It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.
Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.
Q: What information was jeopardized in the breach?
A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
Q: Was the breach limited to Americans?
A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.
Q: What is Equifax doing about this breach?
A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.
Q: That site tells me I was not affected by the breach. Am I safe?
A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.
Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?
A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.
Q: So should I take advantage of the credit monitoring offer?
A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.
Q: Wait, what? I thought that was the whole point of a credit monitoring service?
A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.
Q: Well then what the heck are these services good for?
A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.
Q: What’s the best way to do that?
A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.
Q: What is a security freeze?
A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.
Q: What’s involved in freezing my credit file?
A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.
Q: How much is the fee, and how can I know whether I have to pay it?
A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees.
Q: But what if I need to apply for a loan, or I want to take advantage of a new credit card offer?
A: You thaw the freeze temporarily (in most cases the default is for 24 hours).
Q: What’s involved in thawing my credit file? And do I need to thaw it at all three bureaus?
A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer. It’s best not to wait until the last minute to thaw your file.
Q: It seems that credit bureaus make their money by selling data about me as a consumer to marketers. Does a freeze prevent that?
A: A freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.
Q: Can I still use my credit or debit cards after I file a freeze?
A: Yes. A freeze does nothing to prevent you from using existing lines of credit you may have.
Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?
A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.
Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.
An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.
Q: Why would I pay for a security freeze when a fraud alert is free?
A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.
Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?
A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze; in other states there is no fee for a thaw or lift. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. Again, Consumers Union has a handy state-by-state guide listing the freeze and unfreeze laws and fees.
Q: What about my kids? Should I be freezing their files as well? Is that even possible?
A: Depends on your state. Roughly half of the U.S. states have laws on the books allowing freezes for dependents. Check out The Lowdown on Freezing Your Kid’s Credit for more information.
Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?
A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.
Q: I just froze my credit. Can I still get a copy of my credit report from annualcreditreport.com?
A: According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.
Q: If I freeze my file, won’t I have trouble getting new credit going forward?
A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.
Q: Can I have a freeze AND credit monitoring?
A: Yes, you can. However, it may not be possible to sign up for credit monitoring services while a freeze is in place. My advice is to sign up for whatever credit monitoring may be offered for free, and then put the freezes in place.
Q: Beyond this breach, how would I know who is offering free credit monitoring?
A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.
Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?
A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).
Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct?
A: Yes. However, this does not appear to be the case with the other bureaus.
Q: Does this make the process any less secure?
A: Hard to say. An identity thief would need to know the exact time your report was ordered. Unless of course Equifax somehow allowed attackers to continuously guess and increment that number through its Web site (there is no indication this is the case). However, having a freeze is still more secure than not having one.
Q: Someone told me that having a freeze in place wouldn’t block ID thieves from fraudulently claiming a tax refund in my name with the IRS, or conducting health insurance fraud using my SSN. Is this true?
A: Yes. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.
Q: Okay, I’ve got a security freeze on my file, what else should I do?
A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.
Q: Anything else?
A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.
To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.
To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.
Looks like it might not be a good idea to do the credit freeze online at Eqifax; http://www.zdnet.com/article/equifax-freeze-your-account-site-is-also-vulnerable-to-hacking/
The problem is with their credit monitoring system. This is different than freezing your credit report.
Brian,
Would you update your ( great) 2015 article given the recent events. Specifically,
In addition to the four agency credit freezes, periodic credit reports, permanent opt out at optoutprescreen.com and either an alert or freeze at ChexSystems….what else are you recommending these days?
Regarding ChexSystems are you recommending the permanent freeze option ( in 2015 you mention only the alert option).
There’s so many “rocks” to turn over in this process of securing yourself. Any objective, detailed recommendations would be welcome as before.
Banking wise….is there a major bank that has applicable safe guards that can be applied by the customer to secure their accounts safety maximally?
Best in Breed?
Thanks in Advance….
Frank
Great advice, however when attempting to freeze at equifax, we get this page:
System Currently Unavailable – Error 500
We’re sorry. We cannot process your security freeze request online at this time. Please try back later.
To make a security freeze request with the other national consumer credit reporting agencies, please contact Experian and TransUnion:
Experian,P.O Box 9554, Allen, TX 75013 (888)379-3742
TransUnion,P.O Box 6790, Fullerton, CA 92834 (888)909-8872
Thank you for giving Equifax the opportunity to assist you.
Equifax Information Services, LLC
How do I find out if my info was breached?
