Equifax Security Breach – What to do now to protect your identity and credit.
You have probably heard by now about the massive security breach at Equifax, one of the leading credit reporting agencies in the U.S. Equifax possesses personal information of virtually every American who has ever obtained a loan or credit card.
On September 8, Equifax revealed that the names, Social Security numbers, addresses, and birth dates of about 143 million Americans, as well as some British and Canadian residents, were accessed by hackers who currently remain at large. Some people’s driver’s license and credit card numbers were also compromised.
Many people are confused about what to do to protect their identity and credit following this breach. Below we explain in detail the steps available to you.
Check whether Equifax says you were affected.
Equifax offers a service to check whether you may have been affected by the security breach. However, reports of inconsistent or confusing results are widespread, and it’s not clear whether anyone is being told they are not impacted. However, this is still a logical and easy first step.
Go to Equifax’s website dedicated to the security breach, www.equifaxsecurity2017.com. There you will enter your (or your family member’s) last name and the last six digits of your Social Security number, and the site will return a message indicating whether your data was compromised.
If you do in fact receive an “all-clear,” double-check the result by re-entering your information. If you receive the same result again, you may elect to take no further action. Please read on before deciding, though, because many of these steps are free, easy, and advisable even if this security breach had never happened.
Regardless of the results, the website will then invite you to enroll in Equifax’s credit protection service. We cover that option next.
Sign up for Equifax’s credit monitoring service for free.
Each of the “big three” credit reporting agencies (Equifax, Experian, and TransUnion) offers, for a fee, a credit monitoring service intended to constantly monitor your credit report for fraudulent activity. These services generally also offer identity theft insurance and unlimited access to your FICO credit score.
TransUnion offers a free basic level of monitoring through a program called TrueIdentity. In the wake of the security breach, Equifax is offering their affiliated credit monitoring service, called TrustedID Premier, free of charge for one year to all Americans regardless of whether they were impacted by the breach. No credit card is required to sign up, and you will not be automatically enrolled or charged when your free year runs out. This offer is in effect until November 21, 2017.
Be aware that because so many people are currently signing up for this service, the email confirming your signup may be delayed.
Initially, many were concerned that the terms of service of TrustedID required that the user waive any right to participate in lawsuits against Equifax over the breach. Equifax subsequently clarified that this is not the case.
These services usually offer the ability to “lock” and “unlock” your credit file at will, which, like a security freeze (explained later), greatly restricts access to your file. This may sound like a great feature, but each agency can only lock or freeze its own copy of your file. So while locking your credit file is a bit like freezing it, you would have to enroll in three separate credit monitoring services in order to take full advantage of this feature, which would be expensive and cumbersome.
Understand that credit monitoring services do very little to prevent accounts from being fraudulently opened in your name. Rather, they provide a way to be alerted to fraudulent activity very quickly. We believe such services are generally not worth the money they cost, but taking advantage of TransUnion’s free program and Equifax’s service while it is free has no downside.
Review your credit reports.
By federal law, each of the big three reporting agencies are required to provide you with your credit report free of charge once per year. The website for this service is www.annualcreditreport.com. Other sites with similar names may sound more familiar because of frequent advertisements, but pay them no attention — the only site where you can acquire your federally mandated free credit report is www.annualcreditreport.com.
All three agencies should have identical records on your credit, and this is usually the case. However, this is not guaranteed. For this reason, it is a good idea to periodically verify the contents of your report with each of the agencies.
The strategy for the most diligent self-monitoring of your credit is to obtain a report from one of the three agencies every four months on a rotating basis. This maximizes the frequency with which you can monitor your reports for free. However, it is quite a bit of work.
If you are planning a large purchase, such as a new car or home, or if you believe you may already be a victim of fraud or identity theft, you should obtain all three credit reports now. Otherwise, you could start with just one. However, if you spot any errors on one, you should check all three for the same errors. Initiate a dispute with any agency showing inaccurate information.
The reports can be quite lengthy, but most of it is a detailed history of each account. You want to look carefully for evidence of fraud such as recently opened accounts for which you did not apply. Also look for evidence of closed accounts having been reopened.
Set up a fraud alert.
When you create a fraud alert on your credit report, this makes it harder for an identity thief to open a new account in your name. This is because lenders are supposed to take extra steps to verify your identity before opening a new account when the alert is in place. This usually means contacting you by phone.
