11
Sep 17

The Equifax Breach: What You Should Know

It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

Q: What information was jeopardized in the breach?

A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

Q: Was the breach limited to Americans?

A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.

Q: What is Equifax doing about this breach?

A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.

Q: That site tells me I was not affected by the breach. Am I safe?

A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.

Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?

A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.

Q: So should I take advantage of the credit monitoring offer?

A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.

Q: Wait, what? I thought that was the whole point of a credit monitoring service?

A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

Q: Well then what the heck are these services good for?

A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.

Q: What’s the best way to do that?

A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including EquifaxExperianInnovis and Trans Union.  It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees.

Q: But what if I need to apply for a loan, or I want to take advantage of a new credit card offer?

A: You thaw the freeze temporarily (in most cases the default is for 24 hours).

Q: What’s involved in thawing my credit file? And do I need to thaw it at all three bureaus?

A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer. It’s best not to wait until the last minute to thaw your file.

Q: It seems that credit bureaus make their money by selling data about me as a consumer to marketers. Does a freeze prevent that?

A: A freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.

Q: Can I still use my credit or debit cards after I file a freeze? 

A: Yes. A freeze does nothing to prevent you from using existing lines of credit you may have.

Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.

Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.

An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.

Q: Why would I pay for a security freeze when a fraud alert is free?

A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.

Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?

A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze; in other states there is no fee for a thaw or lift. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. Again, Consumers Union has a handy state-by-state guide listing the freeze and unfreeze laws and fees.

Q: What about my kids? Should I be freezing their files as well? Is that even possible? 

A: Depends on your state. Roughly half of the U.S. states have laws on the books allowing freezes for dependents. Check out The Lowdown on Freezing Your Kid’s Credit for more information.

Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?

A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.

Q: I just froze my credit. Can I still get a copy of my credit report from annualcreditreport.com? 

A: According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.

Q: If I freeze my file, won’t I have trouble getting new credit going forward? 

A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.

Q: Can I have a freeze AND credit monitoring? 

A: Yes, you can. However, it may not be possible to sign up for credit monitoring services while a freeze is in place. My advice is to sign up for whatever credit monitoring may be offered for free, and then put the freezes in place.

Q: Beyond this breach, how would I know who is offering free credit monitoring? 

A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?

A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct? 

A: Yes. However, this does not appear to be the case with the other bureaus.

Q: Does this make the process any less secure? 

A: Hard to say. An identity thief would need to know the exact time your report was ordered. Unless of course Equifax somehow allowed attackers to continuously guess and increment that number through its Web site (there is no indication this is the case). However, having a freeze is still more secure than not having one.

Q: Someone told me that having a freeze in place wouldn’t block ID thieves from fraudulently claiming a tax refund in my name with the IRS, or conducting health insurance fraud using my SSN. Is this true?

A: Yes. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.

Q: Okay, I’ve got a security freeze on my file, what else should I do?

A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link

Q: Anything else?

A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request. 

Tags: , , , , , ,

241 comments

  1. The SSecurity field is not encrypted on the Equifax site. Seriously??
    No wonder Equifax experienced a hack.. encrypted SS #s is pretty easy.. This is unbelievable..

    • Quote:

      “Banks could wean themselves off their heavy dependence on credit bureaus. More important, regulators should recognize that using single scores results in information loss and poorer lending decisions. But politically, readily available credit has become the antidote to stagnant real wages. You can’t promise the modern version of a chicken in every pot unless consumers can spend more. The preferred economic model since the Reagan era has been to let them borrow more rather than increase wages. The 2008 crisis showed that the US and many other advanced economies had hit the limits of that paradigm. The cost of trying to keep it on life support has been low growth, ever rising levels of income inequality, and political instability. Equifax is a tiny example of the many problems with our financial system that were papered over rather than fixed. So if were it to fail under the weight of litigation, that might force some overdue changes. “

  2. I tried to obtain my “free annual credit report” from Equifax, using the website established for that purpose. I filled in the necessary
    information and requested the Equifax data. The program then went to Equifax and just sat there. No info was displayed. Nothing
    was downloaded. It may be because there is heavy traffic to the site
    doing the same thing but I finally gave up after 15 minutes.
    I now wonder if this attempt will count as my “free” request for the
    year to Equifax?

    • The credit agencies are being very clever. This incident is a huge profit opportunity for them.

      When you try to set a freeze , for a CHEAP one-time fee, they redirect you to setting up a lock that will cost you around $240 per year forever.

      Try to set up a freeze and you will immediately see what I mean.

  3. Thank you for clearing up the lock vs freeze confusion. I saw that at the TransUnion site and it was so vague and misleading I decided to check back here on the subject.

    • The TransUnion lock and freeze option are both same. While I agree with most of the comments from the article, I felt the comment about lock and freeze was made without proper knowledge.

