December 2, 2015

Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information were jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on their credit files with the major credit bureaus. This post is an attempt to explain what’s going on here.

OPM offices in Washington, DC. Image: Flickr.


Earlier this week I got the following message from a reader:

“I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

The reader continued:

“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

@sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

@shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

@danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

@flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

@ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, ID Experts — the company that OPM has paid $133 million to offer credit monitoring for the 21.5 million Americans affected by its breach — offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

If you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth signing up for these credit monitoring and repair services. Otherwise, I’d strongly advise my US readers to consider freezing their credit files at the major credit bureaus. 

Depending on the state in which you reside, there may be a small fee to place and/or thaw a freeze on your credit file, and freezing them at all four major bureaus (Equifax, Experian, Innovis and Trans Union) could cost as much as $60. But this is a small price to pay for peace of mind.

In a report released last month, the consumer group US-PIRG urged all consumers to place a security freeze on their credit files. US-PIRG suggests that if you already have freezes on your reports, you will need to lift your freezes before signing up for the credit monitoring and then reinstate the freezes. If you don’t have freezes on your credit reports yet, sign up for the free credit monitoring first, then place your freezes.

In a perfect world, breached organizations would offer to pay the costs involved in freezing your credit files, but sadly the standard playbook in corporate breach response is to pay for credit monitoring.

PROTECTING DEPENDENTS FROM ID THEFT

One area where credit monitoring makes more sense is with dependents and children under the age of 18. That’s because it’s impossible to freeze a credit file that doesn’t exist, and most minors aren’t going to have one (hopefully).

According to Experian, if your children already have credit reports in their names, one of three things has happened: You have applied for credit in their names and the applications were approved; you have added them as authorized users or joint account holders on one or more of your accounts; someone has fraudulently used their information to apply for credit and they are already identity theft victims.

One way to find out is to visit annualcreditreport.com to apply for a copy of their credit report. The most important precaution parents can take is to keep a close eye on dependent credit files when kids reach their mid-teens. That way, if a credit file materializes for your child because of identity theft, there is still time to sort it out before the kid actually needs a line of credit or loan. However, if your child becomes the victim of ID theft at a very young age, it probably makes more sense to freeze the kid’s credit file.

Most credit monitoring services will allow you to enroll your children as well, but that coverage generally expires after they reach 18. KrebsOnSecurity reader Michael found this out when he tried to sign up his five kids after receiving a notice from the OMB.

“For some reason, coverage for adult children was not provided when I signed up and is discontinued once they reach 18, so at the outset, only 2 of my 5 kids were included even though their data was also compromised,” Michael wrote.

If you’re considering freezing your credit file, have a look at this primer which walks through the various steps needed to place a freeze. It also includes pointers to additional steps that consumers can take to avoid becoming victims of identity theft.

Were you or your family impacted by the OPM breach? How have you responded? Sound off in the comments below.


90 thoughts on “OPM Breach: Credit Monitoring vs. Freeze”

  1. John C.

    Freezing your credit is a great idea and I applaud Brian for always pushing it on readers but I feel like fraud alerts should be mentioned as well. Fraud alerts are free, easy to sign up for online, and once you sign up at one bureau they must pass it on to the other big two. One downside is that they must be renewed every 90 days. The benefit of fraud alerts is that you can still open new lines of credit but they must be verified at a phone number you provide.

    I know firsthand it works as I got a verification call about a week ago.

    1. Matt

      I’ve been meaning to set up freezes, but making a phone call is annoying. Free and online sounds pretty nice. Any other downsides to this other than having to do it every 90 days?

      1. dpeters11

        The 90 days is for the fraud alert. A freeze is ongoing unless you temporarily thaw it. I believe you are supposed to send a certified letter to each to set it up, but you can thaw online or by phone for a certain number of days and it will freeze on expiration.

        I think the fee is state dependent, it’s $5 to freeze or thaw in Ohio unless a victim of identity theft.

        Michigan doesn’t have a freeze law and several states only require it to be offered to identity theft victims but the agencies are voluntarily offering it to residents of those states that aren’t covered by a law.

      2. Pinky

        I too set up a 90 day alert, and I renew every 90 days. However, such an alert is not a hard and fast rule. Indeed, I was issued a credit card despite having an alert on my accounts. Granted, it was a card for a gas company. Checking with a friend in the banking business revealed that such alerts are not binding, and card issuers can ignore them.

        1. Peter

          Yes, they can ignore them. The real value in an alert is not so much the alert, but the fact a phone number and address must be given to set it.

