On Thursday September 7, Equifax, one of the three biggest credit reporting agencies in the United States, reported that it had been the victim of one of the largest data breaches in history. The company reports that hackers gained access to information on nearly 143 million consumers, including data such as birthdays, addresses, driver’s license numbers, and Social Security numbers—in short, everything needed to commit rampant identity fraud both now, and years into the future.
To give a sense of how widespread this breach is, consider the following quote from a recent New York Times article: “This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”
What does this mean for you? It means that there’s a greater than 50% chance that identity thieves have the information they’d need to open bank accounts and credit cards in your name, take out new lines of credit, steal your tax refunds and Social Security checks, and even prevent you from getting prescription drugs.
If that doesn’t make you nervous, I don’t know what will.
Equifax’s subpar response to the breach
In response to the breach, Equifax has created a special website at www.equifaxsecurity2017.com to help people determine whether their data has been compromised. In exchange for your last name and last six digits of your Social Security number (as if you really wanted to give them more information right now…), Equifax will give you an enrollment date for its TrustedID Premier credit-monitoring service. The service will be free for a year for any consumers who enroll by November 21, regardless of whether their security has actually been impacted by the hackers.
What’s missing from this website is any definitive confirmation of those who have been affected by the breach—the site only indicates that you are either not affected, or that you may be affected. Moreover, there have been reports of the website returning random results for fictional names, which does not inspire much trust in the tool’s accuracy.
Most importantly, consumers who rushed to sign up for Equifax’s new credit monitoring service may have opted out of legal recourse for the data breach. In other words, by accepting the year of free service, you would not be allowed to sue Equifax for damages resulting from the breach, join class action lawsuits, or benefit from class action settlements. That said, as of September 10, Equifax has withdrawn the arbitration clause from the fine print.
For these reasons, it’s my recommendation that you not only assume you were affected—but that you take steps to protect yourself without Equifax’s help.
To assess potential past identity theft, check your credit report
While the data breach was first reported by Equifax on Thursday, September 7, up to three months had passed from the time that hackers first accessed the Equifax data. This means that identity thieves had a three-month head start on maliciously using your information—so it’s a good idea to check for suspicious activity, just in case.
The US government guarantees everyone a free credit report from all three major bureaus once per year. These free copies of your credit report can be found at www.annualcreditreport.com. In addition, free services such as CreditSesame and CreditKarma may also help you unofficially track your credit scores, while bank statements and credit card statements may also help reveal fraudulent activity.
As you’re reviewing your credit reports and bank statements, be on the lookout for any new bank accounts, credit cards, or other activities that are unfamiliar to you. A more comprehensive list of identity theft warning signs can be found on the Federal Trade Commission website.
If you spot unauthorized activity, be sure to report it to the relevant bank or credit card company, as well as to law enforcement and the FTC via https://www.identitytheft.gov/.
For protection from future identity theft, freeze your credit
Once you’ve checked for fraudulent activities, you can start taking steps to protect yourself from future identity theft. According to a recent story by CNN, “Experts say the single most effective action potential victims can take now is to freeze their credit.”
With a credit freeze, also known as a security freeze, you add an additional layer of protection to your data by creating a special PIN number with the relevant credit bureau. This PIN number is then required any time you wish to access your credit file or add new credit in your name.
This can be slightly inconvenient down the road, as you’ll need to unfreeze it every time someone needs to run a credit check on you, for example if you’re opening a new account or line of credit. However, freezing your credit is one of the few ways to prevent most forms of identity theft.
If you haven’t already done so, I would therefore highly recommend freezing your credit at each of the three credit bureaus: Equifax, Experian, and Transunion. Fees for each of these vary by state, but typically run between $5 and $10 dollars, with fees waived for proven identity theft victims. You can freeze your credit either via phone or online:
Phone: (866) 349-5191
Phone: (888) 397-3742
Phone: (888) 909-8872
To lift the freeze, you will need to contact the relevant credit bureau either online or over the phone, provide your secure PIN number, let them know the length of time to unfreeze the account, and pay the same small $5-10 fee. Be sure to do this a couple days in advance of when you need to access your credit data, as there is frequently a lag time between the request and the unfreezing.
For additional information on credit freezes, the FTC has an excellent FAQ section: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
Note: As of yet, Equifax does not believe security PINs have been accessed by the hackers, so if you have an outstanding security freeze, you should still be protected for now.
How to set up a fraud alert
Like a credit freeze, a fraud alert can help you protect against potential identity theft. With this tactic, the credit bureau will have to verify your identity before they can open up an account in your name. Fraud alerts, especially when combined with the credit freeze, can be a great way to keep your credit data safe.
To set this up, simply call the relevant credit bureau and request a fraud alert. The initial period will only last 90 days, so be sure to set a calendar alert to remind yourself to renew it.
You can contact the credit bureaus to set up fraud alerts using the phone numbers below:
Signing up for ongoing credit monitoring services
In contrast to a proactive strategy such as a credit freeze or fraud alert, credit monitoring takes a more passive approach to responding to identity fraud. When you sign up for a credit monitoring service, you will receive alerts when your credit file has been accessed. This can help you figure out when people are accessing your credit data without your consent.
The problem with credit monitoring, however, is that you’re paying for a retroactive alert, not a proactive solution. By the time that you receive the message that someone is accessing your credit file, the identity thieves may be one step ahead of you.
As mentioned above, Equifax’s solution to the data breach is essentially to offer one year of free credit monitoring services through its upcoming TrustedID Premier service. However, there are a number of other credit monitoring services out there for you to check out. A good comprehensive list and reviews can be found on WalletHub.com.
Equifax’s data breach is no joke, and in many ways the safest thing to do is assume you were impacted. That said—no need to panic. If you take the time to assess for past warning signs of identity theft and protect yourself for the future, you should be in good shape.
Want to share how you are handling the identity theft? Any tips and tricks I might have missed? Feel free to leave them in the comments below!