      How do I know this? I worked for TransUnion for years!

      • Thanks for chiming in here, Nick. Maybe you can help answer some questions and add some transparency to a situation that is frankly pretty dismal. I think public trust in what credit bureaus have to say about anything — especially the security of our data or the integrity of the services they are offering people — is at an all time low.

        I’m not sure how anyone could reach any other conclusion than the reason Trans Union and other bureaus are adding a confusing term to compete with credit freezes is because they simply don’t want people getting credit freezes. And the only conclusion one could come to as to why they don’t want people getting them is that freezes will cost the bureaus money (even though bureaus get away with charging for them), while a credit lock costs the bureaus less and maybe even makes them money. Am I right? If not, please explain. Thank you.

        • A likely possibility is that Trans Union knew that anyone getting a credit freeze would probably never come back to purchase any other credit monitoring options. So, give away the credit lock for free, and then there is at least the possibility that some people will choose a more expensive credit monitoring option. Experian could have done the same thing, but they charge for the credit lock—so the more savvy customers are going to put a credit freeze in place with Experian, and be done with them. In my experience, Experian’s online credit freeze would not go through, which makes me wonder if they are making it difficult in hopes of getting customers to buy their services. The Trans Union offer is better, and I wish that Equifax and Experian had followed their lead.

        • Hi Brian, please raise awareness of the fact that their ‘complementary measures’ are only being offered to US citizens and not those affected from the UK and other countries.
          Absolutely awful, the whole website is targeted at US citizens only.

          thanks for the work you do.

          Max.

  4. Thanks for brilliant reporting and providing useful, actionable
    information.

    I established credit freezes on three of the four credit reporting bureaus using the telephone numbers provided in your post – thanks. It was a relatively seamless (two out of the three were completely automated) exercise. I left Equifax for my last call and suppose I shouldn’t have been surprised: Only after inputting personal information through 8 or nine menus did the auto voice advise: “the system is not available at this time to process your request. Please call back later”. I was infuriated.

    Equifax has left such a bad impression, from the onset of the breach, to delays in public notification, to whatever may charitably be called senior management misjudgements in their personal stock sales, and now its feeble attempts to remediate this disaster, I wonder if it can survive as a company.

  5. And the Equifax online freeze form currently is broken:

    System Currently Unavailable – Error 500

    We’re sorry. We cannot process your security freeze request online at this time. Please try back later.

    • Not exactly broken, just overwhelmed with freeze requests. Keep at it. It took me about 25 attempts to finally get an Equifax freeze on my wife and myself. The other listed credit bureaus were not nearly this difficult.

  6. your link to the consumer’s union guide to freezes is not accurate… here the correct link: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/

    Keep up the great work!

  7. Thanks for the great article, as always.

    FYI, your link to Trans Union’s freeze is to the http version of the URL. It is promptly redirected, but still…

  8. Thank you so much for your reporting and advice–top of the line.

  9. I set up a freeze on the three major credit bureaus; only TransUnion required me to establish an account with a password. Unbelievably, their system would not accept a password containing any special characters; my initial attempts to create passwords with special characters were all rejected. Once I dumbed down t0 alphanumeric characters, my password was accepted.

    This is how a major credit bureau thinks about security!

  10. Thanks for all the advice. I set up freezes at the other three bureaus. When I went to set up a freeze today at Equifax, I entered my data and after processing for a few seconds I got an error saying I needed to send ID verification to their office via mail. Thinking this may have been a transient issue, I decided to try one more time. This time, the site indicated that I already have a freeze set up, though I never was given the opportunity to set up a PIN.

    So, I guess now I may or may not have a freeze at Equifax, and if I do, I have no ability to lift it. By comparison, setting up a freeze at all the other bureaus was painless. They are really doubling down on their own incompetence here.

    • I had that happen a couple of years ago, although I won’t swear it was Equifax. I actually let the matter drop until a couple of months ago when I ran across the letter I had drafted. I sent it to them and they responded promptly, telling me the freeze was in place and providing me with a PIN.

  11. If I do a credit freeze, will it impact my govt security clearance renewal? Since they check my credit every so often?

    • Former Clearance Holder

      Ask your security office? Equifax’s answer doesn’t match what I read of dealings with Federal agencies.
      Equifax’s answer concerning government agencies:
      equifaxsecurity2017.com/trustedid-premie item 2

  12. How did they get our data in the first place without consent?

    • Consent for “Our data”?!? What part of that data are *you* the author of? Your name was created by your parents, your street address is public record, the SSN was created by the Social Security Administration, the credit card numbers are created by the card issuers, the payment history is provided by the financial institutions. Other than the PIN/password you select when you set up an account with them, you don’t own the copyright on ANY of the data they have on your file. Sorry to burst your bubble, but that’s the way the law looks at it.

