Sue Equifax

Frequently Asked Questions





The information below was taken from https://www.equifaxsecurity2017.com/frequently-asked-questions/

What happened?

We identified a cybersecurity incident potentially impacting approximately 145.5 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. We discovered the unauthorized access and acted immediately to stop the intrusion. We promptly engaged a leading, independent cybersecurity firm that conducted a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. We also reported the criminal access to law enforcement and continue to work with authorities.

On March 1, 2018, as a result of ongoing analysis of data stolen in last year’s cybersecurity incident, Equifax Inc. announced that the company confirmed the identities of consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.

Through these additional efforts, Equifax was able to identify 2.4 million U.S. consumers whose partial driver’s license information was stolen, but who were not in the previously identified affected population. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.

The methodology used in the company’s forensic examination of last year’s cybersecurity incident, with respect to impacted U.S. consumers, leveraged Social Security numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack, in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information.



When did the company learn of the incident it announced on September 7, 2017?

We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review.

Who and how many people are affected?

On September 7, 2017, we disclosed that the incident potentially impacts approximately 143 million U.S. consumers. On October 2, 2017, we announced that the cybersecurity firm Mandiant had completed the forensic portion of its investigation of the incident. The review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. If you were part of this impacted group of consumers, we have established a dedicated website, www.equifaxsecurity2017.com, to help these U.S. consumers determine if their information was impacted.

As part of the investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. More information for UK and Canadian residents can be found at the following websites:

UK – www.equifax.co.uk/incident
Canada – www.consumer.equifax.ca/canada/equifaxsecurity2017/en_ca/

Update: On March 1, 2018, we disclosed that the incident also impacted partial driver’s license information for approximately 2.4 million U.S. consumers. Equifax will notify these impacted consumers by U.S. Postal mail.

Why are some consumers being notified by mail versus others?

U.S. consumers may have already visited the website to determine whether they have been impacted following both the September 7, 2017, and October 2, 2017, announcements. To minimize confusion, Equifax mailed written notices to all of the additional potentially impacted U.S. consumers identified by the October 2, 2017 update. Equifax will mail notifications to consumers whose partial driver’s license information was impacted as noted in the March 1, 2018, announcement.

What information may have been impacted?

Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s licenses. In addition, the following information was also accessed:



Credit card numbers for approximately 209,000 consumers; and
Certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed.
On March 1, 2018, we disclosed that the incident also impacted partial driver’s license information for approximately 2.4 million U.S. consumers. Equifax will notify these impacted consumers by U.S. Postal mail.

As part of our investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. We have found no evidence that personal information of consumers in any other country has been impacted.

Is this a new cybersecurity incident?

There has NOT been an additional incident. This update is based on additional findings from the cybersecurity incident announced September 7, 2017.

Why was this information not disclosed in the initial announcements?

In regards to those with partial driver’s license information stolen, the methodology used in the company’s forensic examination leveraged Social Security numbers (SSNs) and names as the key data elements to identify which U.S. consumers were affected by the cyberattack, in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. These consumers were not previously identified because their SSNs were not stolen together with their partial driver’s license information.

On October 2, 2017, Equifax (and its independent cybersecurity investigator Mandiant) announced the investigation was complete. Was that accurate?

Yes. The forensic investigation – which determined what was stolen and how – was completed. We continue to engage in discussions with various stakeholders – including consumers, customers, Congress and regulators – and perform additional analysis on the stolen data where appropriate.

Are Equifax’s core consumer or commercial credit reporting databases impacted?

We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Is the issue contained?

Yes, this issue has been contained.

What was the vulnerability?

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

What are you doing to prevent this from happening again?

We engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

We continue to work tirelessly to support consumers and make the necessary changes to minimize the risk that something like this happens again. We have taken numerous steps to review and enhance our cybersecurity practices, and we continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.

What steps should I immediately take?

We recommend that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions. We also recommend that they monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps they can take to better protect against identity theft as well as information about fraud alerts and security freezes.

Why am I learning about this incident through the media? Why didn’t Equifax notify me directly?

Equifax issued a national press release in order to notify U.S. consumers of this incident and has established a website, www.equifaxsecurity2017.com, where U.S. consumers can receive further information.

I recently heard about the new credit report lock service from Equifax. What does this service do?

Equifax® Lock & Alert™ allows you to use your smartphone or computer to quickly lock and unlock your Equifax credit file – for free, for life.

Will I automatically be enrolled in the free credit report lock service after one year if I’m currently enrolled in TrustedID Premier?

While you can enroll in Lock & Alert both before and after your year of TrustedID Premier expires, you won’t be automatically enrolled in Lock & Alert.

What is the difference between a credit report lock and a security freeze?

A lock and a freeze have the same impact on your Equifax credit report, but they aren’t the same thing. Both generally prevent access to your Equifax credit report to open new credit accounts. Unless you temporarily lift or permanently remove a freeze, or unlock your Equifax credit report, it can’t be accessed to open new accounts (subject to certain exceptions). See more about exceptions below.

Security freezes (also known as credit freezes) allow you to place, lift, or remove a freeze using a randomized PIN for identity verification. Placing, lifting, or removing a security freeze can be done online, by phone, or by mail. Security freezes are subject to regulation by each state. Freezing and unfreezing your Equifax credit file is free until further notice.
Credit report locks allow you to lock and unlock your Equifax credit file using identity verification techniques such as user names and passwords. The mobile app also can utilize thumbprint and facial recognition verification. With Lock & Alert, you can quickly lock or unlock your Equifax credit report online or via the mobile app. There are no fees to lock or unlock your Equifax credit report if you are enrolled in Lock & Alert.
Please note: If you have a security freeze on your Equifax credit report, you will need to remove it to use Lock & Alert to lock your Equifax credit report. If you have the PIN you received when the freeze was originally placed, you’ll be able to unfreeze your Equifax credit report and replace it with a lock during the Lock & Alert enrollment process.

Exceptions: Locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:

Companies like Equifax Global Consumer Solutions that provide you with access to your credit report or credit score or monitor your credit file
Companies you have an existing account or relationship with
Federal, state and local government agencies
Collection agencies acting on behalf of companies you owe
For fraud detection purposes
Companies that wish to make pre-approved offers of credit or insurance to you
Companies reviewing your application for employment

If my Equifax credit report is locked, who can access it?

Locking your Equifax credit report will not prevent access to your credit file at any other credit reporting agency. Locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:

Companies like Equifax Global Consumer Solutions that provide you with access to your credit report or credit score or monitor your credit file
Companies you have an existing account or relationship with
Federal, state and local government agencies
Collection agencies acting on behalf of companies you owe
For fraud detection purposes
Companies that wish to make pre-approved offers of credit or insurance to you
Companies reviewing your application for employment

Equifax maintains consumers’ credit reports and provides information to certain customers, including credit card companies and lenders, so that they may offer pre-approved offers to consumers as permitted by law. Consumers that prefer not to receive such offers should visit www.optoutprescreen.com, or call toll free at 888-5-OPT OUT (or 888-567-8688). Consumers may also send an opt-out request in writing to Equifax Information Services LLC, P.O. Box 740123, Atlanta, GA 30374-0123. Consumers should include their complete name, full address, Social Security number, and signature. Equifax will remove the consumer’s name from its pre-approved offer database and share the request with the other two nationwide consumer reporting agencies.