Equifax Breach 101
Just when you were getting all excited because your credit score went up, THIS happened: 143 million Americans were impacted by a significant data breach at Equifax, which is one of the nation's three major credit reporting agencies, says Seena Gressin, an attorney with the Division of Consumer & Business Education with the United States Federal Trade Commission (the FTC). The data that was leaked included:
- Social Security Numbers (SSNs)
- Birth dates
- Driver's license numbers
- Credit card numbers
- Credit card dispute documents
It's not the biggest data breach in recent cyber-history (that distinction goes to Yahoo), but it might feel to you like the most terrifying because:
- Equifax has your financial information, including your entire credit history, a record of every late payment you've ever made, every credit card account you've ever held, every car lease, every mortgage, every loan for which you've applied, the details of every dispute you've ever had with a lender, and any claims, liens, or judgments against you.
- As a storehouse of Americans' financial and credit history, Equifax also holds a lot of very personal information that identifies you as you, including your full name, any aliases, your Social Security Number, your birthday, and potentially your driver's license number.
- You didn't even GIVE your information to Equifax, and yet they have it! Equifax receives your information from credit card companies, banks, and other lenders (Equifax compiles the information to come up with a credit rating for you).
- The information Equifax has about you can be used not only in deciding whether to give you a loan. Your credit report is one of the most essential pieces of a background check. If the info is wrong and to your detriment, it could mean that you don't get the job or the apartment you want.
- Equifax is one of three major credit bureaus that compile and warehouse this information. The other two, Experian and TransUnion, have not been hacked. "Yet," some say, and they don't mean to sound paranoid, just realistic.
- Although this event brings up legitimate concerns about privacy, identity theft, and identity theft protection, you cannot opt out of this information-compiling system unless you never want to lease a car, rent an apartment, and possibly get another job.
But try to remain calm. You've got this, especially now that you've got this handy outline of what you can do going forward to respond to this particular event, as well as a primer on how to prevent identity theft and protect your data and your money from wannabe thieves.
Was your data impacted?
Equifax created a dedicated website where consumers are theoretically able to learn whether they were impacted. That said, you'll need to log in, which involves providing the last six digits of your Social Security Number (SSN).
"No big deal," you might say, if you routinely give out the last four digits of your SSN. But there are a number of caveats to be aware of:
- Your Social Security Number is a nine-digit number, the first four digits of which are tied to where you lived when you (or your parents) applied for your number; the next two digits are a "group number" within the geographical location; and the last four digits are your serial number. Here's more information about how much your SSN reveals about you.
- Since where you were born isn't all that hard for a cybercriminal to suss out, it's really only the last four digits of your SSN that stand between you and all the problems you're trying to avoid by reading this article.
- Equifax is not asking for the last four digits; they're asking for the last six.
- Equifax was already hacked once. No, wait, they've actually been hacked more than once. We're not saying that should make you wary of trusting Equifax with your information, especially since there's nothing you can do about them having most of the information they have on you. We're just saying that maybe you should consider their history of protecting your personal, identifying information before voluntarily handing over still more personal, identifying information.
- Every single person we spoke to who has handed those digits over to Equifax in the hopes of determining whether their data was compromised has received the same message, which we paraphrase here: "Maybe."
A bankruptcy attorney in New York that we spoke to said he'd be shocked if Equifax would ever volunteer to an individual that his info had been hacked. "An individual who knows for certain his data's been hacked can theoretically blame Equifax for almost anything that happens to him going forward, from getting a lousy rate on his mortgage to getting turned down for his dream job." Leaving it as "maybe" leaves Equifax open to less liability. Here are the times you should never give your social security number out.
Therefore, perhaps you'd be better off simply assuming you were impacted and then taking the following steps.
Consider Equifax's offer of a bundle of post-hack protective services
Equifax has offered a free package of post-hack protective services to all US consumers, regardless of whether they were definitely impacted. The package is offered under the name TrustedID Premier and includes:
- Credit monitoring through the three major credit bureaus, one of which is Equifax itself, and the other two of which are Experian and TransUnion (collectively, the "Big 3"). Credit monitoring is the process of periodically reviewing your credit reports for accuracy and changes that could indicate fraudulent activity. This is not a service unique to Equifax or TrustedID Premier, as discussed below in "Consider credit monitoring."
