone call) that is used as part of a login process for added security
  • Place a 90-day fraud alert on your credit report at one of the four credit reporting agencies: Equifax, Experian, TransUnion, and Innovis. They will communicate it to the others on your behalf. This should be relatively painless and give you some time to implement the actions below, which may take more time.


PREVENT:
If your information has been compromised, I would recommend placing a freeze on your credit reports at Equifax, Experian, TransUnion, and Innovis.

A freeze locks your credit report and will block any inquiry/pull attempts unless you unfreeze the report. This is the strongest preventative control you can put in place to protect your credit and identity. There is a $0 - $15 max cost for placing a freeze on your credit reports, depending on state laws. You can find state-specific fees here: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection

Before placing a freeze on your file, I highly recommend reading the following article to understand the ins and outs: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

DETECT:
In addition to the freeze, you can put detective controls in place. Detective controls mean you will be alerted if something suspicious happens. These include:
  • Establishing alerts on your bank accounts and credit cards for transactions over a certain threshold. These alerts can be email or SMS.
  • Credit Monitoring*
*I am not a strong believer in credit monitoring, based on the cost to subscribe over the course of many years, especially if you have a credit freeze in effect, and it does not prevent anything.

GENERAL TIPS:
Lastly, some general tips for good security hygiene:
  • Update/patch your computers, mobile phones, and apps as soon as you are notified of updates.
  • Use strong and unique passwords for each website you sign up for
    • Consider using a password manager like KeePass (professional edition, http://keepass.info/download.html) - Happy to give people a tutorial on the software if needed.
    • Never store your usernames and passwords in a file on your computer (exception for the managers above, which are encrypted)
    • Writing them down is perfectly fine for home use...just keep them in a safe place
  • Vary the usernames you use on websites - if you can see a pattern in your usage, so can an attacker

Please don't hesitate to reach out with questions and please feel free to forward this along to family/friends.

Stay Safe,
...

---

Comments on the site are disabled. If you have any edits or concerns drop me an email or contact me on twitter!


UPDATE: 2017-09-14

It appears TransUnion is purposefully obfuscating the process for freezing your credit on their site and instead promoting their own ID Protection service. Reddit user equisux posted a thread detailing changes to the website, using Archive.org's Wayback Machine to show changes made around Sept. 11th that bury the freeze option. The post details the new click-throughs on the TransUnion website that you need to go through and can be found here: https://www.reddit.com/r/personalfinance/comments/6zur5h/transunion_burying_their_credit_freeze_to_sell

Direct phone numbers for all credit institutions are below. Expect massive hold times:
TransUnion Freeze hotline: 888.909.8872
Equifax: 800.685.1111 (NY residents 1-800-349-9960 / Canadians 1-800-465-7166)
Experian: 888.397.3742