Equifax Breach 101
Just when you were getting all excited because your credit score went up, THIS happened: 143 million Americans were impacted by a significant data breach at Equifax, which is one of the nation's three major credit reporting agencies, says Seena Gressin, an attorney with the Division of Consumer & Business Education with the United States Federal Trade Commission (the FTC). The data that was leaked included:
- Social Security Numbers (SSNs)
- Birth dates
- Driver's license numbers
- Credit card numbers
- Credit card dispute documents
It's not the biggest data breach in recent cyber-history (that distinction goes to Yahoo), but it might feel to you like the most terrifying because:
- Equifax has your financial information, including your entire credit history, a record of every late payment you've ever made, every credit card account you've ever held, every car lease, every mortgage, every loan for which you've applied, the details of every dispute you've ever had with a lender, and any claims, liens, or judgments against you.
- As a storehouse of Americans' financial and credit history, Equifax also holds a lot of very personal information that identifies you as you, including your full name, any aliases, your Social Security Number, your birthday, and potentially your driver's license number.
- You didn't even GIVE your information to Equifax, and yet they have it! Equifax receives your information from credit card companies, banks, and other lenders (Equifax compiles the information to come up with a credit rating for you).
- The information Equifax has about you can be used not only in deciding whether to give you a loan. Your credit report is one of the most essential pieces of a background check. If the info is wrong and to your detriment, it could mean that you don't get the job or the apartment you want.
- Equifax is one of three major credit bureaus that compile and warehouse this information. The other two, Experian and TransUnion, have not been hacked. "Yet," some say, and they don't mean to sound paranoid, just realistic.
- Although this event brings up legitimate concerns about privacy, identity theft, and identity theft protection, you cannot opt out of this information-compiling system unless you never want to lease a car, rent an apartment, and possibly get another job.
But try to remain calm. You've got this, especially now that you've got this handy outline of what you can do going forward to respond to this particular event, as well as a primer on how to prevent identity theft and protect your data and your money from wannabe thieves.
Was your data impacted?
Equifax created a dedicated website where consumers are theoretically able to learn whether they were impacted. That said, you'll need to log in, which involves providing the last six digits of your Social Security Number (SSN).
"No big deal," you might say, if you routinely give out the last four digits of your SSN. But there are a number of caveats to be aware of:
- Your Social Security Number is a nine-digit number, the first four digits of which are tied to where you lived when you (or your parents) applied for your number; the next two digits are a "group number" within the geographical location; and the last four digits are your serial number. Here's more information about how much your SSN reveals about you.
- Since where you were born isn't all that hard for a cybercriminal to suss out, it's really only the last four digits of your SSN that stand between you and all the problems you're trying to avoid by reading this article.
- Equifax is not asking for the last four digits; they're asking for the last six.
- Equifax was already hacked once. No, wait, they've actually been hacked more than once. We're not saying that should make you wary of trusting Equifax with your information, especially since there's nothing you can do about them having most of the information they have on you. We're just saying that maybe you should consider their history of protecting your personal, identifying information before voluntarily handing over still more personal, identifying information.
- Every single person we spoke to who has handed those digits over to Equifax in the hopes of determining whether their data was compromised has received the same message, which we paraphrase here: "Maybe."
A bankruptcy attorney in New York that we spoke to said he'd be shocked if Equifax would ever volunteer to an individual that his info had been hacked. "An individual who knows for certain his data's been hacked can theoretically blame Equifax for almost anything that happens to him going forward, from getting a lousy rate on his mortgage to getting turned down for his dream job." Leaving it as "maybe" leaves Equifax open to less liability. Here are the times you should never give your social security number out.
Therefore, perhaps you'd be better off simply assuming you were impacted and then taking the following steps.
Consider Equifax's offer of a bundle of post-hack protective services
Equifax has offered a free package of post-hack protective services to all US consumers, regardless of whether they were definitely impacted. The package is offered under the name TrustedID Premier and includes:
- Credit monitoring through the three major credit bureaus: Equifax itself, Experian, and TransUnion (collectively, the "Big 3"). Credit monitoring is the process of periodically reviewing your credit reports for accuracy and changes that could indicate fraudulent activity. This is not a service unique to Equifax or TrustedID Premier, as discussed below in "Consider credit monitoring."
- The ability to lock and unlock Equifax credit reports. Locking and unlocking credit reports so that lenders have no access to them (which also means that cybercriminals can't open up accounts using your credit information) is traditionally known as getting a "credit freeze." It is not unique to Equifax, as is discussed below under "Consider a credit freeze."
