About 143 million consumers’ sensitive information has been compromised in what was one of the worst data breaches to date in size and potential impact on consumers. Credit reporting agency Equifax announced the breach Thursday, more than a month after detecting the intrusion.
Equifax is one of the three national credit reporting agencies (the others being TransUnion and Experian) and collects a wide variety of consumers’ sensitive and personally identifiable information (PII). The information on credit reports determines credit scores and is used in lending decisions, among other things.
The breach exposed the names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers of about 44 percent of the current American population. Hackers also took the credit card numbers for about 209,000 U.S. consumers and dispute documents for 182,000 U.S. consumers.
In its announcement, Equifax said “criminals exploited a U.S. website application vulnerability to gain access” to the files. In addition to the millions of U.S. consumers affected, the company says the criminals had access to limited personal information of some U.K. and Canadian residents.
The Atlanta-based reporting agency said the thieves had access to the data from mid-May through July 2017, but it didn’t discover the breach until July 29. Equifax announced the breach more than a month after discovering it and hiring a cybersecurity firm to investigate.
The company says it’s also working with law enforcement authorities and that its investigation will be complete soon. Equifax has not said who they believe attacked their database.
What the breach means for consumers
The breach isn’t the largest to date, but it’s close. In 2016, Yahoo announced an attack that affected 500 million users. Another breach, announced just a few months later, involved 1 billion users. In those breaches, hackers stole users’ phone numbers and passwords.
The Equifax breach could be worse in impact, given the sensitive nature of the consumer data the company has on file. In its release, Equifax said it had found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” That doesn’t necessarily mean the information hasn’t been misused or that it won’t be misused, as signs of identity theft may not immediately show up on a credit report.
“If you were going to rate this breach from one to 10, this is a 10. The amount of sensitive info that is contained in the Equifax database is staggering,” says Adam Levin, founder of CyberScout and author of “Swiped,” a book on how and why consumers can protect themselves from identity theft.
When this level of information has been compromised, it “opens up the door for thieves to commit many different other types of identity theft. Not just financial, but criminal, government, medical theft as well,” says Eva Velasquez,the president of Identity Theft Resource Center.
Levin adds, when Social Security numbers are part of a database that’s been exposed, all of the individuals who have their numbers in that database will need to be “looking over their shoulders for the rest of their lives.” The Social Security Administration rarely changes someone’s Social Security number.
What to do now
First, don’t panic.
“People really feel violated when things like this happen,” says Velasquez. “Direct your energy from being angry or upset and feeling powerless to actually doing something and taking some steps to feel more empowered.”
Levin says the breach may add to “breach fatigue” — how the drastic rise in security breach causes consumers to believe breaches are inevitable and react to them apathetically instead of with urgency.
“But it shouldn’t,” Levin says. “It should be a clarion call. Unfortunately, as consumers we have to think of this as as if we’re alone. The government has failed us. The financial industry has failed us, and frankly we have failed ourselves. It’s important that we develop a culture of privacy and security.”
Find out if you are one of the impacted
Given the increasing threat and frequency of data breaches, everyone should be proactive in detecting identity theft. For this breach in particular, Equifax set up a website to see if you’re one of the people affected and how to enroll in the free year of credit monitoring it’s offering victims.
Visit equifaxsecurity2017.com and click on “Potential Impact.”
You’ll see a page with a large, rectangular button that says “Check Potential Impact” and a few lines of text.
The text explains that if you click on the link that says “Check Potential Impact,” you’ll be taken to a form that asks you to provide your last name and the last six digits of your Social Security number.
Based on that information, you’ll then be shown a message that says whether your personal information may have been impacted by the breach.
Regardless of the message you see, Equifax will give you the option to enroll in a credit monitoring service from TrustedID Premier. Beware: if you enroll, you’ll have to agree to waive some of your rights to sue Equifax. The arbitration clause is written in all caps in the company’s terms of service, but consumers may miss the language. The Washington Post reported earlier Equifax on Friday updated its terms to incorporate a way out of the arbitration clause.
