• Home
  • What We Do
  • Examples
  • About
  • Blog
  • Tweet!
  • Zoom Running
  • Contact
Your Attention, Please! communications

The Equifax Hack: How To Protect Yourself

9/13/2017

4 Comments

 
Updated 10/6/17 — added reference and links to people facing delays buying iPhones because of their credit being frozen
Updated 10/4/17 2:44 p.m. PDT — updated info on TransUnion’s TrueIdentity free credit freeze;
    reply to reader comment about a fourth credit bureau, Innovis.
Updated 9/15/17 5:49 p.m. PDT — new date for expiration of free credit-freeze offer from Equifax
Updated 9/14/17 5:07 p.m. PDT — New Info re TransUnion’s TrueIdentity program


It’s almost certainly the worst data breach in U.S. history in terms of the amount of damage likely to be done and the number of people likely to be hurt. Hackers have stolen the sensitive personal information of 143 million U.S. consumers (plus an undisclosed number of Canadian and U.K. residents) from Equifax, one of the “Big Three” credit-rating bureaus (the other two being Experian and TransUnion). 
Picture
​
​What Was Stolen, When, and Why

 
The amount of data isn’t the main issue, though; it’s the types of information they got, including Social Security numbers, birthdates, home addresses, driver licenses, credit-card documents, and other sensitive personal information that can be used to steal your identity; open accounts in your name; file false tax returns in your name and steal your tax refunds; ruin your credit; and more. As USA Today noted in a blistering editorial, “A breach at one of the nation’s three major credit bureaus is far more dangerous than the typical retail credit card breach. It's easy enough to get a new credit card, but you can’t change your birth date or easily get a new Social Security number.”
Picture
​The hack probably was made possible by Equifax failing to patch security holes in its software, security expert and former Homeland Security official Paul Rosenzweig writes in Scientific American. “The real loser here is you and me. We have no privacy left.” And, he adds, the cost of protecting our data is increasingly borne by us, the consumers, not the companies that hold the data. (This is not the first time Equifax has been hacked due to lax security, victims allege.)
 
The hack occurred beginning as early as mid-May. Equifax didn’t discover it until July 29, and didn’t make it public until Thursday, Sept. 7. During the interim, three top Equifax officials sold off millions of dollars worth of company stock. The company claims the executives — its Chief Financial Officer, U.S. Information Solutions President, and Workforce Solutions President — were unaware of the data breach that had been discovered a few days before they sold those holdings.

​Equifax Compounds the Problem
 
After revealing the breach, Equifax made the situation worse by urging people to sign up for a free year of a credit-monitoring service (far short of what’s needed), after which they would be prompted to pay for continuing the service. The Web site Equifax set up to supposedly tell you whether your data was stolen and to sign up for the free year of monitoring itself has security flaws. Moreover, when registering to find out whether your data has been stolen, you can get different answers with the same information entered on different Web browsers; in tests, entering nonsense information (“123456” for Social Security number, “Test” for name) produced a message saying your data might have been affected. (The site is EquifaxSecurity2017 — I do not recommend registering at that site.) My recommendation: Assume your data was stolen, and act accordingly. Even if you weren’t a victim in this breach, taking action now may protect you against the next one.
Picture
Perhaps worst of all, for the first couple of days, the site’s Terms of Service contained a clause that said by signing up for the free monitoring, users were giving up their right to sue over the data breach. That “binding-arbitration” clause has been removed as of this writing, but people who signed up before it was removed may need to write to Equifax within 30 days of signing up to get their legal rights back. (Write to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, including your name, address, and Equifax User ID, as well as a clear statement that you do not wish to resolve disputes with Equifax through arbitration.)


What You Need to Do
 
I won’t mince words. This is very bad. It’s not possible to put the genie back into the bottle: Your information is out there, criminals will try to use it, and there is no 100% secure defense.
 
But there are things you can do to make yourself a less-easy target. With luck, that will prompt the bad actors to move on to someone else and leave you alone.
 
Based on recommendations from sources I trust, here are steps to take:
​1. Freeze your credit

The best, most effective action you can take is to place a security freeze on your credit files at the Big 3 bureaus, according to Consumer Reports and others. This will block most requests for your credit information, preventing thieves from setting up new accounts in your name. You must do this with all three credit bureaus, and there is a charge (varies from state to state, typically $10, waived for verified victims of ID theft and often reduced or waived for people 65 or older). Note that if you want your credit report shared — to open a new account, get a new job, rent a new home, make a major purchase — you will need to lift the freeze temporarily or permanently or just for the specific inquirer, which may involve additional fees. (Some people trying to buy the new iPhone (including as upgrades), for example, have been delayed because they needed to unfreeze their credit first.

It’s a pain, and can get expensive, but not nearly as painful or expensive as having your identity stolen, which can be very costly and take years to unravel. Order separately at Equifax, Experian, and TransUnion. (I was unable to freeze my credit with Experian online or on the phone; I am required to send a written request by certified or overnight mail.)
Picture
Free alternatives: Equifax is waiving its fee for credit freezes through Nov. 21; I've frozen my credit report with that company.