          The main reason why fraud happens is that a lender has no confirmed way of checking your address. So if a fraudster applies for credit they cannot determine your current address. If they are not too lazy, they can expect a Florida address to be invalid if you recently applied for credit yourself in e.g. Texas. But they cannot know for sure you did not move, have a second home, etc.

          With an active alert they have an address on file. If it is the same, they can be sure it is you. And also they have a confirmed phone number. That is the true value of an alert, not the flag itself which indeed is just that a suggestion to pay attention.

          Note though that officially you are not supposed to set an alert unless you have suspicion of fraud. In practice now pretty much whole America is breached, that may not matter, but you are on paper misusing the alert if it is for preventing usage.

          Last note, you can forgo the 90 days manual renewal if you sign up with Equifax. They allow for auto-renewal of alerts. They are the only company still doing this after Experian sued all others. Experian obviously won’t go after Equifax, so hence they can still offer it.

      3. Lucas

        I set up credit freezes with all 4 credit bureaus online two weeks ago, no phone or mail communication required. Cost me less than 15 dollars for all 4.

      4. J

        I was able to freeze online with all 4 bureaus, several months ago, and was not asked to pay anything. I reside in NY.

        1. dpeters11

          I’m in Ohio, so I should have been charged $5 for all four, but was only charged by two (not that I’m complaining).

          Only one is sending me a physical letter, everything else online though I wish Equifax let me choose a PIN.

  2. Brian O

    Just received my notification earlier this week and I’m planning on following through with the credit monitoring service in the near future.

  3. VAITGuy

    I received the notification Monday that my information, including SSN, DOB, previous employment, addresses among other information was exposed as the result of a background check or spousal enquiry. I was already signed up by OPM for the 3Y monitoring and added detail to the service to include specific account information and my children. Following the 3Y term I will freeze my credit, but it’s nice to have that protection around my kids’ SSNs.

  4. Sara P.

    I received my letter two days ago. I think that I will most likely be doing a freeze now as well. I turned on 2FA on all of my accounts because it seemed like the correct thing to do, sounds like the freeze is the next right thing to do.

  5. Drew

    I got my OPM notification last week and my wife got hers this week. I got a separate notification months ago; I’m still not clear if this second notification is for an additional hack or if they are just admitting the original hack was worse than originally thought.

    I signed up for credit monitoring again (I think it’s with a different monitoring firm this time). We plan to sign my wife up for monitoring as well. Based on your article I’ll look into requesting credit freezes. I also need to see how to register my kids for monitoring. The notification said credit monitoring for minor dependent children would be covered, but I didn’t notice any mention of it when I registered with ID Experts.

    1. VAITGuy

      Drew, you would just add their SSNs into the monitor as dependents. You can add up to ten individual SSNs.

  6. MC

    I don’t understand why WE are forced to pay to freeze/unfreeze information we can’t stop THEM from collecting (and monetizing).
    This seems like a breach of our constitutional right to privacy.

    The credit bureaus should be REQUIRED to offer this most basic choice to consumers as a precondition if they are to have the right to collect our information.

    1. B_Brodie

      I think that every time the three credit bureaus sell our information to a 3rd party, WE should get a percentage of that. Since it’s 100% OUR information, a 50% cut seems reasonable.

      That would certainly cover any costs of freezing and unfreezing our credit records…

    2. Braben

      I couldn’t agree more. In some states it is already free. I guess the other state legislatures are firmly in the pockets of financial industry lobbyists.

      I think it would be acceptable to charge a small one-time fee for the freeze, but they shouldn’t be allowed to charge for the temporary thaws whenever you want to apply for credit.

    3. john

      “This seems like a breach of our constitutional right to privacy.” um, what constitution would that be?

      1. MC

        See wikipedia for more info https://en.wikipedia.org/wiki/Privacy_laws_of_the_United_States

        I may be using too broad a brush on this one, but see this from the link (and based on the 4th amendment):
        The privacy laws of the United States deal with several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into his or her private affairs, discloses his or her private information, publicizes him or her in a false light, !!!or appropriates his or her name for personal gain!!!

  7. Bart

    Once again the name of the 4th agency is mentioned: Innovis.

    Do we really have to contact them as well?

    1. Sarah

      You SHOULD contact Innovis by all means, and I would add ChexSystems and ClarityServices to also freeze. If you have a credit union account, the credit union will inquiry ChexSystems, and payday loan companies will make a ton of inquiries against ChexSystems, which can and will influence the credit union on loan decisions. Clarity is another site that payday loaners like to utilize, and these inquiries will also bounce up to the big 4.