Equifax cleared up the confusion Friday afternoon by adding the following information to its FAQs section on equifaxsecurity2017.com:
However, New York State Attorney General Eric Schneiderman still found the addition “unacceptable.”
— Eric Schneiderman (@AGSchneiderman) September 8, 2017
Consumers can be excluded if they let Equifax know within 30 days in writing they would like to be excluded from the arbitration clause, but must first accept the agreement.
If you choose to enroll, you’ll be given an enrollment date. There’s quite a backlog of people enrolling, so you have to take it upon yourself to return to the site on your enrollment date. In short: You have to take your protection into your own hands. Equifax isn’t doing it for you.
Sign up for credit monitoring
Equifax is offering one year of free credit monitoring through TrustedID Premier to all U.S. consumers, regardless of whether they were affected by the data breach. There are five services under the program:
- Get a free copy of your Equifax credit report.
- Sign up for credit monitoring and automated alerts to be notified of key changes to your credit report on any of the major big three reporting agencies.
- Put a freeze on your Equifax credit report.
- Scan suspicious sites for use of your Social Security number.
- Get up to $1 million of identity theft insurance to help you pay for any costs you may incur if someone commits identity fraud against you.
Even if you don’t want to enroll in Equifax’s service, you should enroll in a credit monitoring service, like free options offered through Credit Karma, Discover, Mint, Wells Fargo, and Capital One® — there are lots of ways to keep tabs on your credit.
Some identity theft protection services like the ones offered through myFICO, charge a monthly fee to monitor your credit year-round and provide identity theft insurance.
Regularly review your credit reports
You’re entitled to a free annual credit report from each of the major credit bureaus, which you can get through annualcreditreport.com. Carefully check your credit report for any accounts or recent activity you don’t recognize.
Make a plan to respond to identity theft
Detecting identity theft as soon as possible is crucial to minimizing the damage and stress it can cause — that’s where credit monitoring and reviewing your credit reports comes in. But the next step is just as important: Know what to do when it happens.
You can dispute errors on your credit report, file a police report documenting the identity theft, and do the legwork of resolving any problems it causes. You can also pay for identity theft insurance or identity theft resolution services (some employers offer this as a benefit, so check with your human resources department). Here’s a guide on identity theft resolution, so you know what to do in case you see anything suspicious. Even if you don’t see anything out of the ordinary, you should continue to remain vigilant in monitoring your credit activity.
Freeze your credit report
Velasquez says a credit security freeze is an option impacted consumers should look at. It prevents any application for new credit without first verifying your identity. If you want to apply for new credit, you’ll have to “thaw” your credit reports. The credit bureaus charge a fee, which varies by state, every time you freeze and thaw your credit report.
“While that does create some added inconvenience, the level of protection is worth it,” says Velasquez.
Be alert for unusual activity
Now is the time to practice what Velasquez calls good “identity hygiene.”
“Being vigilant about your identity is just a part of the world that we live in,” says Velasquez. “ If being involved in a data breach is the catalyst that brings that to the top of your mind, then we can see that as a positive.”
Velasquez recommends consumers act proactively and remain cognizant of anything that may involve using or verifying their identity. For example, if you receive a notice from a government agency about benefits or some weird explanation of benefits, pay attention to it.
Even after you do things like enroll in credit monitoring and freeze your credit, continue to do your best to watch out for signs of abuse. Don’t wait until you start receiving strange calls from government agencies and debt collectors.
When tax season rolls around, file your return as soon as possible. Identity thieves frequently use Social Security numbers to get fraudulent refunds, and if they file before you do, it will further complicate your tax-filing process.
At the least, go through your financial statements regularly (the more often, the better) to look for anything out of the ordinary. While protection is top of mind, sign up for any alerts you can set up on your mobile banking app to receive transaction notifications.