Equifax, the credit bureau, has been hacked. The breach occurred back in mid-May. It was discovered by Equifax on July 29th. It was publicly announced on September 7th. It’s estimated that 143 million Americans have had their Social Security numbers, birth dates, addresses and perhaps drivers license information stolen. Additionally, credit card numbers for roughly 209,000 U.S. consumers have been exposed and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” Equifax, and really all credit bureaus, maintain so much information on us that the hackers have enough to open credit in your name, take out a loan or perhaps answer security questions to gain access to your accounts. It’s safe to assume that you’ve been impacted in some way.
Equifax set up a site to test whether your information was breached. However, it seems that the site works inconsistently. Besides that, you have to enter your last name and the last six digits of your Social Security number to find out! Yeah, we trust that everything is secure now. Free credit monitoring for a year is being offered by Equifax [called TrustedID Premier, which monitors the big three credit bureaus], but the service is actually owned by Equifax. That’s either a conflict of interest, or something that you might not trust so much given their lack of oversight so far. That free offer ends November 21, 2017. Some are concerned about the wording of the agreement. It seems to suggest that you waive your rights to a class action lawsuit. Equifax says that doesn’t apply in this case, and has taken steps to remove that language (see point #3).
How To Protect Yourself
- See if Equifax says you’ve been affected.
- Credit monitoring, free or paid, does little to prevent identity theft. They can, however, notify you when identity theft occurs, and then help you remove the fraudulent activity and repair your credit score. If you have been affected by the Equifax breach, you can sign up for free here.
- If you’re going to use credit monitoring, sign up before you take the next step of freezing your accounts. Make sure to monitor, and then freeze, both your account and your spouse’s.
- Freeze your credit at four sites (Equifax, Experian, Trans Union, Innovis as well as a banking verification site called ChexSystems.) A freeze will also serve to protect your credit score.
- There may be a $0 – $15 fee, depending on the state in which you live, to freeze your credit. However, it’s much less expensive than trying to recover from identity theft. Most states that charge a fee to freeze your credit will also charge you to temporarily lift the freeze (for instance: when trying to get a new line of credit) using a PIN.
- Depending on your state, you might also be able to place a freeze on your child’s credit.
- Keep your “thawing PINs” in a safe place.
- Every four months, request your credit report for free from one of the three major credit bureaus at annualcreditreport.com. You are allowed one report from each bureau for free each year. If you stagger them out, you have more opportunities to see any irregularities throughout the year. If you have a spouse, you could stagger both throughout the year, effectively getting a free report every two months.
- Closely monitor your credit card and banking transactions. Remember, credit card numbers for 209,000 Americans were stolen. That’s an estimated 8-9% of the country over age 18. Your credit report lists all your active cards, including store cards. There’s a real good possibility they will be used to forge new counterfeit cards or to attempt to make online purchases. Online purchases with credit card information stolen from the 143 million Americans should be made easier since the hackers have your street address as well.
- If you are a victim of identity theft (accounts have been opened or fraudulent charges have been made with your credit/debit card), file a complaint with the FTC at identitytheft.gov. You can use their “Get Started” link to find suggestions specific to the Equifax breach: Get Started > My information was exposed in a data breach. > Equifax > then choose Yes or No depending on whether someone has already used your information to commit fraud.
Other Identity Theft Protection Suggestions
- Opt out of pre-approved credit offers. Identity thieves will sometimes raid your mail (or trash) to take offers for new credit and insurance. If you don’t want those offers to keep showing up in the mail (forcing you to shred them), opt out.
- Try to file your taxes early. The thieves may have your social security number. They have been known to file a tax return in your name (with the money going to them) before you do. When you eventually file, your refund is gone. The IRS recommends: “If your SSN is compromised and you know or suspect you are a victim of tax-related identity theft, the IRS recommends these additional steps:
- Respond immediately to any IRS notice; call the number provided.
- Complete IRS Form 14039, Identity Theft Affidavit, only if your e-filed return rejects because of a duplicate filing under your SSN or you are instructed to do so. Use a fillable form at IRS.gov, print, then attach the form to your return and mail according to instructions.”
- Beware of phishing and spear phishing emails or threatening calls and texts from thieves posing as legitimate organizations such as your bank, credit card companies and even the IRS. Remember, they have enough information about you to make you think they’re legit.
- Never click on a link in an email no matter how legitimate the email seems. Always open a new tab in your browser and contact your financial institution/bank in that way. Don’t copy and paste a link given to you in an email or text.
- If someone calls, find out who they represent, if they have a case number (or similar), and then hang up and call the institution itself by using a legitimate phone number you find online or in a directory.
- Remember: The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.
Equifax Breach Could Have Been Prevented
In closing, it has been reported that the breach was due to Equifax not keeping its Apache Struts software patched. Ugh. The vulnerability was found and patched on the same day, March 6th–a little over two full months before the hack happened in mid-May. Plenty of time to test and deploy the patch. This is exactly why we keep beating the same drum: make sure your systems (PC’s, servers, phones, tablets, software–everything that connects to the internet) are up to date with security patches. It’s interesting to note that the vulnerability was disclosed on March 6th, and only three days later the bug was under mass attack by hackers. Gotta patch quickly it seems.