Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

What the Equifax Breach Means to You

On September 7th, the U.S. credit reporting company Equifax announced they had suffered a massive data breach some months earlier.

Equifax’s handling of that breach has since been termed a “dumpster fire” by noted journalist Brian Krebs. Their instructions, website, and tools to help you determine if you’ve been impacted have been nothing short of a total mess. The term I’d use instead of dumpster fire isn’t appropriate for a family publication.

All indications are that if you’ve ever had a credit report, your information is likely part of this mess. Even if you’re not sure, it’s best to assume it.

So. What now?

Become a Patron of Ask Leo! and go ad-free!

It’s not about passwords

Most of the breaches I discuss are serious because they include account IDs and (hopefully hashed) passwords. The theory is that attackers could use that information to access your existing accounts.

When that’s the case, the general advice is to change the passwords on any affected accounts and make sure that you’re not using the same password on multiple accounts.

While the latter is always important advice (even when you’re not the subject of a breach), changing your passwords won’t help in this case.

Passwords weren’t involved.

It’s about personal information

Dumpster FireThe stolen information is said to include:

  • Names
  • Social Security numbers
  • Birthdates
  • Addresses
  • Driver’s license numbers

In addition, some people had their credit card numbers and credit report dispute documents (which include personal identifying information) stolen as well.

The hackers apparently have had access to all this information for a couple of months.

Why this is bad, very bad

Two words: identity theft.

Consider just the first four items in the list above: names, Social Security numbers, birthdates, and addresses. That’s generally enough to open a credit card account in your name — a credit card account hackers could use and that the credit card company will think is your responsibility.

There are more scenarios beyond just credit cards. Most probably involve getting credit or loans in your name without your consent or knowledge. You are then faced with having to contest those charges, and may have trouble using your credit legitimately, since the hackers will have tarnished your good reputation in the eyes of banks and creditors.

What you can do next

The single most important thing you can do is simply pay attention. Pay attention to your bills, credit cards, paper junk mail, and to what looks like spam that lands in your inbox.

Watch all your monthly bills for unexpected charges. This isn’t limited to credit cards, but any charge for which you are notified via paper or electronic mail. If they’re not legitimate, contact the company immediately.

Monitor your credit cards closely. In my opinion, simply reviewing the paper statement once a month isn’t enough. I enable online access and check more frequently — every few days or at least once a week. In addition, I use credit card services that notify me by text or email each time a charge over a certain amount is made. If I can, I set it to any charge over $1, so I know exactly what’s happening. If you see something suspicious, contact the credit card company immediately.

Open the junk mail in your physical mailbox. Often the first notification that something is amiss is a statement or welcome letter from an account you’ve never heard of. You’ve never heard of it because you didn’t open it — the identity thief did. If it looks like someone opened an account in your name you did not authorize, contact the company immediately.

Watch the spam that lands in your inbox (#1). What you think is spam, because it’s about a company or an account you don’t have, could potentially be “legitimate” in that it’s actually from the company mentioned, and you do have an account with them … an account opened by an identity thief. If you suspect that’s the case then contact the company immediately.

Watch the spam that lands in your inbox (#2). Phishing attempts are likely to be on the rise. Using the stolen information, hackers craft even more convincing (yet fake) emails trying to get you to fall for their schemes. Pay extra close attention to all email that leads you to log into your bank, credit card company, or any other website that deals with your personal information. Never click on the link to those sites in email, but instead go to those sites using your own links and bookmarks.

If you find you are the victim of identity theft, even for just a single account, it’s important to contact law enforcement as well. Many of the remedies and mitigations rely on police or other formal report being filed.

What you might consider

Part of the mess that is Equifax’s handling of this situation revolves around a tool on their website set up to help people determine whether or not they are impacted by the breach. As I write this, it’s poorly constructed and exceptionally uninformative. I honestly can’t recommend using it just yet.

The traditional response to identity theft is to set up a credit lock or credit monitor on your credit reports. It’s a hassle you have to do yourself with each of the three major credit reporting companies: Equifax, TransUnion, and Experian. There are two problems:

  1. How can we trust Equifax to get it right, in light of this massive breach?
  2. Depending on where you live, it may or may not be free. In my state (Washington), I’m required to actually be a victim of identity theft, with a corresponding police report to prove it.

I have to admit I’m seriously considering it anyway. I’m also paying attention to any activity on any of the free credit reporting sites, such as Credit Karma. (Important: there are many misleading “free credit report” sites out there. The official site to get your free annual credit reports, as confirmed by the FTC, is annualcreditreport.com.)

