It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.
Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.
Q: What information was jeopardized in the breach?
A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
Q: Was the breach limited to Americans?
A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.
Q: What is Equifax doing about this breach?
A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.
Q: That site tells me I was not affected by the breach. Am I safe?
A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.
Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?
A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.
Q: So should I take advantage of the credit monitoring offer?
A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.
Q: Wait, what? I thought that was the whole point of a credit monitoring service?
A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.
Q: Well then what the heck are these services good for?
A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.
Q: What’s the best way to do that?
A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.
Q: What is a security freeze?
A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.
Q: What’s involved in freezing my credit file?
A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.
Q: How much is the fee, and how can I know whether I have to pay it?
A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees.
Q: But what if I need to apply for a loan, or I want to take advantage of a new credit card offer?
A: You thaw the freeze temporarily (in most cases the default is for 24 hours).
Q: What’s involved in thawing my credit file? And do I need to thaw it at all three bureaus?
A: The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer. It’s best not to wait until the last minute to thaw your file.
Q: It seems that credit bureaus make their money by selling data about me as a consumer to marketers. Does a freeze prevent that?
A: A freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.
Q: Can I still use my credit or debit cards after I file a freeze?
A: Yes. A freeze does nothing to prevent you from using existing lines of credit you may have.
Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?
A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online, fill out a short form, and answer a handful of multiple-choice, out-of-wallet questions about your credit history. Assuming the application goes through, the bureau you filed the alert with must by law share that alert with the other bureaus.
Consumers also can get an extended fraud alert, which remains on your credit report for seven years. Like the free freeze, an extended fraud alert requires a police report or other official record showing that you’ve been the victim of identity theft.
An active duty alert is another alert available if you are on active military duty. The active duty alert is similar to an initial fraud alert except that it lasts 12 months and your name is removed from pre-approved firm offers of credit or insurance (prescreening) for 2 years.
Q: Why would I pay for a security freeze when a fraud alert is free?
A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.
Q: Hang on: If I thaw my credit file after freezing it so that I can apply for new lines of credit, won’t I have to pay to refreeze my file at the credit bureau where I thawed it?
A: It depends on your state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on a freeze; in other states there is no fee for a thaw or lift. However, even if you have to do this once or twice a year, the cost of doing so is almost certainly less than paying for a year’s worth of credit monitoring services. Again, Consumers Union has a handy state-by-state guide listing the freeze and unfreeze laws and fees.
Q: What about my kids? Should I be freezing their files as well? Is that even possible?
A: Depends on your state. Roughly half of the U.S. states have laws on the books allowing freezes for dependents. Check out The Lowdown on Freezing Your Kid’s Credit for more information.
Q: Is there anything I should do in addition to placing a freeze that would help me get the upper hand on ID thieves?
A: Yes: Periodically order a free copy of your credit report. By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.
Q: I just froze my credit. Can I still get a copy of my credit report from annualcreditreport.com?
A: According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.
Q: If I freeze my file, won’t I have trouble getting new credit going forward?
A: If you’re in the habit of applying for a new credit card each time you see a 10 percent discount for shopping in a department store, a security freeze may cure you of that impulse. Other than that, as long as you already have existing lines of credit (credit cards, loans, etc) the credit bureaus should be able to continue to monitor and evaluate your creditworthiness should you decide at some point to take out a new loan or apply for a new line of credit.
Q: Can I have a freeze AND credit monitoring?
A: Yes, you can. However, it may not be possible to sign up for credit monitoring services while a freeze is in place. My advice is to sign up for whatever credit monitoring may be offered for free, and then put the freezes in place.
Q: Beyond this breach, how would I know who is offering free credit monitoring?
A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.
Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?
A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).
Q: I read somewhere that the PIN code Equifax gives to consumers for use in the event they need to thaw a freeze at the bureau is little more than a date and time stamp of the date and time when the freeze was ordered. Is this correct?
A: Yes. However, this does not appear to be the case with the other bureaus.
Q: Does this make the process any less secure?
A: Hard to say. An identity thief would need to know the exact time your report was ordered. Unless of course Equifax somehow allowed attackers to continuously guess and increment that number through its Web site (there is no indication this is the case). However, having a freeze is still more secure than not having one.
Q: Someone told me that having a freeze in place wouldn’t block ID thieves from fraudulently claiming a tax refund in my name with the IRS, or conducting health insurance fraud using my SSN. Is this true?
