The Equifax breach, which is still under investigation, has left the nation reeling. Here at Threat Sketch, our heart goes out to the 143 million potential victims (which includes us). While Threat Sketch does not provide consumer cybersecurity services, we are experts in the field of cybersecurity, and are well aware that cyber attacks are on the rise. The first thing for all victims of this breach to do is lock and freeze their credit. Brian Krebs has great information on this topic in his blog post: The Equifax Breach: What You Should Know.
In addition, we would like to add the following tips applicable to any data breach:
- Victims should call their bank, credit card and investment companies. They should ask what, if anything, those organizations can do to lock down their accounts, explaining that personal information was hacked. Avoid being sold a credit monitoring solution; you only need one (if any).
- Not all personal bank (checking/savings/investment) and credit card accounts offer protection from fraudulent transactions. This means if someone drains your account while posing as you, you take the hit, rather than the bank replacing that money and trying to find the thief. At some places, you have to ask for, and sometimes pay for, protection from fraudulent transactions. It really depends on the institution.
- Victims should review and possibly change any security questions on file at financial institutions, email, social media, etc., that could be guessed from what the hackers took. Other non-financial service providers might have security questions that need updating too.
- Remember going forward that two-factor (aka 2-step, multi-factor, or token) authentication is important. Each organization will call it something different and implement it in its own way, but nearly all have it in some form. This is the login process where, in addition to a password, you must enter a code that is generated by an app on your phone or sent via text message. If an organization you work with doesn’t offer this, you should switch to one that does. This applies to email, social media, and financial institutions, as well as your cell phone accounts.
- Aggressively monitor your own credit on an annual basis, looking for new accounts that you did not authorize. This is really all the monitoring services do for you, but they can’t really know your information like you do. They also tend to look only at one, maybe two, of the three major credit bureaus. Beware of any source other than the one authorized by the FTC to pull free reports. Others are scams, or sales-fronts. (FTC Credit Report)
What should employers do, besides disseminating this information, to help settle nerves within the ranks? Give employees time to make these calls and address these issues. An hour here or there to allow employees to protect themselves will go a long way toward building morale. For more suggestions check out our blog post: Damage Control: Communicating with and Protecting Victims after a Cyber Attack.
About the Author: Rob Arnold, founder and CEO of Threat Sketch, has worked in internet security for over 20 years, including launching his own consulting firm to provide executive IT and security consulting to small, medium and Fortune 100 companies.