TransUnion offers a free alternative to credit locking called TrueIdentity. It lets you lock and unlock your credit report at will. TrueIdentity seems as useful as a credit freeze without the fees and with less hassle. I haven’t been able to find any reliable reviews of the service, but it’s what I’m doing for the time being.

Some drawbacks, which weren’t dealbreakers for me: After creating my account on Sept. 14, 2017, I kept getting log-in errors, even after I had supposedly successfully changed my password. That night I got an e-mail from TransUnion with the Subject "You're In!" with small print saying I’d be charged $19.95/month. I phoned the next day; the customer service representative fixed the problem with my login, and then confirmed I wasn’t signed up for any services that cost money. (Apparently, the e-mail was a mistake.) As of Oct. 4, I haven’t been charged anything. I don’t like that the sign-up process required giving my mobile phone number; I gave my voicemail number instead. The agreement for the service says I “agree to receive targeted offers by TransUnion and other parties in exchange for receiving the product at no charge” (another good reason not to give my actual cell number); I can deal with that. It also requires binding arbitration of disputes, not as crucial an issue for a free product, but I’ll exercise my right to reject binding arbitration anyway. (“Within 60 days of signing up, write to TransUnion Interactive, 100 Cross Street, Suite 202, San Luis Obispo, CA 93401 with your current username and a clear statement of your intent, such as I reject the arbitration clause in the TransUnion Interactive Service Agreement.”)
TransUnion does offer the paid Credit Freeze option, too. And remember: This option must be requested from each of the three credit unions, so the one-time cost could be $20 total ($10 each from TransUnion and Experian, with Equifax waiving its fee until Nov. 21, 2017).
Picture
2. Initiate a fraud alert
 
This is a free option, and easier than a credit freeze, though it provides weaker protection. You sign up at just one of the three credit bureaus; they are required to notify the other two. I did mine at Experian (not trusting Equifax to keep anything secure right now).
​

A fraud alert lasts 90 days and can be renewed. When you sign up, put a note in your calendar every 90 days to renew it.
 
A fraud alert can make it harder to open new accounts in your name, according to the Federal Trade Commission (FTC). Businesses “see a ‘red flag’ on your account and know to take extra steps to verify your identity.” Of course, thanks to Equifax’s security breach, a thief may be able to answer a business’s questions correctly; a savvy business will try something like phoning you at the number shown in your credit report. (The thief may have your phone number, but probably doesn’t have your actual phone.) A fraud alert entitles you to a free copy of your credit report (though you may already have one coming — see next section). A fraud alert is probably unnecessary if you’ve ordered a credit freeze from all three bureaus.
 
​

3. Review and correct your credit report
 
By law, you are entitled to review your credit report from each of the three bureaus once a year at no charge. This doesn’t include your credit score — the numerical ratings that indicate how credit-worthy the companies think you are — but it does include all of your credit accounts and their current payment status, as well as your address and other identifying information. Best practice is to request the free report from just one of the credit bureaus every quarter, so you can keep on top of the info without paying for additional reports. For example, check Equifax’s now; Experian’s in four months; TransUnion’s in eight months; and then in a year, you’ll be due for another free report from Equifax. If you’ve recently requested your free report from any or all of the bureaus, filing a fraud alert (see previous section) apparently entitles you to a new free report.
 
If you find anything amiss, follow the bureau’s procedures for correcting the information. That will also help protect against the Equifax hack because your information will now be different from what the thieves stole, which may result in failure when they try to steal your identity later.
 
The official Web site for requesting your free report is annualcreditreport.com. Imposters are legion, and may come with strings attached or even be fraudulent; use only this site, which is sponsored by the three bureaus and recommended by the FTC.

Picture
4. Review your accounts regularly
 
It should go without saying that this breach makes it all the more critical to carefully review credit and bank accounts as well as other financial statements (e.g., mortgage bills) immediately upon receipt to make sure there are no fraudulent transactions. Particularly with credit accounts, reporting fake charges promptly is necessary if you don’t want to be held liable for them. 

​I check my accounts at least weekly online to make sure nothing is amiss. (Don’t log in on a public wireless network unless you use a VPN — virtual private network — to shield your data, and make sure your computer has up-to-date antivirus software to make sure nobody is spying on you when you type in your passwords. And, of course, have strong passwords, and a different one for each account; if one account is breached by hackers, they won’t automatically be able to get into others.)

5. File your taxes early
 
One way identity thieves profit is by filing a tax return in your name and then collecting your refund. To reduce the chance of this occurring, file your tax return as early as you can, improving the chance that yours will be filed before someone else submits a fake one in your name.
 