A: Yes. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.
Q: Okay, I’ve got a security freeze on my file, what else should I do?
A: It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.
Q: Anything else?
A: ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.
To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.
To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.
Same question asked earlier by Paul Primmer:
Does the security freeze need to be done for both husband and wife separately?
Yes.
It is interesting to watch this from the Canada side, since we have no information about the number of Canadian’s impacted by this and no website where we can register, like people in the US can. As well, we do not have a Credit Freeze option in Canada. ChexSystems does not support Canada. Once again Canadians, can look through the glass and see what the US is doing, but “we can’t get that here”. (Sometime that pays off for us, in other cases, we are additional collateral damage to bad choices in the US.) The results is we expect we will have our credit card compromised when we travel to the USA, because the companies there can not make the change to Chip and PIN. I’ve been thru 3 credit cards this year, and each time was after less than 5 days in the USA.
I’m not sure how our Canadian Privacy information made it into a US database, maybe it is only dual citizens, but who knows… cause no news from Equifax.
If you freeze your Equifax account and forget your pin you just need your last name, date of birth and social security number and they will send a new pin to the email address your registered. This seems like information someone could find if they don’t already have it.
Brian, good article. People are going to hate me for this, but there is a 5th Bureau you should file a freeze with, and personally just as important in my opinion. A security freeze is free, but can only be done by mail, secured fax, or by calling; there is no online way to freeze account. Link for freeze info:
SageStream – https://www.sagestreamllc.com/security-freeze/
They are used by “credit card issuers, retailers, and wireless telephone service providers and auto lenders” and not mentioned a large number of online and payday loan companies. The online lenders (OL) are who I would care most about as you could possibly stack a large number of 15K loans at once using the information obtained from the Equifax issue. If they could hit 10, that’s 150K.
Oh, and if you have a cell phone plan, you were probably run through their system or one of the ID:Analytics products.
For the benefit of SageStream, I will say they do have a network of online lenders (OLN) to cut down on the stacking issue, being able to tell a lender that someone just took out a loan 5 min ago someplace else. The issue is not everyone is part of the network.
Full disclosure, I use to work at ID:Analytics, the parent of SageStream, when it was a subsidiary of Lifelock. For a little while after Symantec bought out Lifelock in Feb of this year, I was also there.
–Dave
So, Dave,
There are now six CRAs?
Experian
TransUnion
Equifax
Innovis
ChexSystems
and now SageStream?
Is it it possible to get an accuarate count on exactly how many effing CRAs we need to deal with?
There are *lots* of credit reporting agencies, and filing a freeze with all of them would take a ton of time. Equifax, Experian, and TrensUnion are the “big three;” the rest are smaller/more niche and may or may not be worth freezing. Here’s a list from the Consumer Financial Protection Bureau: http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf
Sagestream seems to be the main credit reporting agency for Bank of America, so not exactly “niche.”
http://www.latimes.com/business/lazarus/la-fi-lazarus-credit-optics-sagestream-20160802-snap-story.html
Hey, Krebs,
Do me a favor and calculate the revenue boost to the big three just by charging $10 for a credit freeze.
I already posted a pdf on one of my domains for the benefit of my clients, no links here coz this your playground.
At least, check my numbers.
Equifax really have no clue about who is compromised. So, let’s assume every SSN.
One can freeze a child’s SSN for free per law – though the protocol is hard to fathom.
We assume therefore, 240 million people needing to freeze at the mid-price of $10 per person per CRA.
This is a $2.4 Billion windfall per big three CRA.
Moving forward, assume 120 million people need to thaw at least once per year.
$1.2 Billion of ongoing revenue, per CRA – Forever.
If anyone want’s to check my math, please do so.
BUT,
How is it that a credit freeze is not blackmail?
Blackmail is “not exposing compromising or injurious personal information for a fee”.
I have to pay a fee to not have my personal financial information compromised? Is this not injurious to my financial security? Blackmail is not defined as exposing embarrasing info. Can someone please explain how this is not blackmail?
Gary
Most states require the credit bureaus to initiate a credit freeze at no cost if you’re the victim of identity theft. It’s not clear what sort of documentation is required to prove you’re the victim of ID theft, or that you’re “likely to be the victim of identity theft”. Given the scale of the Equifax breach, and the publicity surrounding it, I think it’s safe to assume that everyone has good reason to believe they’re at risk. Doesn’t it follow that everyone should be able to start a credit freeze at no cost?