- The ability to lock and unlock Equifax credit reports. Locking and unlocking credit reports so that lenders have no access to them (which also means that cybercriminals can't open up accounts using your credit information) is traditionally known as getting a "credit freeze." It is not unique to Equifax, as is discussed below under "Consider a credit freeze."
- Identity theft (ID theft) protection services, which consist of the above, as well as internet scanning for the use of your SSN. This is not unique to Equifax's TrustedID Premier service, as discussed below.
- ID theft insurance, which would help victims of ID theft resolve the resulting issues. This is not unique to Equifax's TrustedID Premier service, as discussed below.
This story of ID theft actually happened, and it's chilling.
Understand the limits of TrustedID Premier
Everything TrustedID Premier can do for you can be done by you, yourself, or by another third party service. You need to understand that because when you contract for the TrustedID Premier service, you are agreeing to their terms of service, which include a binding arbitration clause and a class action waiver with regard to the services going forward (not with regard to the Equifax breach that already happened, as discussed immediately below). What these two provisions mean is that if you have a problem going forward, you can't sue TrustedID Premier individually or as a member of a class action lawsuit.
You can sue Equifax
There has been quite a bit of noise on the Internet and around dinner tables regarding whether or not you have the right to sue Equifax in connection with the breach. The terms of Equifax's website include binding arbitration and class action waiver clauses. As a result, many were under the impression that their legal remedies would be confined to arbitration. However, Equifax has now made a public announcement that it won't enforce its arbitration and class action waiver clauses in connection with the existing breach. This means that you CAN potentially sue Equifax for damages specific to yourself as a result of the breach, or you can join a class action (many have been proposed already). Joining a class action precludes you from suing Equifax individually. If you're interested in either, we advise you to consult an experienced attorney. And, well—sorry, not sorry—we can't say "attorney" without offering up these hilarious jokes about attorneys.
Consider credit monitoring
Credit monitoring is the process of periodically reviewing your credit reports for accuracy and changes that could indicate fraudulent activity. Theoretically, all credit monitoring services monitor your credit card and identity activity around the clock, checking thousands of databases for misuse of your personal information and notifying you if there are any key changes to your credit report, a new application for credit, new inquiries from lenders, new account information, changes of address, and any other use of your identity (here are the secrets an identity thief doesn't want you to know). By being notified of fraudulent activity, you have the opportunity to put a stop to it, including closing down fraudulent accounts and correcting any credit report mistakes.
Equifax is offering credit monitoring free of charge for one year as long as you sign up by November 21, 2017. There will be a charge for the service after the first year. Only you will be able to decide if you're comfortable enrolling in a service pursuant to which you'll be giving Equifax access to the very information that was leaked during the existing breach. Instead of enrolling with Equifax, you can monitor your credit yourself, or you can contract with a third party to do it for you. Both are discussed below.
Self-monitoring is the process whereby you monitor your credit reports on your own, without the help of an automated credit monitoring service. Under the Fair Credit Reporting Act (FCRA), you are entitled to one free copy of your credit report every 12 months from each of the Big 3. To claim them all, you can visit this website, which is the one mandated by the federal government, or you can call toll free: 1-877-322-8228.
To stagger your credit monitoring activities, you can make a request every four months from each of the Big 3 individually. The contact information is as follows:
- Equifax: PO Box 740241, Atlanta, GA 30374
- Experian: PO Box 9554, Allen, TX 75013
- TransUnion: PO Box 2000, Chester, PA 19016
Some state laws provide for additional free credit reports from each credit-reporting agency. If you live in a state where you're entitled to additional free credit reports, the self-monitoring process is more effective.
Of course, for self-monitoring to be the most effective, you need to remember to order your reports. These apps could help you stay organized, which will help you to stay on top of your credit-report requests.
