September 7, 2017

Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

In addition, the company said it identified unauthorized access to “limited personal information for certain UK and Canadian residents,” and that it would work with regulators in those countries to determine next steps.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement released to the media, along with a video message. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.

Equifax has set up a Web site — — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.


At time of publication, the site Equifax is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.

As many readers here have shared in the comments already, the site Equifax has available for people to see whether they were impacted by the breach may not actually tell you whether you were affected. When I entered the last six digits of my SSN and my last name, the site threw a “system unavailable” page, asking me to try again later.


When I tried again later, I received a notice stating my enrollment date for TrustedID Premier is Sept. 13, 2017, but it asked me to return again on or after that date to enroll. The message implied but didn’t say I was impacted.


Maybe Equifax simply isn’t ready to handle everyone in America asking for credit protection all at once, but this could be seen as a ploy by the company assuming that many people simply won’t return again after news of the breach slips off of the front page.

Update, 11:40 p.m. ET: At a reader’s suggestion, I used a made-up last name and the last six digits of my Social Security number: The system returned the same response: Come back on Sept. 13. It’s difficult to tell if the site is just broken or if there is something more sinister going on here.

Also, perhaps because the site is so new and/or because there was a problem with one of the site’s SSL certificates, some browsers may be throwing a cert error when the site tries to load. This is the message that OpenDNS users are seeing right now if they try to visit


Original story:

Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.

I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

More information on the difference between credit monitoring and a security freeze (and why consumers should take full advantage of both) can be found in this story.

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time, and then consumers are pitched on purchasing additional protection when their free coverage expires. In the case of this offering, consumers are eligible for the free service for one year.

That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true — if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans.

My take on this: The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

In a statement released this evening, Sen. Mark Warner (D-Va.) called the Equifax breach “profoundly troubling.”

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” said Warner, who heads the bipartisan Senate Cybersecurity Caucus. “It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit– represents a real threat to the economic security of Americans.”

It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).

The company appears to have announced the breach after the close of the stock market on Thursday. Shares of Equifax closed trading on the NSYE at $142.72, up almost one percent over Wednesday’s price.

This is a developing story. Updates will be added as needed.

Further reading:

Are Credit Monitoring Services Really Worth It?

Report: Everyone Should Get a Security Freeze

How I Learned to Stop Worrying and Embrace the Security Freeze

Update: 8:38 p.m. ET: Added description of my experience trying to sign up for Equifax’s credit monitoring offer (it didn’t work and it may be completely broken).

262 thoughts on “Breach at Equifax May Impact 143M Americans

  1. VER1TAS

    TrustedID is wholly owned by Equifax. Just as Brian stated, it is pretty rich that they are using their own service. There’s more to this crookery…

    If you enroll in Equifax’s TrustedID from your data being leaked, you waive your rights to sue Equifax and TrustedID in court or be part of any class action.

    See for yourself:

    1. Tom

      That’s very interesting, along with their executives dumping stock.

      When I walk into Home Depot or TJMax, shop and pay with a credit card, I expect that the card data be protected, but I realize that it may be compromised.

      Since I’ve never asked or authorized Equifax to gather and tabulate personal identity and financial information, their carelessness is reprehensible.

  2. Harold

    Just checked the site with a made up name and last 6, it returns a message saying you may have been impacted. Click to enroll. With an enrollment date of 9/13

  3. BEZ

    usa desperately need new world order!! then no more frauds…

    1. Devison

      Definitely not the way to go. The new world order thing and its ploy to peace is not good. It puts power into the Elite and creates a horrible situation of dictatorship. Its elaborate and horrible. Be educated people.

  4. Greg Rhein

    Brian: I know its not a Cyber spin but have you been tracking the Bloomberg story on a number of the Equifax leadership team dumping stocks prior to the “announcement”. This adds to the premise that their arrogance is beyond comprehension.

    1. Alan Welsh

      Good luck Equifax, on even trying to assert your right to limit these users from any claims or class action! Ever see smoke coming from the judge’s head?? You would see that action cost them, one way or the other, if they tried this in court.

  5. Gary

    Freeze or Monitor? After 8 telephone calls taking to the temps bused in for this circus who know nothing beyond the 1 page fact sheet Equifax has given them….I’m still left with the question: What is most effective in both preventing new fraud and identity theft and keeping a handle on my existing accounts.
    Equifax says you can’t have monitoring if you put a credit/security freeze on your accounts with the three bureaus.
    I monitor my existing accounts myself everyday. I’m more worried about fraudulent accounts being opened that I won’t know about until it’s too late.
    So is a freeze the better option?