An alternative is a more restrictive credit freeze, which is something embraced by Brian Krebs, and something I’m now also considering.

Stay Alert

As I said above, it’s important to pay attention to what’s happening to your money and your credit. With random threats, breaches, and hacks happening periodically, that’s good advice even without the Equifax mess.

More details about the Equifax breach will no doubt come to light in the coming days, hopefully along with more concrete ways to determine if you’re impacted. Keep your eyes on the news and other information sources to keep up-to-date.

Updates

2017-09-14: I did end up freezing my credit with Equifax and Experian, and signing up for the free tier of TransUnion’s “TrueIdentity”, which also allows you to “lock” access to your credit profile. The process was not painful, and all accomplished online. Equifax was free, having removed the fee for a credit lock until the end of the month at least, and I paid Experian $11 (the fee is based on what state you live in). If you freeze your credit: DO NOT LOSE THE PIN you’re assigned. Seriously, I can’t overstate the importance of having that PIN should you need to unlock your credit for any reason.

2017-09-14 #2: I also just received my first spam mentioning the Equifax breach specifically. It’s likely a phishing attempt in the guise of a free credit report offer. Never respond to or act on unsolicited requests like that. They are almost certainly bogus. Instead, go to known resources — such as those I’ve listed above — yourself.

Podcast audio

Play

51 comments on “What the Equifax Breach Means to You”

  1. Whatever you do, don’t take advantage of Equifax’s free credit monitoring. The fine print signs away your rights to participate in a class action suit against them.

    I checked my Social Security number on Equifax’s website, and they said if didn’t appear to be breached. I’m sure that’s a lie as I’ve had a pretty good amount of activity on my credit card accounts this year including opening and closing accounts etc., all of which involve hard enquiries.

    Reply
    • I read another article stating that waiving your rights to class action wouldn’t hurt much as class action suits generally only yield two figure paybacks. I once collected on a class action suit and collected the grand sum of nine dollars and change. I don’t expect a class action suit as this is almost guaranteed to bankrupt Equifax. If everyone freezes their Equifax accounts, all of the banks and rental agencies will go to the competition.

      Reply
    • I too tried the Equifax site to see if I was affected. The thing I noticed was that the result came back almost instantly. It seems unlikely that they could search a database of any size and return a result that fast. I’m very suspicious. They may be checking only the 200K or so names in one particular area of the breach.

      Reply
      • The fact that results came up instantly are not an indication of a fake search. As long as the file is indexed by name and last 4 digits of your Social Securtiy number the search would only take milliseconds.Where my mistrust comes in is the fact they covered this up for so long.

        Reply
  2. This past month I’ve noticed a huge surge in phishing e-mails coming in from .biz, .trade, .club, and a few other domain groups, to the point I asked my Host if they could block entire domain extensions on the incoming side. I wonder if this is related to the data theft?

    Reply
  3. so much of this is because of all the info EVERY company wants. Doctors office, 1st they want is your SS #. It’s right there on your medicare card, your drivers license. Paying bills? Yes, again, SS#. When i first got my SS card, my dad drummed it into my head to protect that number. I whited out my SS on medicare card. went to get the new, secure drivers license that will be required by 2020 since needed a change of address anyway. Had my passport. paid bills. birth certificate. Did i get the new license? Nope. They wanted my SS, oart was my birth cert could not be used because it had my maiden name on it!! Do other woman cart their marriage licenses around with them? And yes, got a bit excited here but this just happened to me so it’s ver fresh.

    Reply
    • I never give my SS number to anyone. Doctors and dentists ask on their forms but I leave it blank and they never ask for it. It’s my understanding that you can’t legally be required to provide it except to employers or financial institutions. Those are folks that have to report your earnings to the government. Anyone else, forget it.

      Reply
  4. One thing that I believe would mitigate this problem is if banks and credit reporting agencies would implement two-factor authentication. If the credit reporting agencies would have an option for you to register (a) cell phone number(s) and email addresses where anyone wanting to access your credit report would then have to enter an authorization code which you give them.

    Reply
  5. Be advised that for a married couple each one must do the freeze individually @ each of the credit reporting agencies. Equifax, Experian, Transunion & there is a fourth. It’s called Innovis.

    Reply
  6. You an check at the Equitax website to see if your data was on nvolved in the breech. If not (like my wife and I) there is nothing to do or get worried about.