      1. Bart

        Thanks. It was simple online, with no charge mentioned. They promised to send me snail mail confirmation.

  8. Rob

    I got mine, and my wife got hers, because her information was contained in my packets. I’ll be setting a freeze on our accounts, even though I initially took the monitoring from OPM. I’d rather not have to depend on someone to help me recover from damages caused by the breach. I’d rather they just never happen.

  9. Shaun

    One thing you may want to mention is that you can’t use the annualcreditreport.com site to check credit for children under 13 – it fails and tells you to contact the credit bureaus directly.

  10. rpz

    Why is OPM offering a service which, as you rightly state:

    “credit monitoring services aren’t really built to prevent ID theft”.

    Because OPM got its playbook from the credit reporting industry and this industry is better off getting paid for monitoring services that add revenue than it is with credit freezes that disrupt its business model.

  11. Ndy

    Brian – Your November 18th article ‘Everyone Should Get a Security Freeze’ referenced a report by the US Public Internet Research Group. On page 8 of the report it states, “If you already have freezes on your reports, you will need to lift your freezes before signing up for the credit monitoring and reinstate the freezes. If you don’t have freezes on your credit reports yet, sign up for the free credit monitoring first, then place your freezes.”

    I’m gathering from your most recent article that one should NOT lift their credit freeze. Did USPIRG get this one wrong?

    1. BrianKrebs Post author

      I’d forgotten about that, Ndy. Thanks for the reminder. Will update the story with that suggestion.

      1. kkvon

        So what you’re saying is that this whole article is pointless? You make it out as an either/or situation when you can bet really have both. And with the monitoring under the freeze you’ll be alerted to any collections that may be added to your file. Got to say Brian, to “forget” what you yourself wrote just a short while back seems disingenuous.

  12. John

    Talking about identity theft, I’ve been using a chrome plugin called Web of Trust – https://www.mywot.com to warn me about sketchy websites, especially those that infect your computer, but I just learned that their input is based on user feedback. Can anyone recommend a service similar to WOT that is not based solely on users?

    My problem with WOT is, the bad guy can use compromised machines to submit thousands of good reviews and thus making the tool less effective.

    Thanks for your input.

  13. Sam

    To me, it makes sense to add a child as an authorized user on a credit card (cut up the card when you get it) and then go through the process of freezing the newly made credit report. All of that would be free, if you can prove that the child’s information was already compromised. Kids don’t need companies selling their credit report to each other and the age of the report would actually have a positive effect on their credit score when they did eventually need to think about it (providing the parent’s credit card associated was in good standing).

    I ended up benefiting from a credit history reported as being older than I was when I went to buy a house because my father had once put me on a card he’d had since before I was born. I had a credit score over 800, which was better than his.

  14. Branden

    What is interesting is that my wife received her OPM letter and I did not (yet). I was the one with the clearance. I have three letters like this sitting in a pile on my desk (OPM, CareFirst, Anthem). I have taken no action on any of them.

    I wasn’t sure this gave me anything helpful. Unless they are willing to help me clean up my credit after it was stolen. I monitor my credit by watching my credit score monthly via my bank (free), creditkarma (free), annualcreditreport.com (free). This isn’t as in-depth of monitoring as what these organizations are offering, but I feel I should know if something is up.

    I never thought about a freeze. Seems like a better response to these breaches. I will need to look into this. Is it easy to un-freeze? I imagine the only time you need to un-freeze is when you are applying for credit (i.e. credit card, auto, mortgage) which shouldn’t happen that often. What about employers looking at your credit history… will a freeze impact this?

    1. Branden

      Looks like they are offering Identity restoration services (https://www.opm.gov/cybersecurity/#Services) as well as insurance. But only for the coverage period.

      Do you think some cyber-criminal organization or person is sitting on a database of identities with a column identifying when the monitoring coverage period is over? 🙂

    2. Sarah

      You will need to ask which bureau they will access for the credit check, and then ask that bureau to lift the freeze for a specific amount of time, or obtain a temporary PIN specifically for the company making the inquiry.

      As for helping you clean up the mess, be prepared that the companies will often not talk to any one except the person whose name and information was fraudulently used. So, you can end up with a 3 way conversation and lots of hours on the phone. Easier to do it all in writing as it all is documented.