    1. Nobby Nobbs

      Freeze. Definitely the freeze. Read Brian’s linked articles for details. The monitoring is a pacifier stuffed in the mouth of a hungry baby.

      1. Jason ID

        I wouldn’t listen to what Brian says, most of the time he doesn’t know what he is talking about. Get it direct from the source 😉 Freeze is a bad idea, initial report works just as well, but doesn’t put your life on hold.

    2. Chris

      As long as you don’t mind the modest hassle of not being able to open new lines of credit without removing your freeze, a security freeze is always a better option than credit monitoring. With the freeze, it is much more difficult for someone to open a new line of credit in your name, making it a more proactive approach. Credit monitoring seems to be reactive, just letting you know after someone has done something to open an account in your name that will take up your time to fix.

    3. Jason ID

      Initial vic report is best. It’s places a flag on your credit file, but doesn’t prevent you from accessing credit or opening bank accounts. However, we won’t be able to get to you as banks/brokerage/credit card companies will not automatically open accounts in your name.

      If you put a freeze, it will effectively put your life on hold as you won’t be able to open any kind of bank accounts or apply for loans, etc. Not advised.

      1. Mark

        Fine with me… I don’t open new lines of credit daily.

        Honestly the whole model should be changed to one where the consumer is contacted for consent whenever anyone tries to pull a credit report. It will cost Equifax and co. money but they’ve clearly brought it on themselves.

      2. Nicole Price

        Actually, that period of time forcing you to unfreeze your credit is a perfect excuse to double check your irrational purchase of a $14,071 home theater system from BestBuy.

        Any purchase requiring a new Credit line should be thought out in advance (needs versus wants), and therefore, a frozen credit check is a great way to say “hmmm, do I really need this sweet Bass Boat here in New York City? I’ll need a truck too…Hello, Chevrolete?”

      3. Moike

        >If you put a freeze, it will effectively put your life on hold as you won’t be able to open any kind of bank accounts or apply for loans, etc. Not advised.

        Except that it’s a simple task to temporarily unfreeze in order to open a new account.

  6. Sholom Brody

    Any way to freeze credit files for free in NY based on this breach? Can I even file a police report based on this info to use ass a basis for a free freeze?

    1. Nobby Nobbs

      OK, say you’re right and you have a chip under your skin. Now the medical company that built the chip reports a data breech with PII losses. What do you do now?

      Chip not a fix for this problem.

  7. Susan

    I use OpenDNS but did not receive the phishing message yesterday, shortly after the story broke on the news. Was told to enroll on Sept. 12.

  8. BEZ

    susan dont worry you will be chipped:) like animal…lol,then u will be protected by ur goverment

  9. John Lindemann

    Here’s an idea… if everyone affected by this breach could afford (and purchase) just one share of Equifax stock… and then use that share to vote executives out, perhaps that will result in substantive change.

    Money and ‘power’ is the *only* thing that motivates business (and congress -for that matter). When their position is on the line…changes/improvements happen.

    1. AL

      +1! Vote out their auditors too for rubber-stamping security controls!
      BTW, it may be prudent to wait for the stock to drop more before buying your 1 voting share…

  10. Skip Stein

    Breach at Equifax May Impact 143M Americans
    So, these idiots didn’t have any encryption on the data? Must have had horrendous fire walls or lack thereof. Idiots like these are in EVERY company and government agency and either ignore, disregard or actively avoid proper SECURITY measures. This idiot admits:

    Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.”

    So they are ADMITTING culpability with failed application level security. How the hell did the hackers get base the Main security and into an application level data base? No encryption keys? Nothing to protect raw data? What are these fools doing.

    The ONLY way to stop this from happening again and again is a MASSIVE class action law suit, put these arrogant asses out of business and put the other two on notice to get their act together.

    This IDIOCY must END.

    1. Winston

      “The ONLY way to stop this from happening again and again is a MASSIVE class action law suit, put these arrogant asses out of business and put the other two on notice to get their act together.”

      Not just that, but LAWS requiring JAIL TIME for anyone closely responsible. But bought government prevents that like it prevents accountability for anyone but we peons…

  11. Chris

    At some point class action lawsuits need be what holds these entities responsible

  12. Josh

    I am a reluctant to sign up for their credit monitoring because I read somewhere you have to agree to binding arbitration and it will prevent you from joining any class action lawsuits.

  13. Rob

    I may be too cynical…. but funny that they reported this, right before a massive hurricane hits the US, with hopes that they can bury the news/congressional investigation with a natural disaster…… I like the report… stock sales were made after the loss of data by top leadership at the company….

  14. Rocco

    I’m lost.

