On September 7th, the U.S. credit reporting company Equifax announced they had suffered a massive data breach some months earlier.
Equifax’s handling of that breach has since been termed a “dumpster fire” by noted journalist Brian Krebs. Their instructions, website, and tools to help you determine if you’ve been impacted have been nothing short of a total mess. The term I’d use instead of dumpster fire isn’t appropriate for a family publication.
All indications are that if you’ve ever had a credit report, your information is likely part of this mess. Even if you’re not sure, it’s best to assume it.
So. What now?
It’s not about passwords
Most of the breaches I discuss are serious because they include account IDs and (hopefully hashed) passwords. The theory is that attackers could use that information to access your existing accounts.
When that’s the case, the general advice is to change the passwords on any affected accounts and make sure that you’re not using the same password on multiple accounts.
While the latter is always important advice (even when you’re not the subject of a breach), changing your passwords won’t help in this case.
Passwords weren’t involved.
It’s about personal information
The stolen information is said to include:
- Names
- Social Security numbers
- Birthdates
- Addresses
- Driver’s license numbers
In addition, some people had their credit card numbers and credit report dispute documents (which include personal identifying information) stolen as well.
The hackers apparently have had access to all this information for a couple of months.
Why this is bad, very bad
Two words: identity theft.
Consider just the first four items in the list above: names, Social Security numbers, birthdates, and addresses. That’s generally enough to open a credit card account in your name — a credit card account hackers could use and that the credit card company will think is your responsibility.
There are more scenarios beyond just credit cards. Most probably involve getting credit or loans in your name without your consent or knowledge. You are then faced with having to contest those charges, and may have trouble using your credit legitimately, since the hackers will have tarnished your good reputation in the eyes of banks and creditors.
What you can do next
The single most important thing you can do is simply pay attention. Pay attention to your bills, credit cards, paper junk mail, and to what looks like spam that lands in your inbox.
Watch all your monthly bills for unexpected charges. This isn’t limited to credit cards, but any charge for which you are notified via paper or electronic mail. If they’re not legitimate, contact the company immediately.
Monitor your credit cards closely. In my opinion, simply reviewing the paper statement once a month isn’t enough. I enable online access and check more frequently — every few days or at least once a week. In addition, I use credit card services that notify me by text or email each time a charge over a certain amount is made. If I can, I set it to any charge over $1, so I know exactly what’s happening. If you see something suspicious, contact the credit card company immediately.
Open the junk mail in your physical mailbox. Often the first notification that something is amiss is a statement or welcome letter from an account you’ve never heard of. You’ve never heard of it because you didn’t open it — the identity thief did. If it looks like someone opened an account in your name you did not authorize, contact the company immediately.
Watch the spam that lands in your inbox (#1). What you think is spam, because it’s about a company or an account you don’t have, could potentially be “legitimate” in that it’s actually from the company mentioned, and you do have an account with them … an account opened by an identity thief. If you suspect that’s the case, contact the company immediately.
Watch the spam that lands in your inbox (#2). Phishing attempts are likely to be on the rise. Using the stolen information, hackers craft even more convincing (yet fake) emails trying to get you to fall for their schemes. Pay extra close attention to all email that leads you to log into your bank, credit card company, or any other website that deals with your personal information. Never click on the link to those sites in email, but instead go to those sites using your own links and bookmarks.
If you find you are the victim of identity theft, even for just a single account, it’s important to contact law enforcement as well. Many of the remedies and mitigations rely on a police or other formal report being filed.
What you might consider
Part of the mess that is Equifax’s handling of this situation revolves around a tool on their website set up to help people determine whether or not they are impacted by the breach. As I write this, it’s poorly constructed and exceptionally uninformative. I honestly can’t recommend using it just yet.
The traditional response to identity theft is to set up a credit lock or credit monitor on your credit reports. It’s a hassle you have to do yourself with each of the three major credit reporting companies: Equifax, TransUnion, and Experian. There are two problems:
- How can we trust Equifax to get it right, in light of this massive breach?
- Depending on where you live, it may or may not be free. In my state (Washington), I’m required to actually be a victim of identity theft, with a corresponding police report to prove it.
I have to admit I’m seriously considering it anyway. I’m also paying attention to any activity on any of the free credit reporting sites, such as Credit Karma. (Important: there are many misleading “free credit report” sites out there. The official site to get your free annual credit reports, as confirmed by the FTC, is annualcreditreport.com.)
An alternative is a more restrictive credit freeze, which is something embraced by Brian Krebs, and something I’m now also considering.
As I said above, it’s important to pay attention to what’s happening to your money and your credit. With random threats, breaches, and hacks happening periodically, that’s good advice even without the Equifax mess.
More details about the Equifax breach will no doubt come to light in the coming days, hopefully along with more concrete ways to determine if you’re impacted. Keep your eyes on the news and other information sources to keep up-to-date.
2017-09-14: I did end up freezing my credit with Equifax and Experian, and signing up for the free tier of TransUnion’s “TrueIdentity”, which also allows you to “lock” access to your credit profile. The process was not painful, and all accomplished online. Equifax was free, having removed the fee for a credit lock until the end of the month at least, and I paid Experian $11 (the fee is based on what state you live in). If you freeze your credit: DO NOT LOSE THE PIN you’re assigned. Seriously, I can’t overstate the importance of having that PIN should you need to unlock your credit for any reason.
2017-09-14 #2: I also just received my first spam mentioning the Equifax breach specifically. It’s likely a phishing attempt in the guise of a free credit report offer. Never respond to or act on unsolicited requests like that. They are almost certainly bogus. Instead, go to known resources — such as those I’ve listed above — yourself.