 
The Way Things Are Now

I have already seen reports from several friends that their credit-card accounts have been hacked in the past few days. While I can’t say for sure this is a result of the Equifax calamity, it’s quite plausible.
 
This is all a massive pain, and we’re just getting started. I’m sorry to say, this breach represents the shape of things to come. If you have been lax about online security until now, it’s time to “harden your defenses,” knowing that nothing will keep you entirely safe, but at least you can reduce the likelihood you’ll be subjected to headaches and heartache down the road.
4 Comments
Ama Zenya
9/14/2017 10:26:53 pm

Thank you, Steve!

Reply
Amber
9/19/2017 09:13:36 am

Wow ... I just got the following comment on this blog, which I am publishing with the contact info redacted. This is an obvious scam. Others, however, may not be so obvious, so let me emphasize: *Nobody* can increase your credit score in the manner described here. Most likely, this person is attempting to get you to reveal your Social Security number and other private information in the *guise* of helping with your credit, and will then use that for identity theft.

I don't think my readers are gullible enough to fall for this particular person's grammatically challenged post, but did want to point out that *any* service offering to "repair your credit score" in any fashion other than improving how you handle credit (e.g., make payments on time, don't borrow too much) is almost certainly a scam.

=======

amber has just posted a comment on your blog post, The Equifax Hack: How To Protect Yourself, and you need to approve it:
I saw people commenting and giving testimonies about this hacker Dark Web.also found same stories on YouTube and I have to use him so i can confirm if he's legit or not.I need his assistant to help me increase my credit score.to be sincere this guru help me help to delete all the negatives collections on my credit report and increase my credit score to 800 excellent plus within 72 hours.before i confirm his legit and i enjoy what i paid for.am now free from fake hackers out there because have already made him my permanent hacker.If you need his assistance kindly contact him on his email so you can also share yours testimony just like i did. [e-mail address omitted]

Reply
Lisa Ro.
10/4/2017 12:08:47 pm

Just read your excellent blogpost:) You forgot Innovis — you need to do a credit freeze with them as well.

Reply
Steve Freedkin link
10/4/2017 12:42:18 pm

Hi, Lisa.

Thanks for bringing Innovis to my attention! The “Big Three” (Equifax, Experian, TransUnion) get all the attention, but Innovis is the fourth nationwide credit bureau — sort of.

Here’s what I mean by “sort of.” While Innovis collects a lot of the same types of information as the Big Three, Innovis doesn’t generate a numerical “credit score” that attempts to rate your creditworthiness. Some sources say Innovis serves mostly to help companies evaluate their existing customers rather than new customers. If that’s true, then Innovis reports would be unlikely to contribute to identity theft or other fraud that might result from the Equifax data breach.

Other sources, though, do consider Innovis to be essentially the nation’s fourth nationwide credit bureau, and encourage freezing your Innovis credit report.

Fortunately, Innovis doesn’t charge anything to freeze or unfreeze your credit report. Both actions can be completed quickly and easily online, using this form: https://www.innovis.com/securityFreeze/

Out of an abundance of caution, I’ve frozen my Innovis credit report. If you want to play it extra-safe, you might do likewise.

Some sources of information about Innovis:

Consumerist, published by the very reputable Consumer Reports, says, “Unlike the other bureaus, Innovis lives almost exclusively to build mailing lists that creditors use to determine offers.” Consumerist urges people to check their Innovis reports and submit corrections if necessary. https://consumerist.com/2008/10/04/dont-ignore-the-fourth-credit-reporting-agency-innovis/

The Smart Credit Blog, published by 14-year-old credit technology company ConsumerDirect, says Innovis is used to manage accounts of existing customers rather than primarily to grant new credit; I don’t know anything about this blog’s credibility: https://blog.smartcredit.com/2011/06/20/who-is-innovis-are-they-a-fourth-credit-bureau/

CreditReporting.com, published by a 23-year-old credit reporting company that belongs to the credit industry association, describes Innovis as “a fourth national credit bureau.” http://www.creditreporting.com/innovis.html

Reply

Your comment will be posted after it is approved.


Leave a Reply.

    Whozat?

    Steve Freedkin, proprietor of Your Attention, Please! communications, has a background as a journalist, nonprofit manager, activist, and entrepreneur. He works mostly with people in business for themselves (therapists, artists, consultants, etc.), for whom he provides online promotion (SEO), Web upgrades and updates, and social-media presence (LinkedIn, Twitter, Facebook, Yelp, and the like).

    Archives

    December 2022
    June 2021
    April 2020
    March 2018
    October 2017
    September 2017
    February 2017
    September 2016
    August 2016
    January 2016
    October 2015
    September 2015
    December 2014

    Categories

    All

    RSS Feed

Your Attention, Please! communications
Web sites, social media, online promotion, computer and technical support, writing, editing, publicity, and more
Mail: 5111 Telegraph Ave. #274  •  Oakland, CA 94609-1925  •  Voicemail: (510) 595-4626  •  info@your-attention-please.com