Until Equifax fixes their website or sends our letters it seems like they’ll keep returning random answers. Like my example: John Doe who has the last digits SSN of 123456 was “At Risk”. What a fucking joke.
I would think this would illegal I know for sure it’s unethical to tell someone that their personal data is at risk, when it’s not. You are causing basically causing terror and panic incident. Think if people that are freezing their credit and have to spend money because they think their credit could be at risk.
It’s aggravating to think there’s about a 50/50 chance that my SSN was handed out and I didn’t even have a choice to use Equifax.
The fact that Equifax and other credit bureaus can store so much sensitive data and do the bare minimum when an accident happens is ridiculous and outrageous.
Your answer is in the above article. Lost of other great advise too!
Brian,
Thanks as always, concise, informative information on a very confusing and disturbing state of affairs.
I took your advice months ago on security freezes after my ID was stolen. Amazingly enough, in my case it was not the end as the perpetrators removed my freeze twice. So I was able to create a sort of two-step verification where I have a verbal passcode as well. So I have a PIN and a passcode that HAS to be delivered over the phone to a CSR supervisor.
Even with that I know after years of dealing with this that there is no way out, and reform of this failing system is the only way out. Eventually some smart start up type is going to create an answer, uutil then take cover because this is only the beginning.
My story in case anyone is interested.
http://www.interactivehank.com/blog/?p=1047
Henry
The Consumers Union article you cite is from 2014 and some of the information in that article is no longer accurate.
So, what I’m hearing is, nothing is safe, really.
Thanks Brian.
It’s not event 1 year for me in California and my profile has been gifted to opportunists.
Sad to see incompetence at this level / every level.
Looks like breaches are becoming a farting contest – which executive can top other nincompoops running enterprises.
I am a US citizen living in Spain. Equifax has no provisions for entering a foreign address for their application to freeze. Any advice on this and if my chances of being affected are different because of my foreign address in Spain?
Brian: You touched on this initially but any update? Do we know if the breach affected Equifax PINs for those who froze their credit several years ago?
I telephoned Equifax this morning but of course their call center agents know absolutely less than the consumers affected.
I was told by Equifax on 9/9 (Saturday) that freeze PINs were not compromised. Hopefully, that is true.
Thanks, Ed. Once the excitement settles, I suppose I will see if I can have Equifax regenerate a new PIN just to be safe. Plainly these clowns are not to be trusted.
Equifax have provided absolutely nothing for us Brits.
I called Equifax and they offered free access to credit report for life (but cannot provide freeze for non-US customers).
Thanks Brian for the two additional points of ChexSystems and optoutprescreen.com . I froze my data at all four bureaus yesterday and did the two opt outs today.
Several updates on this:
1. My Social Security does not work — of course.
2. I placed a freeze on 3 CB’s online, but it’s impossible to do it at Transunion either online or by phone. One phone call got me to India, I gave them the personal info, communication got bad and I hd to disconnect.
3. The degree of negligence, incompetence and disregard by companies who were allowed to collect all our info without permission is mindboggling.
4. There is abolutely nobody who gives a damn about it.
5. We will again watch the spectacle of a hypocrite Congress “grilling” CEOs, a long process of lobbying and political contributions and ultimately no solution.
It’s not just the credit system that’s broken, it’s the American system. If the govt does not care about 143 Americans getting fleeced and the destruction of its own SSN is a doomed system.
I am doing some research but so far it seems that in Canada you can not get a security freeze put in place.
Anybody out there know for sure, thanks
No one cares is true, but in case your interested Senator Schatz of Hawaii has sent a letter to CEO of Equifax you can read here:
https://www.schatz.senate.gov/imo/media/doc/Senator%20Schatz_Letter%20to%20Equifax%20re%20data%20breach%209-11-17.pdf
I would encourage us all to send letters as well.
Mr. Richard Smith
Chief Executive Officer
Equifax, Inc.
1550 Peachtree Street, N.W.
Atlanta, GA 30309
I am sorry, but letters won’t do it.
What is happening to us is the direct result of corruption in DC, where politicians in the pocket of corporations allow them to do whatever they want, despite warnings of what will happen, and when it does happen they write letters, “grill” CEOs and do nothing to address the fundamental problems.
Don’t get fooled by politicians play the “tough” act after the fact. They are responsible for where we are today. Anything short of collective action by the public is useless and won’t produce anything.
Don’t get fooled by letters — they are meaningless.