However, you are correct that if people need to pay to lift and restart a freeze once or twice a year, that’s going to be a significant windfall for these companies. It definitely is grating that these companies compile our most sensitive information, essentially without our consent, and we have to PAY to protect ourselves from their negligence. We need a better system.
Technically in Colorado they are allowed to charge $10 to lift the freeze. But after having a freeze with all 3 for over 2 years, I have never actually been charged for a temporary lift. When I tried to mail a check because I locked myself out through the online system once, the company didn’t cash the check.
So it might be quite the payday, but I don’t know that they are actually charging the fees in practice.
Years ago many of us put a security freeze with the CRA’s and felt some safety in ‘knowing’ that it would be difficult for a bad guy to commit fraud using our identity.
However, I just checked the Equifax web site and it appears that all a bad guy needs to unfreeze it is the information that was just exfiltrated from Equifax. (In addition to filling in the web form fields with the PII, they ask for some ‘proof of identification’ which is a copy of an easily–since it will be a scanned copy—forged document containing the PII.)
What good is a freeze if the bad guy can simply use the PII to unfreeze it and then use the PII and credit score to commit fraud?
It seems the freeze is an illusion of safety.
But, in that case, wouldn’t then it just fall back to the usual “check your credit report every so often anyway” for suspicious activity?
There can be some concern in initiating those CRA freezes seeing as how insecure the credit data handling landscape can be here even at the CRA’s themselves, as highlighted by the Equifax breach.
Perhaps could have even been an inside job? Allegations can go many ways.
Brian, it’s hard to believe that personal data stored at Equifax wouldn’t have been encrypted and or some masking of the sensitive data. I’m shocked if the data was in the clear…
Why are you shocked by this? Most large processing system included credit card processors don’t have their data encrypted (logically). Full disk encryption doesn’t cut it – this is how many of them pass their audits btw.
If Equifax can be negligent enough to allow our personal data to be accessed by others, why should we assume they would encrypt that data?
The trouble with encrypting data is that it must be decrypted before use, which means the crypto key must be available on the server. If the server is compromised, so is the key. Encryption is great for protecting data in storage and during transmission, but less good for protecting data that’s in regular use.
Besides, if a CRA is so negligent as to allow our personal data to be accessed, why should we assume that they encrypted the data?
Is the information needed by the credit agencies to thaw or remove a freeze, the same information that was stolen?
Sorry, i realize niw that my question was poorly worded. What I meant to ask was:
If I “forget” my pin to thaw or remove the freeze, is the information used to get a new pin the same as the information that was stolen?
Also, could a criminal put a freeze on my credit using the stolen information? I would not be able to unfreeze my credit. What would happen then?
For the new PIN, here is what they say:
“If you lose the PIN that was issued to you when you added the Security Freeze to your credit file, you may request a new one in writing.
Please provide proof of identification, such as a copy of your driver’s license, passport, birth certificate or other proper identification forms.”
In their list of documents, they include a w2 or 1099 which would be easy to forge… and what monkey do they have validating what is sent anyway? “looks good to me, okay I’ll unfreeze your account…”
For freezing/unfreezing via web or mail, it looks like the same id process is used.
It depends on what you’re doing.
Most of the time, most Americans (and really most people) aren’t applying for new credit.
If you already have a credit relationship with an entity, they won’t be blocked by a freeze.
Fun examples:
1. If you have an American Express card (EU, US, CA, …), and you move to another country, you can use their “Global Transfer” to have them consider your credit history with them in order for them to determine whether to extend you credit (instead of checking w/ the local credit bureaus, with which you won’t yet have a history).
2. If you have a credit card w/ say TD Bank, and you want to apply for a loan from them, they’d be able to consider giving you a loan because of their preexisting credit relationship with you.
I don’t have statistics on how often people buy new cars in the US (or Canada for that matter). But at this time, the loan rates are probably low enough (and sometimes I’ve heard getting a non car loan is better than a car loan anyway) that going w/ your existing bank would be “good enough”. You can probably threaten to leave (taking your business elsewhere) to get a better deal. You should also be able to quote rates to them and negotiate. Sure, you couldn’t easily go elsewhere, but they don’t know that, and IMO the banks are more or less equal.
