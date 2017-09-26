Equifax, one of the three largest American credit agencies that gathers information about approximately 800 million people, sometimes without them even knowing, had its system breached by hackers in mid-May until July, exposing personal information of about 143 million people.

“People can have their whole identity and lives stolen,” said Joan Bradley, a sophomore English major.

Mehmet Tozal, Ph.D., an assistant professor in the School of Computing and Informatics, said he plans to use the breach as a case study in one of his security courses. He said in many identity theft crimes, identities are sold to the black market for about $30 per identity. He added this is dangerous because most credit lines or loans can be opened or started over the phone and hackers involved in this breach in particular possibly have access to all the information needed to do so.

According to the Federal Trade Commission’s website, the information stolen includes addresses, birth dates, social security numbers and driver’s license numbers in some instances. The FTC website also states around 209,000 people had their credit card numbers stolen as well.

Brayden Guidry, junior public relations major, said the situation is worrisome because credit and building credit is important to millennials because they’re at the point in their lives where many are considering buying a house or a car. If one’s credit score was severely affected by this breach, the chance of these potential purchases could be hindered.

“If you don’t have credit, then you barely have a life,” Guidry said.

Tozal said there are things EquiFax should have done differently to prevent the severity of the breach.

Software security vulnerabilities will always happen and when they are discovered, a “patch” — something that attempts to solve a vulnerability — is released, Tozal said. When new functions are added to softwares, he explained they introduce new potential vulnerabilities, which is why it is vital for these patches to be updated regularly.

Brian West, an instructor of Business Systems, Analysis, and Technology in the B.I. Moody III College of Business Administration, said in his research he read that EquiFax discovered a security vulnerability in March and a patch was released for it the same month.

“Again (the patch is), nothing 100 percent, but when you have something like a security patch, you have to update them immediately,” West said.

EquiFax did not update the patch, which led to the breach that came two months later.

In addition to not updating the system, Tozal said another fault lies on EquiFax. He explained when one is in the beginning stages of creating a system, it is imperative to ensure precautionary measures are put in place to prevent potential security issues like this one.

“You always have to think in terms of security and develop scenarios like, ‘What if this web server is attacked?’ You always have to develop countermeasures and it seems as though they (EquiFax) did not implement those countermeasures,” Tozal said.

Tozal continued, from what he researched, “it looks like” all the sensitive information accessed by hackers was in plain text, meaning it was not encrypted.

“If the data was encrypted, victims’ personal information would not have been so easily obtained,” he said. “Even if the hackers got the data, they could not decrypt and get the content of the data; it would just look like garbled text to them.”

EquiFax is a consumer credit reporting agency founded in 1899. In addition to the 800 million individuals it gathers information from, it also does so for 88 million businesses worldwide. They offer credit and demographic related data and services to businesses, and they also sell credit monitoring and fraud-prevention services directly to consumers. Information gathered about consumers are obtained from credit card companies, banks and other lenders.

Many are questioning why EquiFax waited over a month after discovering the breach in May to notify potential victims their identities may have been compromised.

“At the very least it’s an ethical problem and at the very worst it’s violation of law,” West said. “I don’t completely understand the law, but I know that you’re supposed to let someone know.”

On the contrary, Tozal said he understands the notification pause from EquiFax’s end.

“After the data breach occurred I understand that they cannot immediately go to the newspapers,” he said. “I am fine with them letting us know a month or so later, giving that they were probably contacting the federal agencies and everything trying to figure out what they should do about this.”

Carson Whatley, a junior French major who is familiar with the breach, said it makes him uncomfortable because of the number of people it affected.

“You’d figure you’re in there somewhere,” he said.

One hundred and forty-three million is nearly half of the U.S population (about 323 million). West said he imagines if one considers only the adult U.S population, there is probably an even greater than 50 percent chance of one’s identity have been compromised.

“I honestly believe if we took a look at it, I bet you it would be a good 75 percent or 80 percent of folks that have been compromised,” he said.

EquiFax has created a website where one can check if they were affected by the breach and have access to updates and announcements posted by the company. For those who think they were affected by the breach, AP reports they can freeze their account. Freezing the account would make it difficult for a possible identity thief to use the information stolen to create new accounts.

“If you call you can put your credit on hold,” West said. “So if you were to apply for a new credit card or something, they’re going to call to make sure it was you every time.”

Other precautions the FTC lists for possible breach victims is to monitor existing bank and credit card accounts, file taxes early, place a fraud alert on files and check credit reports to see unknown accounts or activity on accounts.

Bradley said she is worried breaches like Equifax are still happening, even with all the security modification over the years.

Both West and Tozal said security issues and vulnerabilities will always exist and breaches such as this will continue to happen as technology continues to be a part of our world.

“I like to say there is no 100 percent guarantee security in any computer based system,” Tozal said. “As technology takes part in our lives in different domains, we are introducing new areas of attack.”