Lessons Learned on the 1-year Anniversary of the Historic Equifax Data Breach
Vice President and ID Theft Practice Leader
One year ago today, on September 7, 2017, Equifax announced its cybersecurity incident involving the private information of 143 million people (Link to article).
Unbelievably, the Equifax data breach event occurred between May and July, 2017, yet Equifax waited six weeks before its public disclosure on September 7, 2017.
This unauthorized access meant that nearly 44% of the entire U.S. population was affected by the Equifax data breach event.
But it gets worse: one month later, Equifax announced that its data breach event affected millions more than first thought (Link to Article). An additional 2.5 million Americans were affected by its massive security breach, bringing the total to 145.5 million people.
Then, on March 1, 2018, Equifax found an additional 2.4 million Americans impacted by its 2017 data breach (Link to Article), bringing the total number of affected individuals to nearly 148 million.
The Equifax data breach event exposed Social Security numbers, dates of birth, addresses, and, in some cases, driver's license numbers. This data breach event likely means that every affected consumer will have their Social Security numbers and birth dates sold and traded on the "dark web" and "hacker forums" for the rest of their lives.
So when Equifax offers consumers 12 months or 24 months of credit bureau monitoring for "free," it is essentially worthless, as ID theft criminals typically sit on stolen information for 12 to 24 months before they begin to use it for fraudulent purposes.
As we recognize the one-year anniversary of this historic September 7, 2017 public disclosure of the Equifax data breach event, I have listed below some lessons learned for consumers:
- As I referenced, ID theft criminals typically sit on stolen information for 12 to 24 months before they begin to use it for fraudulent purposes.
- Credit bureau monitoring provides a false sense of security and cannot prevent individual consumers from becoming a victim of ID theft.
- Credit bureau monitoring cannot alert consumers to non-financial ID theft such as taxpayer ID theft/refund fraud, medical ID theft and credential (e.g. driver's license or passport) ID theft.
- Consumers underestimate the possibility of becoming an ID theft victim and do not realize how labor- and time-intensive recovering from identity theft is.
At the same time, here are some lessons learned for Equifax:
- The Equifax CEO (Chief Executive Officer), CIO (Chief Information Officer) and CSO (Chief Security Officer) were not forced to resign (or "retire") because Equifax experienced a data breach event; they resigned because of their failed management response to its data breach event.
- If Equifax, a business centered on securing our most sensitive personal information, with more financial and IT resources than most business sectors, cannot prevent a data breach from happening - what leads other businesses to believe they can?
- But it's not just Equifax, as the two other major credit bureaus (Experian and TransUnion) along with the top 10 banks and health insurance companies in the U.S. have all experienced data breaches.
Based on new privacy laws and the current regulatory landscape including GDPR (General Data Protection Regulation), the new California Consumer Privacy Act of 2018, and the recently revised 50 state notification laws – now is a good time to understand what consumers and businesses should do to protect themselves, their families, their employees, and their customers.
To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.
Scam Alert: IRS Fraud Calls May Be The New Trend In Tax Scams
By Council of Better Business Bureaus. August 20, 2018.
The Internal Revenue Service (IRS) has changed the way it deals with overdue taxes, and that means third party collection agencies may now call you on the phone.
Like the IRS, Better Business Bureau (BBB) is concerned this change might lead to scammers trying new tax scams to trick people with IRS fraud calls. Here is what you need to know about this program that started in April 2017.
A federal law signed in 2015 lets four contractors collect unpaid tax debts for the government. According to the IRS, these are unpaid tax debts that were assessed several years ago and which the agency is no longer trying to collect directly.
All four of the companies contracted by the IRS are BBB Accredited Businesses:
- 1309 Technology Pkwy, Cedar Falls, IA 50613
- 200 CrossKeys Office Park, Fairport, NY 14450
- 333 N Canyons Pkwy, Livermore, CA 94551
- 325 Daniel Zenker Dr, Horseheads, NY 14845
There are many ways to tell whether a call you receive about tax debts is an IRS fraud call. According to the IRS, people with overdue taxes will always receive multiple contacts, including letters and phone calls, from the IRS first. The IRS will also always notify taxpayers before sending their accounts to a private collection agency.
Here's how it will work, and how you can tell the difference between a legitimate debt collector and a tax scam:
- The IRS and the private debt collection company will both send a letter to the taxpayer first. If you get a call first and had no idea you owed taxes, be cautious. NOTE: Taxpayers who have recently moved may have missed those letters. This could lead to confusion if their first contact is from the collection agency. Taxpayers can use Form 8822 to update the IRS with a new address: https://www.irs.gov/uac/form-8822-change-of-address.
- Private debt collectors will be able to identify themselves as contractors of the IRS collecting taxes. These employees must comply with the Fair Debt Collection Practices Act and, like IRS employees, must be courteous and respect taxpayers' rights. If the caller yells, curses, or threatens to have you arrested, it is not a legitimate collector. Just hang up.
- Private debt collectors will not ask for, and cannot accept, credit card information over the phone. Consumers will pay the IRS directly and will not need to send any money to the private debt collection company. You can check this page for payment options: https://www.irs.gov/payments. You can also see your balance and payment history. If the caller asks you to pay them directly, and especially if they ask for an unusual form of payment such as wire transfer or gift cards, it's a scam. Just hang up!
- Taxpayers can ask for their account to be transferred from the private debt collection company back to the IRS.
The IRS adds that private collection firms will only be calling about tax debts that people have had for years and that they have been contacted about previously. Taxpayers can confirm they have an unpaid tax debt from a previous year by visiting www.irs.gov/balancedue.
BBB reminds all consumers, particularly those who have outstanding tax debts, that the IRS will explain this new process clearly and will make every attempt to work with them to set up payment plans. They will also give taxpayers the chance to question or appeal the amount owed.
For more information and updates, you can visit: https://www.irs.gov/businesses/small-businesses-self-employed/private-debt-collection.
To report a scam, go to BBB Scam Tracker (BBB.org/scamtracker). To protect yourself from all kinds of scams, visit the BBB Scam Tips page (BBB.org/scamtips).
Stay up on the latest scams by subscribing to BBB Scam Alerts emails. BBB Serving Central Virginia contributed to this report.