You could probably also try getting your loans from credit unions [1] instead of banks. Many credit unions are more or less corporations like banks. Some are chartered specifically for a certain Public Benefit. * disclaimer: I don’t have any actual experience w/ this pathway, but you should be able to talk to a credit union and ask them about their protocol (“they want your business, they’ll [try to] earn your trust” * this was someone’s motto, I can’t remember which company).
At the end of the day, there will always be some way to unfreeze your credit. And someone will hack that system (just as someone will hack it to freeze someone else’s credit). But freezing is better than nothing.
Just keep in mind: freezing is (sadly) not a substitute for checking your credit reports annually (from memory the best practice is quarterly, on rotation amongst the big 4). But, freezing will raise the bar a little, and make you a harder target than others.
[1] https://www.thebalance.com/credit-union-loans-315401
Good luck trying to place a credit security freeze with Equifax because their website is overloaded returning a 500 Error:
“System Currently Unavailable – Error 500
We’re sorry. We cannot process your security freeze request online at this time. Please try back later.
To make a security freeze request with the other national consumer credit reporting agencies, please contact Experian and TransUnion:
Experian,P.O Box 9554, Allen, TX 75013 (888)379-3742
TransUnion,P.O Box 6790, Fullerton, CA 92834 (888)909-8872
Thank you for giving Equifax the opportunity to assist you.”
I tried the fraud alert on the other reporting agency sites too and got the same “Server busy, try again later” error at all of them. But I kept trying and it finally took (at Transunion) after about the 50th try. Persistence pays off!
No thanks, Equifax. I think you’ve “assisted” enough already.
If you can’t get through using the automated phone or website forms, just mail your request. Here are some templates to use:
https://www.in.gov/attorneygeneral/files/SecurityFreezeLettersFinal.pdf
The only one missing from the above is Innovis. Be sure to include a copy of your driver’s license and utility bill and a check for each one, except Equifax, which is waived.
On a separate note. What I have been reading on other news sites leads me to think that few people understand how to protect themselves. Some examples are people who put a freeze on Equifax and not the other three bureaus, assuming because only Equifax was hacked, the others do not need to be frozen. Regarding IRS filing fraud, many people seem to think that it only impacts people who are owed refunds. “Just make sure that you don’t overpay the IRS,” was one comment. Of course Krebs’ readers know better, but outside of this site, the news media is doing a terrible job of advising people.
Thanks for the info! What about payment though? I live in a state which requires payment for freezing. I wonder if mailing a check with the request would be sufficient or if it would have to be paid via credit card?
A personal check is fine. I didn’t see a way to use a credit card if you mail in the form.
Brian, thank you so much for being a needed credible voice during this Equifax mess. The increasing evidence of utter incompetence is staggering. This company needs to die a public death.
If hackers were in Equifax’s systems and copied all those records, how do we know they didn’t diddle with the rest of them? If Confidentiality was breached because of sloppy security, how about Integrity? Did they do anything to mitigate that risk like restore from backup or audit the records for accuracy to reassure the customers paying for this data? If not, how can their customers trust their credit reporting data anymore? This compromises the credibility of their product compared to their competitors, how are they going to survive as a business once their customers realize this?
A couple of things: Your website links at the top of the page are inactive.
Your link to the CA Attorney General site was fascinating and a real shock to see just how many breaches there are. One caught my eye, on 7/31 Delaware North (who used to run National Parks logistics out here). I suspect that they don’t take the requirement to notify too seriously: https://oag.ca.gov/system/files/Sample%20Letter_4.pdf
Cheers
Graham, I’m going to bet that you’re using adblock and that you are blocking ads on my site. If that’s the case, please add an exception for this site. There is zero third-party content served on this site, and the handful of ads that you see running here are all hosted in-house and have been vetted by me personally. If you add an exception for this site, I think you find that those links at the top of the page will work.
I know companies often have you sign, even digitally-sign, agreement to checks and sometimes list the name of the data housing organization.
Check with the card issuer.
I am a banker in Nebraska. In light of the Equifax breach I decided to freeze my credit. I went onto Experian and no problem. I tried to go onto Equifax and they are overloaded, so will have to go back. Went to Transunion and they have a credit freeze or a credit “lock” the lock says it is free and you have control over locking and unlocking instantly. So it sounds the same as a freeze but without the hassle and time of a freeze. Do you know about this? Is the lock as good as the freeze?
Here’s what Brian had to say about TransUnion’s Credit Lock in his article above – and I agree. I was able to finally find the link to place a freeze but only after running a gauntlet of attempts by Transunion to get me to sign up for the Credit Lock service.