    I’ve never used any of these services. Not one. Not ever. I’m also not going to debate their usefulness. But, if I’ve never used one of these services does that open me as a potential victim? Or is this just for people who were using Equifax during the period of the breach when outsiders may have been using an exploit to lift information?

    They seem to be stating that their databases were not affected by the breach. So, if they’ve for some reason been collecting info. on me, that seems to be secure. I think …

    “Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.”

    No one is being very clear about exactly who is affected here and the “media” are trumping this up like the world is ending.

    1. Rosseloh

      Yeah, heck if I know. I know for a fact that I haven’t used their pay-for services, but I’m sure I was in their database because I’ve had my credit checked (as have the majority of adults in this country).

      At this point all I can do is keep an eye on my accounts and wait until the full story emerges.

    2. Andre Friedmann

      @ Rocco: Both of us are easily among the 143 million Americans who’ve never hired or used Equifax. And that fact so misses the *entire* point of this whole story: my bankers, my credit card merchants, my mortgage lenders, my brokers have all used (and continue to use) Equifax. They continue to fill Equifax with data about me and about my payments and account balances.

    3. David


      “I’ve never used any of these services. Not one. Not ever”

      Do you have a credit card or any other kind of credit (loans, bills in your name, etc) service? If so, then you are using Equifax or one of the other 3 bureaus solely because the people who provide credit services use these bureaus to report you to them for not making payments or using credit services.

      1. Rocco

        But, this would only be the case if you:

        – Missed payments
        – applied for new credit
        – made a purchase requiring a credit check during that window where people were watching.

        If you simply have a credit card and bank account and made NO CHANGES to either (ie: upping your limit or taking out a line of credit), then there would be no need for the credit check, as it was all done when your initial limits were setup.

        I haven’t made a change to my credit card in decades. I don’t pay my bills late. I’ve never provided ANYONE with my Social Security Number. I can’t think of one occaision in the past 10 years where I took my drivers licence out of my wallet.

        Running a credit check without your authority is illegal. So, I can’t see my info. having gone through Equifax systems and being affected by this.

        Or maybe I’m just way to chill … I dunno.

  15. Carmen

    Is anyone else having trouble signing up to freeze their credit? I just tried signing up with Equifax and Experian online and both sites returned with a message that I need to send them my information (name, social security number, previous address, proof of address, copy of identification, etc) by mail and that they will get back to me once my credit is frozen. I can’t imagine sending all of that information through the mail, and seeing as how Equifax says my information is likely compromised, don’t want to wait weeks to have it frozen!

    1. Forch

      I received the same type of message when I tried to do it online at Experian when I was browsing in private mode. When I went out of private mode, it enabled me to go through with it.

    2. AL

      FWIW, I was able to bypass the snail-mail process by calling their “freeze by phone” number when I followed Brian’s advice in 2015… For Experian, 888-397-3742, press 2, have your SSN and a bunch of info about your current and previous residences ready (they’re available as part of your credit report if you don’t remember – just get the report first).
      They ended my call by telling me they’d send confirmation and an un-freeze PIN via snail-mail, which I received a few weeks later.
      HTH! GL!

  16. Chris

    Last night I called the Equifax hotline number to ask questions about their free credit mon
    itoring and to my shock and amazement, the CAR I spoke to at Equifax was unaware of the data breach and didn’t even know Equifax was offering free credit monitoring. When I told him Equifax announced a customer data breach occurred with their servers he told me to contact the FCC and gave me their web link. At first I thought he was joking, then after confirming everything, he was serious. Can you believe this?!?!?!?

  17. Bruce

    I’ve had a credit freeze in place with all three agencies for a decade, and I actively encourage everyone to do so.

    BRIAN: obviously we can’t trust Equifax. Can you find the steps to *reset* ones PIN for an already-in-place Equifax credit freeze? Seems like an extremely prudent step.

    1. Matt

      Bruce, I would love an answer to this question as well. Infact I would like to know how to change it every 90 days.

  18. Ron Nance

    It seems in light of the issues with Equifax, that people trying to do a credit freeze are coming across companies who are currently unable to handle the load of people recently seeking to do the freeze.

    Innovis was frightfully easy (though they need to mask SSN’s when entering them in).

    Experian can’t identify who I am and wants snail mail in 2017 (don’t snail mail) to do the freeze. They did charge me..twice. Can’t get any customer service.

    TransUnion gives a the following:
    “We are experiencing technical difficulties.
    We appreciate your patience while we resolve this issue. Please try again later or you may initiate your security freeze transaction by phone by calling us at (888) 909-8872.”

    Come on people. This can’t be THAT hard to do.