The reality is that what we have today is the direct result of DC corruption, where politicians in the pocket of corporations do nothing to protect the public, enable its exploitation and when the consequences come home to roost, they write letters, pummel their chests in defense of the public, make speeches and “grill” CEOs, but do nothing to address the mess.
Just watch.
I tried the Consumer Union link you posted in your article and it brought me to a Oops Nothing found page. Perhaps they changed the link since you posted, adding a -2 at the end. I searched and did find it at http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/
They did change it, overnight it seems because it worked about 24 hours ago. I updated the link.
Thanks for all of this info once again Brian…. FYI, I did the security freeze 2 years ago and have had ZERO problems…
So the bottom line is:
EQUIFAX fucks up,
EQUIFAX apologizes,
EQUIFAX provides me free monitoring (which is widely known not to prevent/deter a criminal),
I order a Credit Freeze with all credit bureaus and incur approx. $60 expense out of my own pocket
I incur further fees to unlock/re-lock my credit report over the next few years
How is it that EQUIFAX isn’t liable for these fees to freeze/thaw/refreeze? Isn’t there a regulatory body governing credit bureaus?
The fact that I am now forced to pay $100+ over the next few years because of an error EQUIFAX made is unacceptable.
THERE IS NO REGULATION ANYMORE — FREE MARKETS BABY!
And “free markets” for corporations destroy America.
I have American Express “Credit Secure”. Do I need to Freeze my 4 Credit Co. accounts? Thank you. Frank
Two items that should be updated in the article:
I see links in two places to a Consumer Reports listing of relevant fees for each state. That link currently leads to a “page not found” error screen.
According to another news story I read somewhere yesterday, Equifax claims they’ve changed their PIN to a random number rather than a time stamp.
In a fast-evolving situation like this, it seems that an article like this might need frequent revision. I’m sure we’re all grateful for the work you put into this, Brian, and thanks for the great article and website.
An update on Equifax’s incident-related website (https://www.equifaxsecurity2017.com/) dated 9/11/17 notes the following:
Adjusted our PIN Generation for Security Freezes
We understand and appreciate that consumers have questions about how a PIN is currently generated for a consumer initiating an Equifax security freeze solution. All consumers placing a security freeze will be provided a randomly generated PIN.
I set up my freeze today and was assigned a 10-digit number.
FReezing your credit with the credit bureaus only prevents approval f new credit applications in your name being opened. It does not prevent fraudulent use of existing credit cards whose numbers were obtained by the hackers. THe only way to prevent that from occurring is to contact your credit card issuers and request that they cancel your existing cards and issue you new account numbers. I am in the process of doing that now.
The top guys at Equifax especially those that sold their stock when they found out about the breach…….we should require them to publish their full names, their spouse name, their children name, all of the ssn’s their addresses, income, their children’s school, all of their relatives and their SSN, their parents, cousins…… and let’s publish all of their data. Clearly it is pretty scummy ….did they really believe the SEC would not check that immediately. You sat right their and took the money to do a job and did not do your job
Is the option to lock/unlock from TransUnion equal to doing a credit freeze with them? It is a free service and is supposed to give me the ability to lock and unlock my credit report myself.
There is another consumer reporting agency that you may wish to lock as well, ChexSystems. Link provided below for your convenience:
https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/information/
Credit freezes should be totally free. It is the only way they can be trusted with our data and they should provide the only valid way to protect it without charging us to do the right thing!
The Consumer Reports site is now missing entirely
I just did security freezes with Experian, TransUnion and Equifax. The first two had me create an account and charged $10. Equifax did neither of those things but gave me a confirmation number and said I had been processed. I checked the site against the one you gave and they were the same. Is it possible Equifax is letting us freeze for free?
Thanks for all you do Brian!
What happens if the hackers have no interest in identity theft, and instead, just want to be malicious and freeze your account, keeping you from every obtaining credit. They now have the information to do so, don’t they?
So you have to pay them to not do what they should never have been doing in the first place, and even then they still keep doing other thing they should never be doing. Nice scam they got there.
here it is, the hypocrisy and corruption in all its glory:
Equifax Lobbied for Easier Regulation Before Data Breach
In months before hack, Equifax was lobbying lawmakers, agencies to limit legal liability of credit-reporting companies
https://www.wsj.com/articles/equifax-lobbied-for-easier-regulation-before-data-breach-1505169330
And I wouldn’t be surprised if they did it while they knew they were breached and held the info back.