If you’ve seen the news, you’re probably aware that Equifax announced last week that hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143,000,000 consumers. If you believe you may be affected by the breach, or are wondering what to do about it, read below for: (A) a brief background of the breach and mitigating efforts, as well as: (B) 5 basic steps to take that may improve your chances of protecting yourself from identity theft as a result of the breach.
A. Background: Equifax Breach
The scope of data includes names, social security numbers, birth dates, addresses, and driver’s licenses. The incident may have also compromised credit card numbers for 209,000 U.S. consumers, and other “dispute documents” that contained identifying information for 182,000 consumers. On July 29, the company discovered the intrusion, which began in mid-May and continued through July. More information can be found in a video statement by CEO, Rick Smith. To support consumers, Equifax has beefed up its call centers and is directing consumers to a specific Equifax’s website, where they can type in their last name and the last 6 digits of their social security number to see if they are impacted; they also have the option to enroll in its “TrustedID Premier” service. Normally costing $19.95 a month, Equifax is offering this “comprehensive package of ID theft protection and credit monitoring at no cost.”
Criticisms. Some debate currently exists about whether consumers should sign up for this product on the Equifax website, and various criticisms are being blasted on social media and elsewhere over the way in which Equifax is handling the breach:
- Some have specifically criticized the nature of Equifax’s help, asserting that (a) consumers may be giving up some rights to sue the company if they signed up for its credit monitoring services, and (b) while companies do offer an opt out provision, consumers must do so in writing within 30 days of accepting the services, which the CFPB has pushed back against.
- One Ars Technica article even criticizes the security of the Equifax website itself, which encourages you to type in your last name and the last 6 digits of your social security number to see if you’ve been impacted. According ot the article, “it runs on a stock installation WordPress … that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
- Some criticize free credit card monitoring as simply a Band-Aid, like treating the symptom instead of the underlying disease.
- Other criticisms range from the Equifax’s delay (five weeks) before announcing to sale of shared by top executives shortly after the July 29 discovery of the breach.
Response. Contrary to some of these assertions and several social media posts, Equifax has clarified on its website that consumers signing up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of Trusted ID Premier. Equifax also subsequently clarified in its FAQs that enrolling in the free credit file monitoring and ID theft protection associated with this cybersecurity incident does not waive any rights to take legal action.
B. Now What Do I Do?
Perhaps you are concerned that your information may have been compromised. Perhaps you even went on the Equifax website and were told that your information “may have been impacted”. As you weigh the pros and cons of enrolling in Equifax’s TrustedID Premier product, or entering your information to see whether you may have been impacted, here are some additional steps you can take to protect yourself:
- Check your credit reports. Through this website, you can check your credit reports once a year – for free – from each of the 3 major credit reporting agencies, Equifax, Experian, and TransUnion. Accounts or activity that you do not recognize could indicate identity theft.
- Consider placing a credit freeze on your files. While it may not prevent an identity thief from making charges to existing accounts, placing a credit freeze on your file could make it harder for someone to open a new account in your name. A freeze will remain in place until you request it to be removed or temporarily lifted, which can take up to 3 business days. Note that if you plan on opening a new account, applying for a job, renting an apartment or buying insurance in the near future, you will need to either remove the freeze or lift it temporarily for a specific time or specific party (e.g., potential landlord, employer, etc.). Check with your credit reporting company for the costs and lead times associated with temporarily lifting a freeze. If you coordinate with the party, you can find out which company they are contacting, and simply lift the freeze for that company instead of all three.
- Alternatively, if someone has misused your information, place a fraud alert. While a credit freeze locks down your credit, a fraud alert allows creditors to access your report as long as they take steps to verify your identify. For instance, if you provide a phone number, the business must call you to verify you are the person making the credit requests. This may prevent someone from opening new credit accounts in your name, but won’t prevent the misuse of your existing accounts (i.e., bank, credit card, insurance statements), which you should still monitor for any indications of fraudulent transactions. You must only ask one of the three credit reporting companies to put a fraud alert on your report – they will contact the other two. Fraud alerts are free, but require you to provide proof of your identity. They can vary from: (a) initial fraud alert (90 days, but can be renewed), (b) extended fraud alert (7 years) and (c) active duty military alert (protecting the military while deployed for one year).
- Monitor your existing credit card and bank accounts closely. As stated above, credit freezes and fraud alerts help prevent the opening of new accounts using your information, but they may not prevent misuse of your existing accounts. For the next couple of months, put a note in your calendar to sit down and go through each bank and credit statements to monitor for any charges you do not recognize.
- File your taxes early. Tax identity theft can occur when someone uses your Social Security number to get a tax refund or a job. You may recall in 2015, when hackers obtained sensitive information and then used the data to authenticate themselves to the IRS Get Transcript application and receive tax record belong to approx. 724,000 tax filers. More recently, the IRS announced the compromise of an online tool used to fill out FAFSA student loan applications. By filing your taxes as soon as you have the tax information you need, you can help to prevent a scammer from doing so. Respond to any letters from the IRS right away.
Contact Information for the Three Credit Reporting Companies:
- TransUnion — 1-800-680-7289
- Experian — 1-888-397-3742
- Equifax — 1-888-766-0008