Third party monitoring
If you don't think you can stay on top of your own credit monitoring, and you're not comfortable leaving it in the hands of Equifax (via TrustedID Premier), you can pay for a third party service. One option is to enroll with Experian or TransUnion for their paid credit-monitoring services. But if you're willing to pay for a third party service, those which are independent of the Big 3 tend to track more sources and generally offer more comprehensive monitoring. Several consumers we spoke with have expressed an interest in signing up with LifeLock because it offers a variety of packages that include services such as privacy monitoring tools, lost wallet protection, monitoring of existing credit card and bank accounts, reimbursement for stolen funds, legal assistance in the event of ID theft, and scanning of court dockets for your name.
If this is stressing you out, take a breath and try these stress management tips.
Consider a credit freeze
The FTC recommends you consider initiating a credit freeze with all three of the Big 3 if you're concerned you're a victim of ID theft. A credit freeze prevents lenders and anyone else from accessing your credit information and prevents anyone else from opening new accounts using your name and identifying information. It doesn't affect your credit score. And it doesn't prevent you from self-monitoring, as described above, although if you've initiated a credit freeze, there is going to be little to monitor. Here's what you need to know to get started with credit-freezing:
- Each of the Big 3 must be contacted separately. You can use the following toll-free telephone numbers:
- Freezing your credit carries a fee. Fees vary based on where you live, but commonly range from $0 to $10 (freezing is free in seven states). Various state laws also mandate free credit freezing for certain consumers, including those who are already ID theft victims. As noted above, Equifax is offering to freeze your credit free of charge (the offer will be open through November 21, 2017), so if you already paid for a security freeze with Equifax since the breach, you're entitled to a refund. Equifax's offer of free credit freezing does not extend to a freeze with TransUnion and Experian.
- Unfreezing: Credit freezes last until you lift them, except in a few states, where they expire automatically after seven years. If you need your freeze lifted, a credit reporting company must do so within three business days after receiving your request, although it might happen more quickly. Anything you do that requires a credit check will require that you un-freeze your files. These include:
  - Applying for a credit card
  - Applying for a job
  - Renting an apartment
  - Buying insurance
- You have to give up more information. Freezing will require that you supply to the reporting bureau your name, address, date of birth, SSN, and other personal information. That obviously may cause you some discomfort at this juncture.
- What freezing can't do. Some people will still have access to your information notwithstanding a freeze. These include your existing creditors (and their debt collection agencies) and government agencies in response to a court order, search warrant, and the like. And freezing cannot prevent a thief from making charges to your existing accounts. You will still need to monitor your accounts for suspicious transactions.
OK, enough about credit freeze for the moment; let's talk about brain freeze, shall we?
Instead of a credit freeze, consider a fraud alert
A credit freeze is "worth considering," according to credit analyst, Matt Schulz, although it's quite the "nuclear option." If you don't want to go quite that far in the wake of the Equifax breach, you can consider placing a fraud alert on your credit files. A fraud alert is a notice on your credit file that lets lenders know that they should take the step to contact you and verify your identity before approving you for new credit. A fraud alert is available at no charge to place on your report. You can opt for a 90-day alert (which is renewable), or for a seven-year alert. To place a fraud alert on your credit reports, contact one of the Big 3 (contact info as above); the company you call must tell the other credit reporting companies, who will, in turn, place an alert on their versions of your report.
This woman must wish there were a fraud alert for online dating services.
Consider both a credit freeze and a fraud alert
For maximum protection, Consumer Reports recommends using both a credit freeze and a fraud alert. If it sounds a bit like double-dipping, don't worry because there are no germs involved.
Monitor the activity on your existing accounts
Even with credit monitoring, credit freezing, and fraud alerts, you'll still need to monitor your bank account and your credit cards for suspicious transactions.
And remember, no matter what you do, there are things your credit card company is going to know about you.