“I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).”
Hi Brian,
Great article. Quick Question for you:
is it still common sentiment that PRBC isn’t a credit bureau to worry about freezing?
I notice on one of your articles (embrace the credit freeze) a comment saying it’s not debt related so don’t worry about it.
I don’t know. But you remind readers of an interesting point and big part of any change in the law that needs to come in response to this breach: There are dozens of credit reporting bureaus that aren’t anywhere near as big as the big three or four. Any kind of reform of the system that seeks to streamline things for consumers really needs to bear this in mind.
Thank you for your great work in helping people on Cybersecurity.
Best,
-Min
Well, now that it’s the day that I’m supposed to be signing up for trusted premier – it’s not even available on the site they say to go to. I just get another form with another date to try. Zero trust in Equifax now. Glad I already had a credit freeze!
P.S. Thanks so much Brian for being a voice of sanity in this time of big business stupidity!
Brian,
First, thank you for your reporting, and also giving people the opportunity to vent, discuss and inform.
I believe some of your readers may be interested to hear the Sen Ron Wyden of Oregon has today announced a Bill to prevent CRAs from charging a fee to freeze/unfreeze credit reports.
I urge everyone to contact their Senator to support this bill.
Although we really need a central repository to which the CRAs should defer (we shouldn’t need to contact nearly 40 of them one by one), this bill is a least good start.
Thanks for the great info – question do I need to be worried if my credit was frozen prior to the Equifax Breach?
For now, I’m not freezing anything. Here’s why:
* Doesn’t protect existing lines of credit.
* Doesn’t protect against any of the many other ways our information can be misued aside from opening new lines of credit.
* Given the enormous volume of freezing and unfreezing that can occur on a daily basis, it’s likely that the procedures currently in place, which were not created with this transaction volume in mind, will eventually fail at some point or themselves be attacked.
* Freezing can cause unanticipated problems for consumers when an automated system is unable to receive a credit report, as your readers are discovering.
Of course it’s understandable that people want to do ‘something’ quickly to protect themselves. However, the present solution provides a false sense of security while causing inconvenience, uncertainty and ongoing nickle-and-dime expenses. And as currently constituted we will be freezing and unfreezing our credit reports for the rest of our lives (and beyond, until our executors settle our estates.)
Credit reporting agencies or the government need to step up and provide a more comprehensive and reliable solution. Until that happens, vigilant monitoring of all our financial and legal records – not only credit reports – combined with quick action on our part when something doesn’t look right, is the best course of action. That’s my plan.
Steven, these arguments are so misleading as to suggest that you are not a disinterested commentator. They all involve logical fallacies, not least, the “generalizing” fallacy, where you suggest that because freezing does not offer complete protection at no cost, people should reject it, even though in fact it is their only good option at this point as the first line of defense. Monitoring is useful, but it is remedial, not preventative. Also, I take umbrage at your suggestion that freezing may cause “unanticipated” problems; this is classic fear-mongering. The inconveniences that it causes are mostly, although not entirely, controlled, predictable, and manageable. The exception here is where credit cards and drivers’ licenses used to place freezes were compromised, and that lies at the door of Equifax’s malfeasance.
The best reason not to freeze an account is that it costs $10 to do it, and to undo it. Not because this is a meaningful amount of money–but only because that fee goes to the beast that should be starved, and is, by definition, acceding to blackmail. If an individual can get the freeze for free, it is the obvious way, first, to protect oneself even minimally, and second, to harm these predatory gossip-mongers by denying them the value of one’s information.
I had freezes in place, at the big three, and I’m glad. This breach may vitiate the utility of those freezes if the credit bureaus continue to use the accessed information as authentication; and if so, that will be yet another cause in the class action lawsuit.
Personally, I think what we are seeing is the tip of the iceberg. More information will surface in the pre-trial process.
Equifax just fell into the piranha tank.
I have tried every day for 3 days repeatedly to place a freeze on my data for ALL 4 credit reporting agencies. After filling out data over and over again not one site has put the freeze through. Phone calls are also useless, probably due to the volume. This is all a huge sick joke at the expense of consumers.
Phone calls have always been useless. I put my freezes on years ago; there was no way to talk to them when the process failed to yield a pin (probably due to NoScript on Firefox. Still worth it). If “people” are calling the credit bureau for any reason, it will be bad for the credit bureau. It’s not as if you are there to help them, give them real money, or cause them anything but problems. A farmer has better grounds to go see what all the mooing is about than Equifax has to answer your phone call.