    Reply
    • Are you kidding! The fact that Equifax was breached renders their assurance that you were not affected worthless. These folks have no idea what they are doing. Security was an after thought. Read Brian Krebs articles about their “security” at the Argentina branch.

      Reply
    • It’s actually unclear if that’s the case. Their website has been SO screwed up I think it’s a mistake to believe the results. Safer to assume the worst.

      Reply
  7. Relax everyone. This is nothing new and nothing worse than any other “breach”. Besides, Equifax (and the other credit agencies) are in the business of selling your information, so what does it matter if someone else stole your information from Equifax? I t’s out there anyway. Also, just because they claim that 143 million accounts were stolen, it doesn’t mean that 143 million accounts have actually been subjected to identity theft. This is just the beginning: supposedly this breach occurred in March and it’s only now that we find out about it. And as one would expect from any good corporate management, team the “143 million” number is very likely a lie and a gross underestimate. There are rumors out there that if your check your information on the Equifax site at different times you’ll get different results as to whether your information was subject to this hack.

    Leo’s suggestions for checking your accounts and not responding to solicitations are good ones. With almost any financial institution (bank, investment, credit card) you can set up alerts for be informed of any account activity or anomaly. These types of alert systems are far better and quicker than any third party company claiming to do “monitoring”. Besides, all that monitoring is going to tell you is that you’ve already be violated.

    About “monitoring” companies: It should go without saying that the more information you put out there (online), the more at risk you are. When you send your SSN to a monitoring company or a site such as Credit Karma, you are broadcasting you SSN to the entire internet (… yes, don’t get too complacent with https and the cute little pad lock symbol on the website address). When you call Equifax to put on a credit freeze, you are giving someone in the Philippines your vital information.

    Reply
    • “nothing worse than any other “breach”. ”

      I disagree with this statement. Most breaches are of credit card numbers which impose no financial loss on you even if fraudulent charges are made. Also, you can get a new card number fairly easily.

      In this case those pieces of information that specifically identify you were stolen (SS number, birth date) and you can’t get new ones. You are stuck. Once they are out there you can never get them back.

      I agree that the information is already out there but the assumption is that you gave it to responsible people who have secured it. Granted, this may be a bad assumption but generally your info has not been collected into a large database and made available in a single place with no security until Equifax accomplished that trick.

      Reply
    • This is much different than any other breach. A breach where credit card numbers or account passwords are stolen can be remedied by changing your credit card numbers and/or passwords. This breach includes stolen names, Social Security numbers and birthdays which can’t be changed, unless this breach forces the government to reissue everyone a new Social Security number at a cost of billions (never gonna happen). With those three pieces of information, a fraudster can open almost any kind of account in your name. I know, it was done to me by an ex-friend.

      As for your Social Security number being out there, if you haven’t inadvertently given it to the wrong people, only financial institutions would have lists of Social Security numbers. For older people, what I say isn’t fully true, because previously, some states used Social Security numbers as driver’s licence numbers, and some universities used Social Security numbers as student ID numbers etc. But there were no major breaches resulting from any of those.

      Seriously this is big.

      Reply
      • The SSN is not a secret and it was never intended to be a security “feature”. Let’s see now, who has your SSN (including the last 4 digits)? The IRS has your SSN, of course. Did you panic when in 2015 the IRS was hacked, and then again in 2017? Your bank has your SSN and so does every bank you’ve ever used. Your cable company, your phone company and your doctors (typically) have it. The mortgage company for every house you’ve owned or every apartment you’ve rented (unless you’ve only rented from your grandma). Every one of your credit card companies has your SSN. Certainly the credit agencies and all their affiliates have your SSN. All government agencies have it (or have access to it if they want it). Your state government has it. Your every employer has it. It’s on your Medicare card! Your schools and school financial aid organizations have it. Every insurance company you’ve used has your SSN. Every car dealership where you’ve financed a car. Etc., etc.

        What other recent data breaches have there been involving SSN? Many. Anthem Health Insurance, IRS, Government’s OPM. Here is an interesting compilation of 2016 breaches involving SSN http://www.idtheftcenter.org/images/breach/2016/ITRCBreachStatsBreachExposingSSNSummary2016.pdf (of course, this is information from the Internet, so caveat emptor).