    1. Carmen

      I had the exact same experience Ron. Although, I’d better check my credit card to see if they charged me…ugh!

  19. D Rose

    It is telling me I may have been affected so they can’t watch over their system so why should we trust them to keep us safe? They can say I one second whether you were comprised but can’t keep hackers out, what is up and what are we suppose to do if they have are social,address, credit info,and birth,WHAT DO WE ALL DO?
    FILE A LAW SUIT OR CONTACT PRESIDENT AND HAVE HIM MAKE IY RIGHT FOR ALL OF US, (we sure can’t change social and everything.

  20. Dan

    Looking into placing a credit freeze as recommended here but have a question that I didn’t see addressed here or in the original post on credit freezes:

    Q: Does placing a credit freeze affect your credit score at all and if so how?

    1. AL

      I’ve had the freeze since 2015 and there has been zero negative impact on my score.
      When I went in for a loan last year I had to ask the lender which credit bureau they use, then I temporarily removed my freeze for that bureau so the lender could pull a report.

  21. joe

    If any of the 3 bureaus are breached, the hacked bureau should be forced to pay for monitoring provided by one of their competitors and PROHIBITED from offering their own monitoring product to the victims…otherwise there is a perverse incentive to not protect the data adequately…

    Equifax is potential getting 140 million new customers for their service, when the trial ends!!!

    1. Nobby Nobbs

      DING DING DING! We have a winner!

      I know a certain company that could use you as new CIO, Joe, you interested?

  22. Winston

    Rather than simply holding hacks and in-place malware in reserve for a potential future military attack as does the NSA as leaked in the excellent documentary “Zero Days”, exactly this sort of data compromise which only just happened to be caught in this case could be held in reserve for a devastating credit system attack. Imagine what would happen to the entire credit system if vast numbers of people suddenly experienced rapid (automated) fraudulent activity.

    In addition, the criminal sites offering millions of credit card numbers compromised and available for purchase which are never purchased (supposedly the vast majority of them) could have themselves been compromised, that data downloaded, and stored for future automated misuse. Since the numbers were never bought and used and, therefore, never compromised, many of the card numbers would still be valid.

    The above would cause exactly what the bailout proponents feared in the 2008 global financial crisis and worse, but it would primarily harm the US.

  23. Rick

    I thought that the first three digits of your SS# was a code for where you were born and the last six were codes for all other information. Why would you want to just give all of your personal information to to an unknown person in some unknown third world country?
    Then Equifax comes up with a solution; You can put all of your personal and credit information in another one of our companies or we can put a credit freeze on all of your personal and credit information in a file at another one of our companies. Oh, these companies are controlled and run by, what’s his name, can’t pronounce it, in a building at, ?? some street, in a city, in the country where whats’s his name is at, today.
    How would these companies like it if someone collected information on the owners, CEOs, etc… and their family members, information like addresses, phone numbers, where they go each day, what day, time and where they get their hair done, shop, have lunch, etc… Information about why kind and how much jewelry and money that each family member carries on them. The make, model, color and tag no. of their auto. Which is all kept safe and secure in a locked cardboard box chained to a park bench in Haiti. Then, for $50.00 they could buy a picture of what is in their box.
    If by chance someone takes the stuff from their box, for only $75.00, they can get a new copy made. Which is a copy made from our main files stored safely and securely under some old shoes in the church closet. We will keep the new copy which we will keep safe and secure in a locked cardboard box chained to a park bench at our other location in Lagos, Nigeria.

  24. Matt

    What I don’t understand is why the default mode of someones credits is wide open.

    The default should be everyone’s account is in security freeze mode, with a PIN requiring unlock.

    It costs only $5.00 in my state, with each of the 3 credit reporting agencies.

    Why is this not the DEFAULT mode at all 3 credit reporting agencies? With PIN numbers being rotated every 30 days.

    I mean, how many typical people need to unlock it so often that it becomes a burden? I sign up for a loan or a credit card maybe once ever 5 years.

    This is just a ploy by Equifax to get you to shell out $19.95 x 12 = $239.40 (over 5 years = $1,197).

    I’m sorry, but this is just wrong. I’ll stick with my security freeze mode and pay $15 every 5 years instead of $1,197.

    1. John Lindemann

      I agree 100% Matt.
      It’s unlikely anyone can sue Equifax over this breach, most likely due to forced arbitration. See: lostinthefineprint d0t c0m for a very detailed (and sad) explanation of how people have been forced to give up their right to a trial.
      *Every* executive knows this- so businesses simply don’t care what happens any more. Even if Equifax were to be sued out-of-business…they would simply file chapter , change their name- and go on business as usual!
      Perhaps a more effective way would be to “work from within”.
      Buy 1 share of Equifax stock- then use your voting right as a shareholder to “send a message” to executives. Put an Executives position in jeopardy -and they will pay attention. Just like congress- when money & position are at stake… things often change for the better.