Traditionally, a fraud alert was useful mainly to people who believed they had already been the victim of identity theft. In the wake of the Equifax breach, however, many people are creating fraud alerts as a preventative measure. An “initial fraud alert” usually may be initiated online; simply search for “create fraud alert” and follow the instructions provided by any of the big three. An “extended fraud alert,” on the other hand, lasts seven years and requires a law enforcement report of actual identity theft.
There is no fee for an initial fraud alert. The alert expires automatically after 90 days, but may be renewed indefinitely. If a fraud alert is your security method of choice, it is important that you set a reminder to renew it; remember, this breach means your credit is vulnerable indefinitely.
If you wish to create a fraud alert, you need do so with only one of the big three credit agencies; they are required by law to notify the others.
Also be aware that while lenders are supposed to exercise extra diligence in verifying your identity before issuing new credit when a fraud alert is in place, there are few laws around the exact requirements. One would hope that the Equifax breach and increased scrutiny by regulators would prompt an extreme level of caution on the part of lenders, but this is not guaranteed.
Place security freezes.
A security freeze, or credit freeze, is the gold standard of credit security. It prohibits virtually all access to your credit history by anyone, legitimate or illegitimate. Compare this with a fraud alert, which merely directs lenders to be diligent in verifying your identity before opening an account, and you can see a vast difference.
A security freeze does not damage your credit or prevent it from changing by your own actions. It also does not prevent you from freely using your existing credit accounts. However, it does come with two drawbacks: cost and inconvenience.
Drawback: Cost. Placing, temporarily lifting, or removing a security freeze often incurs a fee, which varies by state. Some states prohibit these fees across the board, but Pennsylvania is not one of them. However, Pennsylvania law prohibits such fees for seniors age 65 and over, as well as victims of actual identity theft. Other Pennsylvania residents will generally have to pay a fee of $10 (plus tax) per instance of placing, suspending, or removing a freeze, per agency. These fees can rack up quickly, which is why this may not be a good option for people who expect to have to grant access to their reports.
Equifax is waiving all freeze-related fees until January 31, 2018.
Drawback: Inconvenience. A security freeze prevents fraudsters from accessing your credit information. However, it also prevents legitimate lenders from viewing your credit, even under your instruction, such as when you apply for a loan or credit card. Therefore, you must manually unfreeze your file when applying for new credit, then refreeze them when done. If the lender can specify the agency from which they pull your report, you can suspend the freeze with that agency only. You can also grant one-time access to that particular creditor.
The drawbacks of security freezes are primarily associated with repeatedly suspending and removing them. Those who do not need to do these things only face the initial cost of placing the freeze (and not everyone will pay such fees). In spite of the drawbacks, some experts have taken to generally recommending that people keep security freezes in place, even before the Equifax breach.
If you wish to pursue this option, you should freeze your credit at all three agencies, not just Equifax. This prevents thieves from using your identity to apply for credit with lenders that only pull your report from Experian and/or TransUnion. Here are links and numbers for placing a security freeze at each of the big three:
Equifax credit freeze or 800-685-1111
Experian credit freeze or 888-397-3742
TransUnion credit freeze or 888-909-8872
You may also wish to institute a security freeze at a lesser-known credit reporting agency called Innovis. Relatively few lenders use Innovis, which means most people should rarely have to suspend a freeze at this agency.
Removing or temporarily lifting a freeze requires a PIN code which is assigned when you create the freeze. Resetting this PIN is not easy, so save and guard it very carefully.
The agencies often try to steer people away from freezing their credit. Credit reporting and scoring exists to make obtaining credit a very simple matter — so simple that one can impulsively apply for store credit during checkout. Freezes make obtaining credit less convenient, and largely preclude impulse applications. If credit freezes become very widespread, reporting agencies will likely see their businesses decline.
Therefore, they may try to confuse you by implying that “locking” your credit through their credit monitoring service is a better option, or simply by making the freezing process less clear and obvious than it otherwise might be. Do not be dissuaded; if a security freeze is the right strategy for you, make it happen.
What about credit card numbers?
As mentioned at the outset, most people’s credit card numbers were not illegally accessed, but those of about 209,000 U.S. consumers were. It appears these numbers likely were used previously to sign up for Equifax’s TrustedID credit monitoring service (before it became free to everyone), though this has not been explicitly confirmed. If this applies to you, be sure to carefully monitor charges made to the credit card you used to sign up for this service.
It is not for us to say whether you should take the step of closing this account, but that option is of course available to you if you want to be extra cautious. As the situation unfolds, banks may close these accounts to protect their own interests.