- Identity theft (ID theft) protection services, which consist of the above, as well as internet scanning for the use of your SSN. This is not unique to Equifax's TrustedID Premier service, as discussed below.
- ID theft insurance, which would help victims of ID theft resolve the resulting issues. This is not unique to Equifax's TrustedID Premier service, as discussed below.
This story of ID theft actually happened, and it's chilling.
Understand the limits of TrustedID Premier
You can sue Equifax
Consider credit monitoring
Credit monitoring is the process of periodically reviewing your credit reports for accuracy and changes that could indicate fraudulent activity. Theoretically, all credit monitoring services monitor your credit card and identity activity around the clock, checking thousands of databases for misuse of your personal information and notifying you if there are any key changes to your credit report, a new application for credit, new inquiries from lenders, new account information, changes of address, and any other use of your identity (here are the secrets an identity thief doesn't want you to know). By being notified of fraudulent activity, you have the opportunity to put a stop to it, including closing down fraudulent accounts and correcting any credit report mistakes.
Equifax is offering credit monitoring free of charge for one year as long as you sign up by November 21, 2017. There will be a charge for the service after the first year. Only you will be able to decide if you're comfortable enrolling in a service pursuant to which you'll be giving Equifax access to the very information that was leaked during the existing breach. Instead of enrolling with Equifax, you can monitor your credit yourself, or you can contract with a third party to do it for you. Both are discussed below.
Self-monitoring is the process whereby you monitor your credit reports on your own, without the help of an automated credit monitoring service. Under the Fair Credit Reporting Act (FCRA), you are entitled to one free copy of your credit report every 12 months from each of the Big 3. To claim them all, you can visit this website, which is the one mandated by the federal government, or you can call toll free: 1-877-322-8228.
To stagger your credit monitoring activities, you can make a request every four months from each of the Big 3 individually. The contact information is as follows:
PO Box 740241
Atlanta, GA 30374
PO Box 9554
Allen, TX 75013
PO Box 2000
Chester, PA 19016
Some state laws provide for additional free credit reports from each credit-reporting agency. If you live in a state where you're entitled to additional free credit reports, the self-monitoring process is more effective.
Of course, for self-monitoring to be the most effective, you need to remember to order your reports. These apps could help you stay organized, which will help you to stay on top of your credit-report requests.
Third party monitoring
If you don't think you can stay on top of your own credit monitoring, and you're not comfortable leaving it in the hands of Equifax (via TrustedID Premier), you can pay for a third party service. One option is to enroll with Experian or TransUnion for their paid credit-monitoring services. But if you're willing to pay for a third party service, those which are independent of the Big 3 tend to track more sources and generally offer more comprehensive monitoring. Several consumers we spoke with have expressed an interest in signing up with LifeLock because it offers a variety of packages that include services such as privacy monitoring tools, lost wallet protection, monitoring of existing credit card and bank accounts, reimbursement for stolen funds, legal assistance in the event of ID theft, and scanning of court dockets for your name.
If this is stressing you out, take a breath and try these stress management tips.
Consider a credit freeze
- Each of the Big 3 must be contacted separately. You can use the following toll-free telephone numbers:
- Freezing your credit carries a fee. Fees vary based on where you live, but commonly range from $0 to $10 (freezing is free in seven states). Various state laws also mandate free credit freezing for certain consumers, including those who are already ID theft victims. As noted above, Equifax is offering to freeze your credit free of charge (the offer will be open through November 21, 2017), so if you already paid for a security freeze with Equifax since the breach, you're entitled to a refund. Equifax's offer of free credit freezing does not extend to a freeze with TransUnion and Experian.
- Unfreezing: Credit freezes last until you lift them, except in a few states, where they expire automatically after seven years. If you need your freeze lifted, a credit reporting company must do so within three business days after receiving your request, although it might happen more quickly. Anything you do that requires a credit check will require that you un-freeze your files. These include:
  - Applying for a credit card
  - Applying for a job
  - Renting an apartment
  - Buying insurance
- You have to give up more information. Freezing will require that you supply to the reporting bureau your name, address, date of birth, SSN, and other personal information. That obviously may cause you some discomfort at this juncture.
- What freezing can't do. Some people will still have access to your information notwithstanding a freeze. These include your existing creditors (and their debt collection agencies) and government agencies in response to a court order, search warrant, and the like. And freezing cannot prevent a thief from making charges to your existing accounts. You will still need to monitor your accounts for suspicious transactions.
OK, enough about credit freeze for the moment; let's talk about brain freeze, shall we?