    3. billie

      You may have to temporarily unfreeze your credit if you want to rent an apartment or, in my case, open a bank account. I never thought I would have to work so hard to get a bank to take my money.

  15. Sarah

    My husband received his letter yesterday. Love this statement,”While we are not aware of any misuse of your information…”. Just tell me, how WOULD they be aware of any misuse? They weren’t even aware of their own breach. As it is, everything is frozen, and I wouldn’t bother with enrolling in their identity theft offering because of that. Agree with Brian, they are only good after the fact, the bogus account has already been created and the burn on your name has begun by that time.

  16. Sean

    What is the purpose of any of these measures? Why would China try to get credit in the names of OPM victims? That doesn’t seem like the most likely threat model here.

    1. James F Schumaker

      Most experts believe that identity theft was not the primary motive. If the Chinese were the culprits, as most believe, then it is likely they would want the data for intelligence/counterintelligence purposes. Identity theft would still be one possible use, however, so better safe than sorry.

    2. Peter

      Right, look on the bright side. Maybe your personal details weren’t stolen by crooks, maybe it was just a Chinese or Russian intelligence agency.

      That actually feels better.

      Unfortunately, there was an incident a year or two back in which a low-level Chinese spook decided to freelance with the information he had access to.

  17. Cheryl Mosby

    Why are they not providing this service to my adult children, which I have 3 of, when their information was also compromised? That is not fair that they may suffer because of OPM’s negligence.

  18. melissa

    I didn’t see any information in my letter about how to get new fingerprints. Seems they should cover the cost of that procedure since they allowed my data to be compromised. Can’t change those like a password.

  19. Sam J.

    What does freezing your credit mean? Does it stop you from being able to make new loans or something? What’s the downside of it?

    1. Libove

      With your credit files frozen, nobody (except creditors with whom you already have a relationship) can check your credit file, so nobody (with reasonable risk management practices) would be willing/able to open a new line of credit against your financial identity.
      In short, no new loans, no new credit cards, no new utility service (except for those utilities which allow you to put a deposit on the account for the first couple of years), etc.
      All of the credit bureaus allow you to temporarily or selectively lift a freeze to allow you to open new credit when you need to. Generally, it has worked easily for me (but see my comments elsewhere in this thread about Equifax).
      Once enough people freeze their credit files by default, we should reach a tipping point and new legislation will hopefully be forthcoming to re-balance the mess that is our credit reporting system, because it will finally be in the credit bureaus’ interest to treat us as customers instead of as raw material. But I’m not holding my breath.

  20. Jay Libove

    I froze my credit files eight years ago. Ever since, with Equifax in particular, I’ve had problems every time I needed to do anything with them – I couldn’t get my (annual free) credit report, I couldn’t sign up for credit monitoring services … and I sometimes couldn’t lift the freeze when I needed to allow someone to check my credit.
    This came to a head recently as I needed to switch electric service on in my name at a rental property I own. The utility company happens to use (only) Equifax.
    After being told by the Equifax website and phone line for lifting the freeze that they “couldn’t process” the request “with the information I supplied” (even though, as I do check my credit files, I know that the information is all correct), I called a phone number which I happen to have for Equifax (they don’t publicize it, and when the web and phone lines fail they only give a paper mail address to contact). Amazingly, that number was still good, and the people I spoke with at Equifax were able to assist.
    What I learned – the first time that Equifax (whose name I usually misspell deliberately…) bothered to mention to me, which explains a lot, is: With Equifax, once you’ve frozen your credit file, any time you want to do anything with your credit file *you have to give them the address that was on the file at the time you froze it*, despite the fact that they do know where you live now.
    The only way to update the address on the frozen file is to (permanently) lift the freeze, then re-freeze. (Which they did for me without charging me … except for the hours and hours of my time that they’d wasted over the years).
    I do not have this trouble with Experian or TransUnion – with them, I log in to an account instead of (re-)entering my (old, out-of-date) personal data as Equif*cks expects, and I’ve not yet had to lift the Innovis freeze. (So far, for as little as I’ve done with them, Innovis was the easiest to work with).
    Equifax sucks, even worse than the others.
    Credit freezes ARE good, just know going in that the credit bureaus deliberately make it difficult to use freezes (along with gouging, according to what each state allows them to, to set up or lift a freeze).
    Aside, it’s garbage that some credit monitoring services cannot be set up once a credit file is already frozen – the law doesn’t require a freeze to block setting up credit monitoring service – that’s just the credit bureaus once again finding ways to make a freeze less desirable to the consumers that the freeze laws are intended to protect.