  25. Julianne

    Well, I’m not sure about anyone else, but it worked for me. Fan-freaking-tastic! (insert eye-roll)

    It reads, “Based on the information provided, we believe that your personal information may have been impacted by this incident. Please click the button below to continue your enrollment in TrustedID Premier.”

  26. Pat Hall Berrios

    They give you this site to check to see if your info has been compromised and a phone no#of 866-447-7559 the web site been lock down the people that answer phone don’t know anything cant even answer simple questions a absolute joke. Why bother to give a phone no# and web site if you cant access anyones info to give them a answer. This was just to make you think they really give a crap about your personal info they could care less. I don’t even care for their site they really don’t do anybodys credit justice but by having your personal info and now its been compromised by hackers that really takes the cake!!!

  27. charles

    Transunion offers TrueIdentity “TrueID?” which is free, unlimited and has credit lock too.

  28. Eliot Robinson

    cfpb has some good information:
    UPDATED JUN 08, 2017
    What do I do if I think I have been a victim of identity theft?

    Answer: If you think you’ve been a victim of fraud or identity theft, contact one of the nationwide credit reporting companies and place a fraud alert in your credit report.

    You can contact the three nationwide credit reporting companies, Equifax, Experian, and TransUnion:

    Alerts (888) 766-0008 Equifax Consumer Fraud Division,
    PO Box 740256,
    Atlanta, GA 30374
    Fraud Center (888) 397-3742 Experian,
    P.O. Box 9554,
    Allen, TX 75013
    Fraud Alert (888) 909-8872 TransUnion Fraud Victim Assistance Department,
    P.O. Box 2000, Chester, PA 19016

    A fraud alert requires creditors who check your credit report to take steps to verify your identity before opening a new account, issuing an additional card, or increasing the credit limit on an existing account based on a consumer’s request. When you place a fraud alert on your credit report at one of the nationwide credit reporting companies, it must notify the others.

    There are two main types of fraud alerts: initial fraud alerts and extended alerts.

    Initial fraud alerts

    You can place an initial fraud alert on your credit report if you believe you are (or are about to become), a victim of fraud or identity theft. Credit reporting companies will keep that alert on your file for 90 days. After 90 days the initial fraud alert will expire and be removed, you have the option to place another initial fraud alert at that time. An initial fraud alert requires that the creditor take reasonable steps to make sure the person making a new credit request in your name is actually you. If you provide a telephone number, the lender must call you or take reasonable steps to verify whether you are the person making the credit request.

    When you place an initial fraud alert in your file, you’re entitled to order one free copy of your credit report from each of the nationwide credit reporting companies. These free reports do not count as your free annual report from each credit reporting company.

    Extended alerts

    You can place an extended alert on your credit report after your identity has been stolen and you file an identity theft report.

    When you place an extended fraud alert in your file, you’re entitled to order two free copies of your credit report from each nationwide credit reporting company over a 12 month period.

    An extended alert is good for seven years. An extended alert requires that the creditor contact you in person or through the telephone number or other contact method you designate to verify whether you are the person making the credit request.

    Security freezes

    You can also place a “security freeze” on your credit report, which prevents new creditors from accessing your credit file and others from opening accounts in your name, until you lift the freeze.

    Unlike fraud alerts, if you place a security freeze with one credit reporting company they will not notify the other credit reporting companies. You must contact each credit reporting company individually if you would like to place a security freeze with all three nationwide credit reporting companies.

    Because most businesses will not open credit accounts without checking your credit report, a freeze can stop identity thieves from opening new accounts in your name. Be mindful that a freeze doesn’t prevent identity thieves from taking over existing accounts. States have their own rules about credit freezes and how much you pay for them.

    Special help for servicemembers

    Members of the military (such as members of the Marines, Army, Navy, Air Force, and Coast Guard) have an additional option available to them – active duty alerts, which give service members protection while they are on active duty. Active duty alerts last for 12 months.

    When you place an active duty alert on your credit report, creditors must take reasonable steps to make sure the person making the request is actually you before opening an account, issuing an additional credit card on an existing account, or increasing the credit limit on your existing account. Your name also will be removed for two years from the nationwide credit reporting companies’ pre-screen marketing lists for credit offers and insurance.


    To file an identity theft report, you must file either a police report or a report with a government agency such as the Federal Trade Commission.

Comments are closed.