  13. It seems most states allow a free freeze if you are victim of identity theft. If Equifax marks your data as being breached does this count as a victim of identity theft, since your data has not technically been used yet? Seems like a joke that they are charging you to protect yourself….

  14. Thank you for this informative information. I was in the hands of DC government and these fraudulent doctors in DC and due to them I am currently disabled and not able to afford $60 right now so I was wondering what are my alternatives to putting on a freeze and for those that possibly can’t afford $60 at this present time I was one of the ones whose information was breached and there is no information for DC residents on what we can do to file a formal complaint and also a possibility of a lawsuit so if you can give us some direction here in DC that would be greatly appreciated

  15. Hey Brian,

    What are your thoughts on freezing my 3 year old’s credit file? Am I being too paranoid? What would be the cons? Would the act of creating a freeze for him initiate a file being opened on him, which could then be sold opening him up to mail spam, fraud, etc. earlier than normal?

    Thanks for the great work that you do.

    -Chris

  16. Above it says:
    “ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. ”

    But the chexsystems’ site seems to be a place where you can “Place Your Security Freeze at Chex Systems, Inc.”

    Is that what you mean, Brian? Put a security freeze at Chexsystems, too?
    (that makes five places for a security freeze)
    Thanks.
    Mac

  17. I tried requesting my annual credit reports at Experian, TransUnion and Equifax (from https://www.annualcreditreport.com/index.action)

    All 3 of them weren’t able to give it to me. One of them (Experian) seemed to count my attempt as my one per twelve months, even though I didn’t get a report back. The other two said they weren’t able to give it to me at this time.

    Wondering if other people are having this problem, perhaps due to the amount of people requesting their info due to the breach

    • Jason,
      Yes, I had the same problem, to the point where I stopped going to annual credit report dot com, because the site failed unless I lifted all three freezes beforehand, which is too much extra effort.

  18. What is the 4th credit reporting company? I only know of three? Please list all 4 for us.

  19. I assume this freeze must be done for both husband and wife so the cost is times two?

  20. Seriously…. They have a breach and now I attempt a freeze and Equifax servers respond with ‘System Currently Unavailable – Error 500’. Wonderful infrastructure

  21. You were so right Brian on the freeze advice all along! Only was to get a freeze now is to call each of the 4 bureaus, get in the hours long “customer service” ques on hold (use speaker on cell phone while you do other tasks) and do it verbally, be sure to write down your confirmation #’s and pins, and demand a written credit report be mailed to you from each one. I was “impacted” (a nice euphemism for yet screwed again) by the Equifax breach and also tried to place freezes online for days. Forget it. Fact it, this will be a big boost to the Big 3 credit companies’ bottom line this year and forever more with the ridiculous on/off fees they’ll rake in. Trying to file a police report in my city is insanely difficult, you have to provide them with written documentation of the incident from the entities involved (good luck getting THAT from these bureaus!) and the police aren’t really interested in dealing with it – just a bunch of unproductive paperwork for them. No hope of actually accomplishing anything. I just paid the freeze fees figuring it’s a better alternative than getting compromised for really big bucks. Good luck everyone! Perhaps our intrepid Congressional leaders, their family and friends will get compromised and feel the pain, and finally get off their butts to help the people who put them in office!

  22. Thank you Brian for being the voice of sanity! How can we protect ourselves from Social Security and IRS fraud from this debacle? I’ve already claimed my SS info with account/password set up at the their site, but what the heck do I do about the IRS accepting fake returns in my name?

  23. FYI: I did the credit freeze maybe a year ago. It was quite easy and didn’t cost me anything since I’m a senior citizen. The part about ChexSytems is new, so I’ll have to fill out their form.

    It’s nice to have the credit freeze in place now so I don’t have to panic.

  24. This Equifax thing is infuriating. First, their lax security caused a major security breach. Second, they waited SIX WEEKS to say anything about it. Third, some of the key execs sold off their stock after they learned of the breach, but before they notified the victims. That smacks of SEC fraud! Fourth, all of the major credit monitoring services are so overwhelmed with consumers trying to freeze their credit that it’s impossible to get through and actually freeze our credit! It’s maddening. And it’s taking untold hours of American consumer time to try to clean up the mess. The public should be outraged, and Equifax execs should be facing prison time.

    • Yeah, seems a bit dishonest doesn’t it, that the Equifax execs sold stock before this was public?

      Hmm…you would think there would be a Federal agency that would have some jurisdiction over something like that.

  25. As consumers we should be able to purge our data from their system.

  26. At the very least, As consumers we should be able to purge our data from their system.

  27. This advice must be having some effect. I received system errors at both TransUnion and Experian while trying to freeze my report(s).

  28. Flipping idiots….

  29. very interesting lets have a security breach and sell credit monitoring at a higher price see if people notice. NO matter now much money we spend to have our credit monitored it can still be hacked.

Leave a comment