    1. Sarah

      Jay, thanks for the insight on working with Equifax. Always helpful to hear the details regarding someone’s personal experience, and what to expect, and not expect.

  21. Eric

    In my state, Virginia, Equifax charges $10 for a freeze if I’m not a victim of identity theft, but my information was in the OPM breach. So being someone with an elevated risk apparently doesn’t qualify me for the free freeze. I’m going to try submitting my OPM letter (redacted) anyway.

  22. Larry

    If you haven’t been notified for either breach don’t assume that you are in the clear!
    I haven’t worked for the federal government in a few years and did not receive a notification. For the first breach I was given the heads-up by a former coworker who sent me a contact number to call to check. On checking I found that my personal data was included in the breach.
    The same coworker received a notification 2 weeks ago for the second breach. We submitted our clearances the same time, so again it appears that I will not be notified. This time they have not provided a contact number to check if you’re affected.

  23. Kelly

    Just as an FYI – if you have a credit freeze with Experian, you can only go to their site to get your credit report – you can’t use the other agencies or the free annual sites… and they charge you $1.00 for it… there might be somewhere to get it free on their site, but they sure don’t make it obvious.

    Also, for those asking about unfreezing.. yes, you can do it on-line and there is a fee, but it’s pretty simple. You can give them dates for the thaw and then it’ll automatically re-freeze after the thaw period. I recently moved and changed jobs, so needed to unfreeze all 3 for about a month and it seemed to work just fine.

  24. Gary H.

    I am impacted by the OPM breach. I took Brian’s advice and put credit freezes in place. I don’t plan to lift them for the credit monitoring service being offered.

  25. SLC

    Finally set up freezes at the four main bureaus after getting a notice from T-Mobile about Experian. Did it all online, took about 15 minutes. Experian, by the way, is waiving any applicable fees for those who were affected by the T-Mobile breach. Innovis followed up the online registration with a snail mail confirmation + PIN.

    Also set up my SS account in order to lock that down. SSA provides 2-factor authentication and a temporary PIN to initiate this in the snail mail confirmation letter.

    Since my state is one of the ones allowing these privateers to charge for freezes when there’s no demonstrable ID theft, I’m going to be working with my legislature to change applicable state law to allow for no-charge freezes + unfreezes, at least for anyone who receives a notification letter about a breach.

    1. timeless

      > Since my state is one of the ones allowing these
      > privateers to charge for freezes when there’s no
      > demonstrable ID theft, I’m going to be working with
      > my legislature to change applicable state law to allow
      > for no-charge freezes + unfreezes, at least for anyone
      > who receives a notification letter about a breach.

      On behalf of everyone who lives in your state, or chooses to move to it, I’d like to thank you.

  26. Tomi Olivia

    I was hit by the BCBS breach and signed up in 2015/02, and put a freeze on all (per suggestions here).
    The OPM breach was a non-event (still not sure *why* one would want to lift a freeze, sign up for monitoring, and re-init the freeze… I must be missing something…).

  27. Ariana Ciancio

    I just received a notice in the mail last week saying my personal information has been jeopardized in the data breach, including my fingerprints. I will be signing up for the credit monitoring to have an extra set of eyes watching for ID theft.

  28. Showlett

    I’ve had a credit freeze in place for several years with all credit reporting agencies, yet I was able to sign up for the OPM monitoring without a single problem after I got my notification. They also send me periodic reports of activity (which generally shows nothing). So if each service is mutually exclusive, then which service isn’t working correctly, the credit freeze or the OPM monitoring?

  29. A

    If there are so many businesses making money off of trying to protect/monitor identities, I fear we will never see the expensive middleman cut out, because they have a lot of lobbying power and influence. These companies will also want security breaches to keep happening so they can continue to make money.

  30. GBR

    I’ve exercised the security freeze option on all 4 credit agencies. Is there a way to double check that the freeze has really taken place? I can login on transunion and see status, but nothing is apparent for the rest!

    1. timeless

      Find a credit card company with which you don’t have an existing relationship and ask them about the process for applying for a credit card.

      Basically, any such credit card company (really, a bank) should be checking w/ an agency, and you could thus use them to verify, your application should fail if you don’t thaw — and since you’re just trying to verify freeze status, that’s all you have to do.

      Unfortunately, to really verify this, you’d need 3 credit card vendors each of whom would need to use a different one of the frozen services, plus something to test Innovis — I don’t know if any banks use it for cards, I think it’s more commonly used for other forms of credit.