What to do if you believe you've been the victim of ID theft
If you believe you're the victim of identity theft, the FTC recommends that you contact local law enforcement, your state attorney general, and the FTC with the following contact information:
- Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue NW, Washington, DC 20580; 1-877-IDTHEFT (438-4338)
- State Attorneys General: Here's how to contact your state attorney general.
Don't let your guard down
Let's assume that a year or so goes by, and your credit monitoring reveals nothing suspicious. You've received no fraud alerts, and there's been no suspicious activity on any of your accounts. Eventually, you won't be thinking so much about the Equifax breach. But that is precisely when you should be thinking about it. Cybercriminals are likely aware that everyone's radar is up in the immediate wake of the breach and may be playing the "long game" of waiting a year or so before making use of hacked data. So remain vigilant. Let the Equifax breach be a wake-up call for you to stay on top of your credit reports and the activity on your financial accounts, moving forward.
When banking online, look for this letter
Banking online is generally considered safe by the cybersecurity experts we consulted. One such expert, Ross Blankenship, says that most banks use "256-bit encryption along with SSL and HTTPs for their website and mobile experience." But you should always be sure that the website you're using has the telltale "HTTPS" before the URL. Be just as careful with your online-bill-paying as you'd be with paying bills by check, advises Bob Adams, a cyber-strategist with Mimecast. To that end, John Biglin, CEO of Interphase Systems specifically advises:
- Use online banking only when you are on a trusted computer on a private network that you trust.
- When logging in, type the bank's web address into your browser rather than using a button or link from an email message.
- Make certain that any computer you use is kept up-to-date with current operating system and browser patches. Updates and patches frequently address security issues, so when you get those notifications that it's time for an update, don't close them and forget about them.
But while you're banking online, you're also losing out on the experience of talking to your bank teller, who just might have some pretty crazy stories.
Make online payments only on secure sites
These days, there are many ways to pay for goods and services online. Not all are secure. "Online payment sites are not something to experiment with," Biglin says. "I think you should start by assuming they are not secure unless you know there is a site you can trust for online payments." One that virtually all of our experts trust is PayPal. Blankenship advises that, as with online banking, you only use the HTTPS version of the site.
Another online payment system, Venmo, has gotten quite a bit of attention these days. One of its riskier aspects, says Dennis Bonilla, an executive with the University of Phoenix College of Information Systems and Technology, "is that it doesn't have a notification system when your password or email has been changed—a common practice for most other financial transaction companies. Therefore, it's imperative that you have a notification system set up with your bank that will notify you of large transactions so you can be immediately aware if your account has been compromised." In addition, identity theft expert Robert Siciliano points out that Venmo reveals all of your transactions via social media. "One needs to consider if they want that information to be made public."
Use precautions with Apple Pay and Android Pay
You can pay for pretty much anything without a wallet these days. But these systems remain largely untested from a consumer adoption standpoint, notes Blankenship. Most of our experts agree that Apple Pay and Android Pay are "mostly safe." If "mostly" safe doesn't give you the warm fuzzies you were hoping for, that's understandable, although Biglin says that he considers it safe to use them, provided you always observe the following precautions:
- Use a strong passcode on the device you're using it on
- Keep your device locked when not in use
- Keep your device updated. As with your desktop and laptop, updates frequently address security issues.
- Avoid using free wi-fi networks unless absolutely necessary.
When shopping online, stick to reputable sites
Only buy things online from reputable, SSL-backed, secure websites; in other words, look for the HTTPS in your browser bar, advises Blankenship, who also notes that when you try to buy what you can't buy legally here in this country, you're putting your information at risk, in addition to all the other risks you may be taking. "Most online pharmacies are linked to black market scammers," he explains.
And don't EVER use a debit card when shopping online
Using debit cards for online shopping is just a double serving of daring fate. You're not only vulnerable because you're shopping/paying online, but you're vulnerable because when a debit card is hacked, there's virtually no recourse. "If a credit card is hacked you owe zero dollars on the fraud, but if your debit card gets hacked, the money is drained from your account," points out computer engineer and IT consultant, Richard Roszko. "You only have a very limited time to report any loss. You probably won't even realize the money's gone until you get your statement. By then, it's too late and the money is gone forever."