        I’m not saying that bad things won’t happen if bad guys target YOU and steal your identity information, but you have to put it into perspective. YOU are not hacked until YOU are, in fact, hacked. In the mean time, this is Equifax’s problem – until the next major database is hacked.

        Reply
  8. Thanks Leo – good information as usual. We also live in Washington state. According to Washington state law, there is no charge to freeze, unfreeze, or temporarily lift a freeze your credit if you are age 65 or older, or a victim of ID theft. I’m under 65, and I paid $10 to freeze my credit on each agency. My wife is over 65, and her cost was $0 at all three agencies.

    Reply
  9. i just placed a freeze on my credit with experian. now i find out it don`t cover all 3 bureaus anymore.
    gotta pay the other two for a freeze too. this is gonna generate some cash for them all.
    i wouldn`t be at all surprised if a different company has a breach next year.

    Reply
  10. Several years ago both my wife and I placed freezes with all three credit bureaus. Fortunately for us, it is free in New Jersey. Every once in a while I will check to see if the credit freeze is working by applying for a credit card. So far, each time I apply I get a response from the issuing bank that they cannot verify (me). That means the freeze is working.

    Reply
  11. . Why do they let people open accounts so easily, without contacting me first. I will sue any company that allows an account to be opened in my name that easily. They should be locked up.

    Reply
  12. Thank you, Leo!!! I was vacillating between freezing vs. waiting while checking my credit cards, and you convinced me to go the freeze route and I feel better already. I did the main three – someone up above said there is another (Innovis). Did you freeze that one too?

    Reply
  13. From nytimes.com:
    Equifax confirmed that the breach involved a bug in Apache Struts, and identified the specific vulnerability. This security weakness was publicly identified in March and a patch to fix it had been available since then. That means Equifax could have worked to plug the hole using readily available instructions two months before the breach occurred but did not. Within three days of the vulnerability being revealed, public reports said that hackers were already exploiting the bug on websites. Had Equifax followed the advice of the community of software developers who oversee Struts, “this breach would not have occurred,” said Oege de Moor, the chief executive of the security firm Semmle. Mr. de Moor said that the publicly available instructions for patching the bug were “clear and simple.”

    But let’s continue cutting rolling back regulatory oversight because we know that is just needless red tape …

    Reply
  14. Three points.
    The first is a question. Does this just affect US & Canada folks or other counties as well (I know most of your readers are Americans, but there is a world outside that continent)
    Second “But let’s continue cutting rolling back regulatory oversight because we know that is just needless red tape” The finance industry is the most supervised industry in the world, and still comes up with appalling stuff-ups because the style of supervision is inappropriate to detect the basic faults of omission: Equifax failed to patch software. The style of industry supervision doesn’t cover that.
    Third Consider sourcing your credit card from a bank that is NOT the one in which you hold your savings – so if the card is hacked there is no track back to your deposit account

    Reply
    • I believe this would only affect the US, Canada and UK. Other countries have their own financial reporting agencies. Some other countries may use Equifax, but no other countries were reported to have been affected by the breach.

      Reply
  15. Is clicking on an UNSUBSCRIBE URL in an email as dangerous as clicking on other URLs? I usually NEVER click on URLs in unsolicited emails and frequently delete emails from friends that only contain URLs, but I was getting inundated by numerous daily spam emails since my credit card was hacked on 7-26. I now know I was affected by the Experian breach, but thought that since my credit card company immediately canceled my card on 7-26 that everything would be fine. Experian wouldn’t issue a credit report to me online in August, stating that I had to mail in additional information. Now I will be freezing my reports, but was wondering specifically if clicking on an unsubscribe URL is just as bad as any other URL in a spam email? Any thoughts would be appreciated.

    Reply
    • In my opinion, an UNSUBSCRIBE URL would have the same danger as any URL in emails of dubious origin. Spam emails might be expecting these to be clicked, and therefor they might be more dangerous. I usually do some detective work to try to verify that it is an actual and legitimate URL before clicking, or just delete the email untouched.

      Reply
      • That spam from legitimate companies may not legally be spam, but by definition, it’s spam. If it is a legitimate company, it would only send you emails if you’ve requested it or purchased or used one of their products or services. Of course, it’s safe to unsubscribe from those. Unfortunately, in some cases, it’s hard to distinguish.

        Reply
        • I’m not talking about the legal definition of spam in that comment. In fact, I posted a link to that same article in an other comment. I’m saying that the definition of Spam is unsolicited email. If I didn’t ask for it, it’s spam, regardless of any laws the lobbyists manage to get the politicians to vote for through campaign donations. I follow those criteria when marking an email as spam. I don’t like legal spam either, and it’s my right to mark it as spam.

