I’m sure by now you’ve seen the headlines: Equifax had a data breach and a bunch of Americans’ personal information was stolen by hackers. It’s easy to ignore incidents like these because they’re becoming more commonplace.
The incident with Equifax is a bigger deal, though. Past incidents like Target and Yahoo have included important pieces of sensitive information, but never the whole picture.
The Equifax breach included names, Social Security numbers, birth dates, addresses, and some credit card numbers. That’s enough information to take out a loan in your name, rack up credit card charges, claim your tax refund, or even withdraw money from your bank account. And it happened to 143 million Americans. That’s 44% of the population.
I’ve gotten a few questions about the Equifax breach this week, so I thought a blog post might help answer a few of them. This post will cover what happened, why it’s important, what you should do now, and why you shouldn’t trust that they’ll “make things right”.
The Equifax Breach: What Happened
Timeline
According to Equifax (and the Federal Trade Commission), hackers stole the names, Social Security numbers, birth dates, addresses, and in some cases driver’s licenses of 143 million people in their database between mid-May and July. Hackers also made off with credit card information from about 209,000 people, along with some other info from people in the UK and Canada.
The company’s official statement is that they first caught wind of “unauthorized access” on July 29th. They didn’t report the breach publicly until September, though. And as far as I can tell, they have yet to give a legitimate reason why it took six weeks to make the announcement.
If that wasn’t bad enough, three of their executives sold $1.8 million in Equifax stock on August 1st and 2nd. Equifax claims the executives didn’t have any knowledge of the breach at the time, but that remains to be seen.
What Equifax is Doing Now
Since the announcement Equifax has walked the standard “corporate scandal tightrope”. There’s been a bunch of messaging to the effect of “we are cooperating fully with authorities” and “we are conducting an exhaustive internal investigation”. The CEO has also made an attempt at an apology.
As a result of the breach, Equifax is offering a free year of credit monitoring services to anyone who wants to sign up. Initially the company required that you forfeit your right to sue them if you sign up for the services. But after a quick & heavy rebuke from politicians, the media, and attorneys, they’ve done an about-face. Now, by agreeing to the terms of service on Equifax’s free monitoring services, you’d be granted an exception for this specific “cybersecurity incident”. You’d still be giving up your right to seek legal action in other areas though, and legal experts aren’t convinced the exemption would hold up if the rubber hits the road.
This is important if you’re thinking about taking up Equifax on their offer, since 23 different class action lawsuits were filed within 48 hours of their initial announcement. By using the free service there’s a chance, despite Equifax’s updated agreement, you’d lose eligibility to participate in one of them.
Why We Should Care About the Breach
In short, this breach included a TON of your personal information. While data breaches are becoming commonplace these days, other headlines (think Target and Yahoo as two recent cases) probably included fewer pieces of personal information. Hackers might have gotten away with your SSN, credit card number, or email address, but wouldn’t have captured your entire “picture”.
The Equifax breach is much more severe. In this breach our personal information is Equifax’s product. They are in the business of collecting and maintaining our credit history, including Social Security numbers, birth dates, addresses, and other things. This isn’t just a piece of our financial info, it’s the whole enchilada.
With the whole picture, criminals can take out credit cards & loans in your name, steal your tax refunds, and sometimes even access your bank accounts. Not only is the number of people affected astronomical, the sensitivity of the information stolen is far greater.
What We Should Do About It
Given the breadth of the breach (44% of the U.S. population!!) we should all take a few precautionary steps. Here’s what I’d consider:
1: Check to See If You Were Affected
The good news from all this? In addition to the monitoring service mentioned above, Equifax created a website devoted to telling consumers whether their data has been compromised. Yay!
The bad news? The website sucks, plain and simple. Boooo!
The site will request your last name and the last six digits of your SSN. Yes, I realize that entering this info to a site maintained by the same company that just had 143 million Social Security numbers stolen gives you pause. Same here. But at the end of the day, if my information was compromised there’s a hacker out there with more than six digits of my SSN.
