Equifax Data Breach: What to do

Here we go again: Another massive data breach, reminding us how vulnerable we are to thieves seeking our personal information and identity. Last week, credit monitoring company Equifax announced that a “Cybersecurity Incident” had exposed names, Social Security numbers, birth dates, addresses and, in some cases, driver's license and credit card numbers, from a whopping 143 million Americans. “Incident” sounds a little tepid for the magnitude of this event, but more critically, consumers who were instructed to go to the Equifax emergency web site, equifaxsecurity2017.com to determine if their information had been compromised, ran into a brick wall: After entering the required information, people could not get confirmation about whether or not they were affected.

According to Equifax, as of September 8, "That issue is now resolved, and we encourage those consumers to revisit the site to receive a response that clarifies their status."

Additionally, the protection service (“TrustedID”), which came under immediate scrutiny, was also updated. Initially, consumer advocates warned that the terms of the service could potentially restrict your legal rights, by preventing enrollees from participating in any class-action lawsuits that may arise from the incident. The company responded by stressing that there would be "NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT...we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

The free service has other issues, according to credit expert John Ulzheimer, “You’re only going to get it free for one year” and chances are, your liability is going to last longer. Additionally, it “only applies to your Equifax credit report, and not your credit reports at Experian and TransUnion. That’s like locking one of the three doors to your house.”

If you are a victim of this (or any) breach, here’s what to do -- the whole process took me about an hour to complete:

  • Contact one (under Federal law, each is obligated to notify the other two) of the three credit bureaus Equifax (800-766-0008), Experian (888-397-3742) and TransUnion (800-680-7289) to put a free fraud alert on your credit report. You should also contact a fourth, lesser known company Innovis. The alert makes it harder for an identity thief to open more accounts in your name, but experts note that alerts usually just slow down the process of criminals opening accounts in your name, they don’t prevent it. The alert lasts 90 days but you can renew it, and the alert entitles you to a free credit report from each of the three companies.
  • If someone has used your information to make purchases or open accounts, file a complaint with the Federal Trade Commission and print your Identity Theft Affidavit. Use that to file a police report and create your Identity Theft Report.
  • Place a credit-freeze on your credit file, which generally stops all access to your credit report. Unfortunately, you need to contact all three companies to freeze your file. Here are the links: Equifax; ExperianTransUnion and Innovis. Important note about a freeze: If you need to access credit, you have to unfreeze your records, which can take a few days. The availability of a credit freeze depends on state law or a consumer reporting company’s policies. Some states charge a fee for placing or removing a credit freeze, but it’s free to place or remove a fraud alert.

I hate to make you paranoid, but after interviewing pros, like Ulzheimer and professional hacker Kevin Mitnick, I am convinced the question is not if your information will be compromised, but when. Criminals are actively stealing your passwords, buying and selling your data and reading your emails. There is no single way to protect your coveted identity, but here are five best practices to employ to keep the criminals at bay.

1) Guard your information:

  • Refrain from providing businesses with your Social Security number just because they ask for it. Give it only when required. (Medicare recipients take note: your SSN is printed on your Medicare card, so be careful with it!)
  • Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact or you know with whom you are dealing. This is especially important to communicate to older relatives or friends, who are prime targets of fraudsters
  • Beware of over-sharing on social media, where criminals are finding treasure troves of information. Because they are explicitly targeting children under the age of 18, it’s important for parents to talk to their kids and explain why it is so dangerous to share too much personal information on line

2) Protect your Password: You know the drill: you should be changing logins and passwords monthly and sign up for two-factor authentication for those sites that use frequently.

3) Shop carefully: Stop sending your credit card information on unsecured wireless networks and when making purchases, use a credit card, which has more fraud protections under federal law than debit cards or online payment services.

4) Review credit card statements: Before you pay, be sure that you spend a few minutes to make sure that there are no fraudulent charges. While you’re at it, enroll in a credit card notification program, where the bank alerts you to charges over a set amount.

5) Review your (and your kid’s, for reasons mentioned above) credit report every 12 months at annualcreditreport.com. You want to make sure that nothing fishy has cropped up. If you find an error, report it immediately and stay on top of the process.