On September 7, the credit reporting agency Equifax revealed it had experienced a cybersecurity breach in late July that potentially exposed the sensitive personal data of 143 million Americans to unidentified hackers, and the agency said this week that it had suffered another breach in March.
The data exposed in the breach included millions of consumers’ names, birth dates, addresses, Social Security numbers, and in some cases driver’s license numbers. The hackers also obtained 209,000 credit card numbers and documents with personal information used in disputes for 182,000 people. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times when the July breach was disclosed earlier this month.
With so many people affected, most US organizations likely have victims of the breach among their employees, whose data could be used to steal their identities and commit fraud. Employers that offer 401(k) plans should contact their third-party administrators to ensure that employees are notified of any vulnerabilities in their accounts, Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice, tells Allen Smith at SHRM:
The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn’t provide the notice itself or it will get inundated with questions from employees about Equifax’s breach, he said.