So I checked anyway. When I did I got the following message: “Based on the information provided, we believe that your personal information may have been impacted by this incident.”
Not exactly reassuring.
So out of curiosity, I tried entering “Test” as a last name and “999999” as a Social Security number. You won’t be surprised to read that I received the exact same message.
As you can imagine, this doesn’t give me much confidence in Equifax’s notification system. The only conclusion I can really draw from this is that we may never know whether our information was compromised in this breach (or any other, for that matter). Your information could circulate throughout the dark web for years before someone tries to take out a loan in your name. For that reason it’s becoming more important to monitor your credit regularly.
2: Freeze Your Credit
This is the equivalent of putting a lock on your front door. When you freeze your credit, you are preventing people from impersonating you. You are restricting access to your credit report, which in turn makes it more difficult for thieves to open new accounts in your name. There are a few parties who can still view your credit report, like debt collectors, existing creditors, or the government. By and large, this is the best way to “lock things down”.
Credit agencies normally charge a fee for credit freezes, but Equifax is temporarily offering the service for free (as they should). As you can imagine they’ve been flooded with calls & requests since announcing the breach. Here are the numbers you can call to put a freeze on your report:
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
- TransUnion: 1-888-909-8872
3: Enter a Fraud Alert
A fraud alert is the next best thing to a credit freeze. Fraud alerts take additional steps to verify your identity when your credit report is requested. For example, if you include a phone number with the alert, a business requesting the report must call you for verification before accepting the request. If you don’t want to freeze your credit (if you’re currently seeking credit for a house or a car, for example) I’d definitely recommend a fraud alert on all your accounts. Remember that this won’t help you detect misuse of your existing accounts, though (see below). You can request them by calling the credit reporting agencies above.
4: Enroll in Credit Monitoring
If putting a freeze on your credit is the same as locking the front door, credit monitoring is like learning how the thieves broke in after the fact. Monitoring services will notify you after someone has broken in and stolen your stuff. So while it won’t prevent anything from happening it can still be a useful service.
Credit Karma is a helpful tool for monitoring. It’s free to use, too, in exchange for being solicited for credit cards and other offers. You can’t sign up if you’ve already put a freeze on your account. If you haven’t, it’s worth considering. And at the very least, monitor your credit report on your own once per year. It’s free at annualcreditreport.com. (Side note: don’t use freecreditreport.com or other similar sites. They’re not actually free. Annualcreditreport.com is sponsored by the government).
5: Change Your Passwords
I don’t mean to beat a dead horse here, but if someone has your personal information it’s not difficult for them to access your bank account. Freezing your credit and entering a fraud alert won’t do anything for your existing accounts. Changing your password frequently is very helpful in throwing thieves off track. I’m guilty here too; I don’t change mine often enough. But this breach is a big enough deal to make me.
6: Monitor Your Accounts
Changing your passwords is a preventative measure. The only way to notice unauthorized withdrawals is to monitor your accounts. It doesn’t need to take hours out of your week. A regular check of the transactions in your accounts should be enough to ensure no one’s taking money out (or racking up credit card charges) without your permission.
Even though Equifax is offering a free credit monitoring service as a result of the breach, I wouldn’t recommend using it. As I mentioned above, there’s some ambiguity surrounding whether you’d be forfeiting your rights to sue Equifax in the future. And with 23 pending class action suits, I don’t want to take the chance of ruining my eligibility to collect claims down the road.
7: File Your Taxes ASAP
One of the favorite scammer schemes out there today is filing a tax return on your behalf. It might sound nice to have a random Good Samaritan file your taxes for you. But when that person is routing your return check to their own bank account, the feeling quickly sours.
It could take years before someone out there attempts to use your SSN in this fashion, too. The best way to prevent it is to file early. The IRS rejects tax return submissions when there’s already been one filed under the same SSN. If someone does sneak in before you and collects your refund, you’ll need to work with the IRS to rectify the situation. Here are the steps TurboTax recommends if this happens to you.