          Reply
        • ‘I don’t like legal spam either, and tit’s my right to mark it as spam.’ – Sure. Of course it’s your right. My point is simply that the best way to stop unwanted emails – whether solicited or unsolicited – from legitimate companies is to unsubscribe.

          Reply
      • As a blanket statement I disagree. If I never signed up myself, and never did business with them, then it’s still pure spam and must be treated as such. (I get this kind of stuff frequently.) If it’s someone you did business with, or they have some legitimate reason to have your email, then you can consider “unsubscribe” … but even then, if their emails become obnoxious, or they claim 7 working days to remove you from their list … “spam” it is.

        Reply
  16. Perhaps Equifax could explain why their Information Security Chief had only a college degree in Music. They tried to scrub that fact from various websites, then let her and the IT chief retire. The incompetence at Equifax goes all the way to the top.

    Reply
    • If enough people set up a lock with Equifax, I imagine banks and credit card companies will switch to other credit reporting companies and could put Equifax out of business.

      Reply
        • I understand that many will block all 3 or 4, but since it’s free and many have a specific fear of Equifax, there will be a whole lot more freezing Equifax. In any case, with millions freezing their accounts, the whole consumer financial business industry will probably take a hit.

          Reply
    • “… The incompetence at Equifax goes all the way to the top” is an understatement! The first I heard of the breach was a news report that the SEC is investigating several of Equifax’s executives for insider trading because they dumped their stock before the breach was announced!

      Reply
    • Leo said this in response to someone else’s question about lifelock:

      “Years ago LifeLock was able to automate the process of freezing your credit for you at all three of the credit bureaus. They didn’t like that and forced legislation to prevent LifeLock from providing that valuable service.

      Now, to be honest, I’m not sure *exactly* what LifeLock does, if they can’t do that. My approach has been to simply freeze my credit myself.”

      Reply
    • All LifeLock can do is to tell you, after the fact, that your information has been hacked or used. The complete level of monitoring is not provided except for the most expensive plan, so if you go for the lower cost plan you’re not getting much for your money (except a false sense of security). Even for the expensive plan they cannot guarantee complete coverage. For LifeLock to even pretend to do any type of monitoring you’ll have to give them all your financial information: all account numbers, passwords, SSN, date of birth, email addresses, etc. So, you would be putting all your vital information into yet another database that can be mined and hacked. Some of you may remember that a few years back LifeLock CEO’s identity was hacked several times! He was informed of his misfortune.

      Not to be too negative about all this, let me offer some suggestions:
      – You should always keep a comprehensive record of all your accounts and company phone numbers in one place, because you don’t want to scramble in a panic if things get stolen, such as if you lose your wallet. For example, scan all the items in your wallet.
      – Set notification alerts with all your financial institutions. These are much better and quicker that a monitoring company.
      – As has been said before, check your accounts regularly.
      – If you do find an actual breach, file a police report at the location where it happened. File an FTC report. Report it to the IRS. Contact all your financial companies and ask to freeze or close your accounts. With some companies you can ask to get a security password for future transactions instead of SSN.
      – Of course, you can also freeze your credit with the credit agencies.

      Now, if there was a company that did all these protective services for you, only then it would be worth it. But for any third party company to do all this they would need power of attorney from you. Would you want to do that?

      Reply
      • Good point about giving all of your information to a company like LifeLock. If their CEO’s identity was stolen several times, I’d doubt their ability to keep my information safe. Best solution would be for financial reporting agencies to offer two-factor authentication.

        Reply
    • It is frustrating when people post a question such as John G’s on this site. In the first place, why wouldn’t you use the web to check out the TrustedID monitoring service reviews before signing up. And after that, why wouldn’t you check out who else might have received an email such as yours. If you trust the internet enough to sign up for services where you hand over your identity information, you should trust it enough to do some research on it. Besides, in the email that you received there is a phone number to call if you have questions.

      The reviews for TrustedID (an Equifax service) are not good, especially at this time. For example, look at this: https://www.nextadvisor.com/blog/2017/09/22/we-signed-up-for-equifaxs-trustedid-premier-and-heres-what-happened/

      Reply
    • Impossible to say from the information you’ve provided. It could be … but these days it could also be phishing. Examine carefully where the link goes before you click on it.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.