Instead of a credit freeze, consider a fraud alert
A credit freeze is "worth considering," according to credit analyst, Matt Schulz, although it's quite the "nuclear option." If you don't want to go quite that far in the wake of the Equifax breach, you can consider placing a fraud alert on your credit files. A fraud alert is a notice on your credit file that lets lenders know that they should take the step to contact you and verify your identity before approving you for new credit. A fraud alert is available at no charge to place on your report. You can opt for a 90-day alert (which is renewable), or for a seven-year alert. To place a fraud alert on your credit reports, contact one of the Big 3 (contact info as above); the company you call must tell the other credit reporting companies, who will, in turn, place an alert on their versions of your report.
This woman must wish there were a fraud alert for online dating services.
Consider both a credit freeze and a fraud alert
Monitor the activity on your existing accounts
And remember, no matter what you do, there are things your credit card company is going to know about you.
What to do if you believe you've been the victim of ID theft
- Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue NW, Washington, DC 20580; 1-877-IDTHEFT (438-4338)
- State Attorneys General: Here's how to contact your state attorney general.
Don't let your guard down
When banking online, look for this letter
- Use online banking only when you are on a trusted computer on a private network that you trust.
- When logging in, type in the bank's web address into your browser rather than using a button or link from an email message.
- Make certain that any computer you use is kept up-to-date with current operating system and browser patches. Updates and patches frequently address security issues, so when you get those notifications that it's time for an update, don't close them and forget about them.
But while you're banking online, you're also losing out on the experience of talking to your bank teller, who just might have some pretty crazy stories.
Make online payments only on secure sites
Another online payment system, Venmo, has gotten quite a bit of attention these days. One of its riskier aspects, says Dennis Bonilla, an executive with the University of Phoenix College of Information Systems and Technology, "is that it doesn't have a notification system when your password or email has been changed—a common practice for most other financial transaction companies. Therefore, it's imperative that you have a notification system set up with your bank that will notify you of large transactions so you can be immediately aware if your account has been compromised." In addition, identity theft expert Robert Siciliano points out that Venmo reveals all of your transactions via social media. "One needs to consider if they want that information to be made public."
Use precautions with Apple Pay and Android Pay
- A strong passcode on the device you're using it on
- Keep your device locked when not in use
- Keep your device updated. As with your desktop and laptop, updates frequently address security issues.
- Avoid using free wi-fi networks unless absolutely necessary.
When shopping online, stick to reputable sites
And don't EVER use a debit card when shopping online
Some of these online scams involved—not surprisingly—a debit card.
While you're at it, just cut up your debit cards
They can swipe info with a swipe of your card
Cell phone scams
- The IRS will never call you about money you owe or a refund they owe you.
- Microsoft will never call you about an issue on your computer.
- No one will ever call you about your warranty running out.
- Your refrigerator is running, but you don't have to catch it (just kidding about this one, but who doesn't love telling jokes from childhood?).
Also, try not to lose your cell phone. Seriously. If a hacker gets physical access to your cell phone, it becomes way more challenging for you to protect it, points out Myers. To keep your cell phone secure even in the event of your losing it, keep a strong password in place, suggests Biglin. And keep the device's operating system updated because many updates address security issues. As for what's on your phone, the only apps you should have are well-reviewed apps from reputable app stores, advises Myers. Log out when you're not using your apps, and don't let your apps save your passwords (annoying, right? We'll get to password management in a bit).
Got a problem with robocalls? We've got a solution for you right here.
Alexa and Siri may not be able to keep a secret
"I would advise all users of these devices that use voice recognition to add a PIN for purchases, and avoid any public or high traffic placement of the devices that could be used to falsify purchases; even by minors," advises Morey Haber, vice president of technology at BeyondTrust.
Do you need a tax PIN?
"If you do get one, store your PIN offline," advises Blankenship. In fact, put the PIN in a safe or a secret place that only you know.
Notice how we didn't say "PIN number?" That's because it's redundant. Here are some other redundant phrases you might want to consider banishing from your vocabulary.
Are we really supposed to remember all that? Is that even possible?
"Use a password management service," Haber says. "Apple has a built-in capability called the iCloud Keychain that can manage your passwords. And there are multiple third-party password managers that can store and create unique passwords for all the applications we use on a daily basis. Use them."
Other password management services that our experts recommended include 1Password, LastPass, and Dashlane.
And when you come up with your password recovery questions, don't use these.
Please also bear in mind that if you have an account with any of these online companies, your privacy may already be in danger.