Some of these online scams involved—not surprisingly—a debit card.
While you're at it, just cut up your debit cards
Roszko thinks that when it comes to secure financial transactions, debit cards are a flat-out bad idea. Swipe a debit card, and you're running the risk of the number being copied. Input your PIN, and you're running the risk that you're being captured on camera. "Just destroy your debit cards," Roszko advises. "Exchange them for plain ATM cards (without a debit feature), or just use credit cards."
They can swipe info with a swipe of your card
What Roszko said about a swiped debit card being copied is also true for ATM cards and credit cards. Any time you insert your card anywhere, you run the risk of your information being exploited. It's rare, points out Blankenship, but it can happen. That's why you always need to monitor your account statements.
Cell phone scams
For the last several years there have been an increasing number and variety of cold-call scams going around, says Lysa Myers, a security researcher at cybersecurity company, ESET. Based on everything our cybersecurity experts told us, we have one rule that will help you avoid virtually all cell phone scams: hang up if anyone ever asks you for money or personal information, including your SSN, your PIN, and even your name. But just to be sure, here are some things you should be aware of:
- The IRS will never call you about money you owe or a refund they owe you.
- Microsoft will never call you about an issue on your computer.
- No one will ever call you about your warranty running out.
- Your refrigerator is running, but you don't have to catch it (just kidding about this one, but who doesn't love telling jokes from childhood?)
Also, try not to lose your cell phone. Seriously. If a hacker gets physical access to your cell phone, it becomes way more challenging for you to protect it, points out Myers. To keep your cell phone secure even in the event of your losing it, keep a strong password in place, suggests Biglin. And keep the device's operating system updated because many updates address security issues. As for what's on your phone, the only apps you should have are well-reviewed apps from reputable app stores, advises Myers. Log out when you're not using your apps, and don't let your apps save your passwords (annoying, right? We'll get to password management in a bit).
Got a problem with robocalls? We've got a solution for you right here.
Alexa and Siri may not be able to keep a secret
Like Apple Pay and Android Pay, Alexa and Siri are still new enough that their integrity has not really been tested. Blankenship isn't convinced Alexa could survive a cyber-attack and points out that "we're starting to see reports of Alexa being attacked remotely." He thinks Siri is more difficult to attack because it's protected by the hardware layer (the device) that requires your passcode. Biglin thinks of devices using Alexa and Siri as "generally" secure, but only to the extent that anything connected to the web is generally secure.
"I would advise all users of these devices that use voice recognition to add a PIN for purchases, and avoid any public or high traffic placement of the devices that could be used to falsify purchases; even by minors," advises Morey Haber, vice president of technology at BeyondTrust.
Do you need a tax PIN?
The IRS IP PIN is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of their SSN on fraudulent federal income tax returns. "Get one if you require additional services from the IRS like the Get Transcript service used for college loan applications," suggests Blankenship. But if you have no need to electronically link your tax returns, there is no reason to get a PIN, according to Haber.
"If you do get one, store your PIN offline," advises Blankenship. In fact, put the PIN in a safe or a secret place that only you know.
Notice how we didn't say "PIN number?" That's because it's redundant. Here are some other redundant phrases you might want to consider banishing from your vocabulary.
No one wants to hear this, but it has to be said because every expert we spoke to agreed: You should have a unique password for every online account you have—and right now you've probably got a bunch sharing the same one. Even worse, Roszko says that your passwords should be as long as the system can bear, but in no case fewer than 12 characters.
Are we really supposed to remember all that? Is that even possible?
"Use a password management service," Haber says. "Apple has a built-in capability called the iCloud Keychain that can manage your passwords. And there are multiple third-party password managers that can store and create unique passwords for all the applications we use on a daily basis. Use them."
Other password management services that our experts recommended include 1Password, LastPass, and Dashlane.
And when you come up with your password recovery questions, don't use these.
Please also bear in mind that if you have an account with any of these online companies, your privacy may already be in danger.