11 Sep 17

The Equifax Breach: What You Should Know

It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

Q: What information was jeopardized in the breach?

A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates and addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

Q: Was the breach limited to Americans?

A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.

Q: What is Equifax doing about this breach?

A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.

Q: That site tells me I was not affected by the breach. Am I safe?

A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.

Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?

A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.

Q: So should I take advantage of the credit monitoring offer?

A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.

Q: Wait, what? I thought that was the whole point of a credit monitoring service?

A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

Q: Well then what the heck are these services good for?

A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.

Q: What’s the best way to do that?

A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees.

Q: But what if I need to apply for a loan, or I want to take advantage of a new credit card offer?

A: You thaw the freeze temporarily (in most cases the default is for 24 hours).

Q: What’s involved in thawing my credit file? And do I need to thaw it at all three bureaus?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer. It’s best not to wait until the last minute to thaw your file.

Q: It seems that credit bureaus make their money by selling data about me as a consumer to marketers. Does a freeze prevent that?

A: A freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.

Q: Can I still use my credit or debit cards after I file a freeze? 

A: Yes. A freeze does nothing to prevent you from using existing lines of credit you may have.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze; in other states there is no fee for a thaw or lift. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. Again, Consumers Union has a handy state-by-state guide listing the freeze and unfreeze laws and fees.

Q: What about my kids? Should I be freezing their files as well? Is that even possible? 

A: Depends on your state. Roughly half of the U.S. states have laws on the books allowing freezes for dependents. Check out The Lowdown on Freezing Your Kid’s Credit for more information.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.

Q: I just froze my credit. Can I still get a copy of my credit report from annualcreditreport.com? 

A: According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Can I have a freeze AND credit monitoring? 

A: Yes, you can. However, it may not be possible to sign up for credit monitoring services while a freeze is in place. My advice is to sign up for whatever credit monitoring may be offered for free, and then put the freezes in place.

Q: Beyond this breach, how would I know who is offering free credit monitoring? 

A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?

A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct? 

A: Yes. However, this does not appear to be the case with the other bureaus.

Q: Does this make the process any less secure? 

A: Hard to say. An identity thief would need to know the exact time your report was ordered. Unless of course Equifax somehow allowed attackers to continuously guess and increment that number through its Web site (there is no indication this is the case). However, having a freeze is still more secure than not having one.
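To put numbers on the answer above, here is an added illustration (not Equifax's code and not part of the original article) comparing how much uncertainty a time-derived PIN holds against a randomly generated one, and how a cap on failed attempts limits guessing. The 10-digit `MMDDYYHHMM` layout, the minute resolution and the failure limit are assumptions made for the example; the article does not state the PIN format.

```python
import hmac
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10  # assumption: the article does not give the PIN length or layout


def timestamp_pin(issued_at: datetime) -> str:
    """Weak scheme described in the article: the PIN is the issue date and time.
    The MMDDYYHHMM layout is an assumption made for this example."""
    return issued_at.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: every digit comes from the OS CSPRNG, unrelated to time."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_keyspace(window: timedelta) -> int:
    """Possible PINs when the freeze is known to fall inside `window`.
    At minute resolution there is one possible value per minute."""
    return max(1, math.ceil(window.total_seconds() / 60))


def random_keyspace(digits: int = PIN_DIGITS) -> int:
    """Possible PINs when every digit is independent and uniform."""
    return 10 ** digits


def entropy_bits(keyspace: int) -> float:
    """Uncertainty, in bits, of a value drawn uniformly from `keyspace`."""
    return math.log2(keyspace)


def guess_success_probability(keyspace: int, attempts_allowed: int) -> float:
    """Chance that a PIN is hit before the attempt limit locks the file."""
    return min(1.0, attempts_allowed / keyspace)


class ThawVerifier:
    """Checks a thaw PIN and locks the file after too many wrong tries.
    The default limit of 5 is a hypothetical policy value."""

    def __init__(self, pin: str, max_failures: int = 5):
        self._pin = pin
        self._max_failures = max_failures
        self._failures = 0

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_failures

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False  # even the correct PIN is refused once locked
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._failures = 0
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    # Constructed sample date, not taken from any real freeze.
    print("time-derived PIN:", timestamp_pin(datetime(2017, 9, 8, 14, 30)))
    for label, window in (("1 day", timedelta(days=1)),
                          ("1 week", timedelta(days=7)),
                          ("1 year", timedelta(days=365))):
        space = timestamp_keyspace(window)
        print(f"freeze within {label}: {space} values, "
              f"{entropy_bits(space):.1f} bits, "
              f"P(hit in 5 tries) = {guess_success_probability(space, 5):.6f}")
    space = random_keyspace()
    print(f"random 10-digit PIN: {space} values, {entropy_bits(space):.1f} bits")
```

A time-derived PIN is only as unpredictable as the date the freeze was placed, so the attempt limit does most of the work in that scheme; a random PIN does not depend on the limit to the same degree.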

Q: Someone told me that having a freeze in place wouldn’t block ID thieves from fraudulently claiming a tax refund in my name with the IRS, or conducting health insurance fraud using my SSN. Is this true?

A: Yes. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 


243 comments

  1. Brian, what is your advice to people who are forced to mail in identifying information to Experian to effect a credit freeze because the online system is not working for them? It seems to me that the Experian mailing address would be a huge red flag for anyone looking to steal social security numbers and other identifying information as it goes through the mail system. Do you recommend Registered Mail? How else to get this information to the company “safely?” Is this advisable?

  2. I just tried to order my credit report from all three at annualcreditreport.com. Only TransUnion was able to process my report online. Equifax says “Online Delivery is Inavailable” and Experian says “A condition exists that prevents Experain from being able to accept your request at this time.” How frustrating! I did screen captures just in case.

  3. My paranoia is notorious, but nevertheless–and this in response to Brian Krebs’s comment above–I have white-listed a website in uMatrix. I reasoned that I can’t be holier than the Pope, and gave it a shot.

    Sure enough, ads are showing now, and they are all actually interesting or even useful. Moreover, because I use DNSBL in addition to uMatrix and uBlock, the fact that they show at all helps to verify Brian’s commitment that they are not agency placements.

    An impressive website here, one that harks back to the days when the internet was actually good.

  4. This is great news. New Equifax wrinkle as of this morning 9-16-17. Website and telephone utilities for credit freezes are both sort of functioning. While I was unable during my eight attempts in last days to invoke a freeze, both the website and phone utility both say that I have them. PROBLEM: I don’t have a PIN to lift freeze since I never actually was able to secure one. Have no idea what to do. Thoughts? Many thanks.

    • Nick, same here. No idea.

      • Have you checked your computer’s downloads folder? I had the same experience as you, then checked that folder for other reasons and found a file named ‘SFF.pdf’ — which turned out to be my PIN.

    • Same here, but I couldn’t reach an Equifax representative on the phone.

    • Nick, it seems that Equifax has been placing freezes on the credit reports of callers and not notifying them that it has done so. In any case, I called the Equifax Security Freeze Department 888-298-0045. They confirmed that I had already put a freeze on my credit report when I called a while back (news to me) and promised to send me a PIN by USPS. I even got a confirmation number on the telephone call. Worth a try.

  5. Brian, I tried to freeze my credit with Equifax this morning and got a “System Currently Unavailable – Error 500”, then tried again later only to find that my credit is now frozen. My only option at this point is to request a lift on the security freeze, but this requires a PIN which I never received.
    I called Equifax (866-447-7559) and got through rather quickly. I was told they are aware of issues with the online credit freeze service and are working to resolve it. However, I don’t really think the representative understood the issue I was explaining.
    Also, it looks entirely feasible that the only information you need to place a freeze on your credit is available in the breach!

    • Hi Jerry – Just FYI, I experienced the same issue with intermittent error messages and “contact us via US mail” responses at most of the vendors, but resubmitting the request received positive confirmations/PINs/expected results. Seems like the problems are due to intermittent load.
      Tim

    • The number you listed is only for questions related to the breach and the free monitoring service, not for answering the freeze questions. The representative was totally confused when I was talking about the failure of the website to generate the PDF. He then said it was sent by mail – immediately indicating he was not aware I was talking about the Freeze not the monitoring service. Then he told me the line was for inquiries for the breach and Trusted ID, not freezes.

  7. Hi Brian – Thanks for posting this detailed Q&A. Having gone through this, I have a few comments: 1) If you get a ‘system currently unavailable’ or ‘submit your request via mail’ response after submitting a freeze/alert request, go back and resubmit it. This seems to be due to busy systems. 2) Chex Systems also allows you to freeze your information. To do so, go to this site: https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/placefreeze

    Thanks again for all this great info.

    • Tim,
      Here is what happened when I applied twice. It merely confirmed the hard core business practices from our friends at “Equihax.”

      When filling out the form to request free tracking services (for which a credit card is not supposed to be required), they generate a note to look for an email to complete the transaction. I waited a week and did not receive anything except an invitation to join IdProtection with an introductory 30 day free trial. Since they ask for a credit card, I ignored it.

      Since I never received the promised “free” notification, I filled out another request (about a week after the first one). Sure enough, 15 minutes later, I received another invitation to join IdProtection: 30 days free, $19.99 after that.

      It appears that Equifax uses the email address from the request for their free one year service to solicit business to generate revenue from the very people they damaged.

      This is more than haphazard, ill-conceived, or clumsy, as Mr Krebs described the “dumpster fire.” This is spiteful, calloused and devious.

      I’ll leave it to you to air your own conclusions and expletives.

  8. What impact does a credit freeze or fraud alert have on insurance companies’ ability to order Insurance Based Scores (IBS) which are used heavily in the rating of auto and home insurance in most states except California? If a consumer orders a credit freeze, does the insurance company get a “no hit” which will then result in a higher insurance premium to the consumer? This could be a massive issue for people who are shopping for insurance or for the clients of those insurance companies who re-order IBS scores every year or two. Thank you for any information you can provide.

  9. Hi Brian – thank you very much for the detailed information. For married couples, should there be a credit freeze done for both people – both SSNs?

    Thanks!

  10. Two things — credit freezes usually last only 7 years, and you need to redo the process. Perhaps this will change post-Equifax breach.

    Second, if someone knows their social security number has been breached, they should also inform the IRS — Form 14039 — which is specifically an identity theft alert — it is like a fraud alert with the IRS. There is a problem with people filing bogus tax returns to claim refunds — this can help avoid this problem.

    • #UnbelievableNonsense

      How do you know there is only seven years for credit freeze??? Never heard of this before. Cannot believe that!

      Are you thinking of something else? With junk mail blocking there is a five year thing that you have to renew every five years.

  11. Can we get a list of reputable monitoring services? Please? Thank you.

  12. So my husband or I can apply for credit. Therefore, I’m thinking we each need to file a credit freeze…at 4 different credit bureaus. Texas charges $10…that’s 2 times $10 times 4…$80 for a problem I didn’t create!

    • Yes, you are correct… it’s unfair that you must pay these ridiculous fees for freezing a file. Equifax should offer a free credit freeze from now until forever.

      Ironically, the money which Equifax will lose after offering millions of people TrustedID for a year… they could have spent a LOT less and been proactive in guarding their database.

      One day, maybe Congress will take cybercrime more seriously, and enact new laws to protect consumers.

  13. I tried to complete the credit monitoring form and when I get to the word ‘continue’, it has a circle with a line through it and won’t allow the page to advance. I’ve looked over my answers numerous times and there is nothing missing or wrong. Now what?

  14. #EquifaxRunByIdiots

    Five members of my family enrolled in the Equifax security monitoring thing. Still waiting for the stupid confirmation email. Equifax must be run by a bunch of idiot hamsters running in a wheel where they are getting swamped by these requests so bad that they cannot even timely get out the confirmation emails. We also checked and there is nothing in our junk spam folders from Equifax. Go look on Twitter and people are complaining about not getting the confirm email at all. And some who got emails say the confirm links in the emails don’t work!! Equifax says 72 hours. Been longer than that. Maybe the Equifax Windows computer is bogged down by viruses because the incompetent Equifax music major security officer is still on the job. Equifax you fail and you fail big time so bigly in the most epic of ways.

  15. What would you recommend for people who moved out of the USA but have social and long good credit history? How to do credit freeze in that case and how to opt out permanently from offers?

  16. What happens if you lose the freeze PIN?

  17. Here is the latest reflection of the hard core business practices from our friends at Equifax.

    When filling out the form to request free tracking services (for which a credit card is not supposed to be required), they generate a note to look for an email to complete the transaction. I waited a week and did not receive anything except an invitation to join IdProtection with an introductory 30 day free trial. Since they ask for a credit card, I ignored it.

    Since I never received the promised “free” notification, I filled out another request (about a week after the first one). Sure enough, 15 minutes later, I received another invitation to join IdProtection: 30 days free, $19.99 after that.

    It appears that Equifax uses the email address from the request for their free one year service to solicit business to generate revenue from the very people they damaged.

    This is more than haphazard, ill-conceived, or clumsy, as Mr Krebs described the “dumpster fire.” This is spiteful, calloused and devious.

    I’ll leave it to you to air your own conclusions and expletives.

  18. I’m trying to determine if PINs from old security freezes on Equifax credit files have been compromised.

  19. I have not been able to get any communications with Equifax, but even more importantly, I have not been able to get a PIN from Equifax. I finally decided to go ahead and freeze my credit without a PIN because by then, I thought they would send it to me “after” I executed a freeze. Still no luck, and Equifax won’t respond to voice or email communications. What the hell is going on? Have they gone home?
    Does anyone have any info on PINs from Equifax?????

    Mike

  20. Why is it us, the consumer, who have to pay the price? We have nothing to do with the breach, but we have to hire and pay lawyers to clear our good name and standing. What’s wrong with this picture? We never had to worry as much back in the day before computer age.

  21. My parents are senior citizens, the internet is foreign to them. Are there forms they could get to freeze their accounts without having internet? or forms I could just print and send to them, instead of filling stuff out online and then printing?

  22. An exhaustive write-up. No wonder I always check this website first whenever I hear about a data breach or cyber crime. Never disappoints.

  23. Thanks for the link to the Consumers Union list.

    I already knew I could PLACE a freeze for free (over the age of 65 in PA), but I had wondered if there would still be a charge for a temporary thaw (they call it a “Lift”). Apparently so, according to CU’s table. However a Removal is free.

    This seems to be the case in a number of states. So, now my question is, “How often is one permitted to Place & Remove a Freeze for FREE, if only a ‘Lift’ has a cost?”.

    The question may be moot in PA. According to http://consumersunion.org/pdf/security/securityPA.pdf

    “The consumer reporting agency is not allowed to charge a fee to victims or seniors 65 years of age or older for placing, removing for a specific period or party, or removing a security freeze on a credit report.” So, their table may be incorrect in that regard.

    Unfortunately, I don’t know how to find a similar document for other states. I believe I just stumbled onto the one for PA, when I googled “how long does a credit freeze last”. The answer to that is also the last line in CU’s “FAQ about security freeze”:

    “A freeze generally lasts until you remove it, though a few states place limits on the duration of a credit freeze (e.g. Kentucky, Pennsylvania, and South Dakota – 7 year duration)”

  24. Thoughts on TrueIdentity by TransUnion? I’m concerned with signing up simply because Norton flags it as a potentially malicious site.

  25. Like a lot of people I tried to put an initial freeze on at Equifax at their online site and after giving all the information I got an error 500. Going back and trying again it tells me that my credit is frozen. I keep trying but it always says the same thing. Anybody have any answers or any advice?

  26. Regarding the following:
    Q: So should I take advantage of the credit monitoring offer?
    A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.
    But does taking advantage of this offer mean you waive the right to participate in a class-action suit? (That’s what we’re hearing…).
    Thanks!

    • That question is also addressed in the above Q&A:

      Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?

      A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.

  28. While reviewing the ChexSystems website to add a Security Alert I noticed that in addition to that they offer a Security Freeze as well.

    So what is the difference between filing a Security Freeze with ChexSystems vs the four major credit bureaus individually?

    Thanks!