Is creating a Social Security account online a good idea to protect yourself ? Considering someone else can create one with your number and information?
I have tried for days by phone & on line to put a freeze on Equifax. when I finally got through by automated phone I was told I already have a freeze but I did not put a freeze on. I do not have a pin # because “I DID NOT PUT THE FREEZE ON” What stops the thief who has all my personal information from putting a freeze on my credit, getting a pin number & they now have control of my credit. I cant get anyone from Equifax on the phone to discuss this with. How can I fix it?
Do you think it would be possible to file an IRS Form 14039
Identity Theft Affidavit and just check the box that says “I don’t know if someone used my information to file taxes, but I’m a victim of identity theft”? Then just explain with the Equifax breach you believe you may be a target for identity theft? It’s not clear whether the IRS would reject any request for an ID.
Good luck getting your report or freezing right now.
The freeze page for Experian lands you at “we couldn’t find that page,” and I was not able to get any reports, either because the service was “unavailable at this time” or “Due to the Equifax data breach we are experiencing extremely high volumes and cannot fulfill your request at this time. We sincerely apologize and ask that you try again later.”
Hooray for good data security.
Once your credit reports have a security freeze in place, is there any indication or confirmation of the freeze if you pull a copy of your own credit report?
My understanding is that you can still view your own credit reports once a security freeze is active from, say AnnualCreditReport.com. Given the lax nature of Equifax, it would be helpful to see something like “Security Freeze Active” on your credit report in order to confirm that Equifax has actually put the security freeze in place. If not, is calling the credit bureaus the only other way to confirm that a security freeze is active? It would be nice to have something in writing.
Brian,
There is another bureau, Google. They are collecting your accounts information from Gmail.
I googled “Pay DishTV bill” and they listed all of my bills for the past three months and the pay amount.
I had no idea they were keeping a bureau account on me. This is creepy and in my opinion a data breach. Anyone could have borrowed my computer and seen these results without having to use a password.
Regards.
This is really surprising. I’m not a Dish TV customer, but googling “Pay DishTV bill” comes up with a similar list for me. I wonder if Google is tracking our bills via gmail bill notices.
To be honest, I would be glad if Google took over for Equifax. Google understands security far better, and I don’t think Google would have been hacked–not to mention that Google offers excellent security standards such as U2F security keys as a second factor.
I have never put my SS# online for any reason. Now I find that getting my credit reports requires this, especially from the Annual Credit Report site, that does all three bureaus, but does not offer a way to contact them via phone.
Won’t putting my SS#, address, all other required information, online just put me at greater risk for future breaches?
signed up for the free TransUnion TrueIdentity service. the “TransUnion Credit Report Control Lock” looks like it is NOT the full Credit Freeze. If you look at their information, it reads like the transunion credit lock still allows creditors, lenders, employers, landlords to view your credit report, but the Lock will block “others”. It’s like you get it locked, but you don’t have to unlock it for typical situations of getting loans, new job, new place to rent. they do not specifically mention the situation of getting new credit cards? does that apply to creditors still being allowed to look at your credit report when there is a credit lock? or do credit cards come under “others” that are blocked??? (note: equifax has their Equifax Credit Report Control Lock” and Experian has their “Experian CreditLock” and my current guess is they are the same as the equifax credit lock.) here’s a cut & paste for the “Transunion Credit Report Lock” :
Credit Lock
Credit Lock gives you the ability to lock & unlock your TransUnion credit report at the touch of a button — putting you in control of your credit.
Status: LOCKED
Unlock My TU Credit Report
About this feature
Creditors, lenders (when you apply for a loan), landlords and employers can request and view your credit report.
Locking your TransUnion Credit Report blocks others from looking at it, which may serve as a critical step in preventing an identity thief from applying for credit in your name.
Credit Lock is part of your subscription* and carries no additional charge.
You can’t use Credit Lock if you have a security freeze on your TransUnion Credit Report.
Activating your Credit Lock service:
Monday-Saturday, 2 a.m.-11 p.m. Central Time
Sunday, 5 a.m.-11 p.m. Central Time
*If you decide to cancel your subscription, the Credit Lock benefit will not be available to you and your credit report will be unlocked.
How does a credit freeze affect married individuals? Does each person in the marriage need to file a freeze?