Updated 10/4/17 2:44 p.m. PDT — updated info on TransUnion’s TrueIdentity free credit freeze;
reply to reader comment about a fourth credit bureau, Innovis.
Updated 9/15/17 5:49 p.m. PDT — new date for expiration of free credit-freeze offer from Equifax
Updated 9/14/17 5:07 p.m. PDT — New Info re TransUnion’s TrueIdentity program
It’s almost certainly the worst data breach in U.S. history in terms of the amount of damage likely to be done and the number of people likely to be hurt. Hackers have stolen the sensitive personal information of 143 million U.S. consumers (plus an undisclosed number of Canadian and U.K. residents) from Equifax, one of the “Big Three” credit-rating bureaus (the other two being Experian and TransUnion).
What Was Stolen, When, and Why
The amount of data isn’t the main issue, though; it’s the types of information they got, including Social Security numbers, birthdates, home addresses, driver licenses, credit-card documents, and other sensitive personal information that can be used to steal your identity; open accounts in your name; file false tax returns in your name and steal your tax refunds; ruin your credit; and more. As USA Today noted in a blistering editorial, “A breach at one of the nation’s three major credit bureaus is far more dangerous than the typical retail credit card breach. It's easy enough to get a new credit card, but you can’t change your birth date or easily get a new Social Security number.”
The hack began as early as mid-May. Equifax didn’t discover it until July 29, and didn’t make it public until Thursday, Sept. 7. During the interim, three top Equifax officials sold off millions of dollars’ worth of company stock. The company claims the executives — its Chief Financial Officer, U.S. Information Solutions President, and Workforce Solutions President — were unaware of the data breach that had been discovered a few days before they sold those holdings.
After revealing the breach, Equifax made the situation worse by urging people to sign up for a free year of a credit-monitoring service (far short of what’s needed), after which they would be prompted to pay for continuing the service. The Web site Equifax set up, supposedly to tell you whether your data was stolen and to let you sign up for the free year of monitoring, itself has security flaws. Moreover, when registering to find out whether your data has been stolen, you can get different answers with the same information entered on different Web browsers; in tests, entering nonsense information (“123456” for Social Security number, “Test” for name) produced a message saying your data might have been affected. (The site is EquifaxSecurity2017 — I do not recommend registering at that site.) My recommendation: Assume your data was stolen, and act accordingly. Even if you weren’t a victim in this breach, taking action now may protect you against the next one.
What You Need to Do
I won’t mince words. This is very bad. It’s not possible to put the genie back into the bottle: Your information is out there, criminals will try to use it, and there is no 100% secure defense.
But there are things you can do to make yourself a less-easy target. With luck, that will prompt the bad actors to move on to someone else and leave you alone.
Based on recommendations from sources I trust, here are steps to take:
1. Freeze your credit
The best, most effective action you can take is to place a security freeze on your credit files at the Big 3 bureaus, according to Consumer Reports and others. This will block most requests for your credit information, preventing thieves from setting up new accounts in your name. You must do this with all three credit bureaus, and there is a charge (varies from state to state, typically $10, waived for verified victims of ID theft and often reduced or waived for people 65 or older). Note that if you want your credit report shared — to open a new account, get a new job, rent a new home, make a major purchase — you will need to lift the freeze temporarily or permanently or just for the specific inquirer, which may involve additional fees. (Some people trying to buy the new iPhone (including as upgrades), for example, have been delayed because they needed to unfreeze their credit first.)
It’s a pain, and can get expensive, but not nearly as painful or expensive as having your identity stolen, which can be very costly and take years to unravel. Order separately at Equifax, Experian, and TransUnion. (I was unable to freeze my credit with Experian online or on the phone; I am required to send a written request by certified or overnight mail.)
TransUnion offers a free alternative to credit locking called TrueIdentity. It lets you lock and unlock your credit report at will. TrueIdentity seems as useful as a credit freeze without the fees and with less hassle. I haven’t been able to find any reliable reviews of the service, but it’s what I’m doing for the time being.
Some drawbacks, which weren’t dealbreakers for me: After creating my account on Sept. 14, 2017, I kept getting log-in errors, even after I had supposedly successfully changed my password. That night I got an e-mail from TransUnion with the Subject "You're In!" with small print saying I’d be charged $19.95/month. I phoned the next day; the customer service representative fixed the problem with my login, and then confirmed I wasn’t signed up for any services that cost money. (Apparently, the e-mail was a mistake.) As of Oct. 4, I haven’t been charged anything. I don’t like that the sign-up process required giving my mobile phone number; I gave my voicemail number instead. The agreement for the service says I “agree to receive targeted offers by TransUnion and other parties in exchange for receiving the product at no charge” (another good reason not to give my actual cell number); I can deal with that. It also requires binding arbitration of disputes, not as crucial an issue for a free product, but I’ll exercise my right to reject binding arbitration anyway. (“Within 60 days of signing up, write to TransUnion Interactive, 100 Cross Street, Suite 202, San Luis Obispo, CA 93401 with your current username and a clear statement of your intent, such as I reject the arbitration clause in the TransUnion Interactive Service Agreement.”)
A fraud alert is a free option, and easier than a credit freeze, though it provides weaker protection. You sign up at just one of the three credit bureaus; they are required to notify the other two. I did mine at Experian (not trusting Equifax to keep anything secure right now).
A fraud alert lasts 90 days and can be renewed. When you sign up, put a note in your calendar every 90 days to renew it.
A fraud alert can make it harder to open new accounts in your name, according to the Federal Trade Commission (FTC). Businesses “see a ‘red flag’ on your account and know to take extra steps to verify your identity.” Of course, thanks to Equifax’s security breach, a thief may be able to answer a business’s questions correctly; a savvy business will try something like phoning you at the number shown in your credit report. (The thief may have your phone number, but probably doesn’t have your actual phone.) A fraud alert entitles you to a free copy of your credit report (though you may already have one coming — see next section). A fraud alert is probably unnecessary if you’ve ordered a credit freeze from all three bureaus.
3. Review and correct your credit report
By law, you are entitled to review your credit report from each of the three bureaus once a year at no charge. This doesn’t include your credit score — the numerical ratings that indicate how credit-worthy the companies think you are — but it does include all of your credit accounts and their current payment status, as well as your address and other identifying information. Best practice is to request the free report from just one of the credit bureaus every quarter, so you can keep on top of the info without paying for additional reports. For example, check Equifax’s now; Experian’s in four months; TransUnion’s in eight months; and then in a year, you’ll be due for another free report from Equifax. If you’ve recently requested your free report from any or all of the bureaus, filing a fraud alert (see previous section) apparently entitles you to a new free report.
If you find anything amiss, follow the bureau’s procedures for correcting the information. That will also help protect against the Equifax hack because your information will now be different from what the thieves stole, which may result in failure when they try to steal your identity later.
The official Web site for requesting your free report is annualcreditreport.com. Imposters are legion, and may come with strings attached or even be fraudulent; use only this site, which is sponsored by the three bureaus and recommended by the FTC.
It should go without saying that this breach makes it all the more critical to carefully review credit and bank accounts as well as other financial statements (e.g., mortgage bills) immediately upon receipt to make sure there are no fraudulent transactions. Particularly with credit accounts, reporting fake charges promptly is necessary if you don’t want to be held liable for them.
I check my accounts at least weekly online to make sure nothing is amiss. (Don’t log in on a public wireless network unless you use a VPN — virtual private network — to shield your data, and keep your computer’s antivirus software up to date so nobody is spying on you when you type in your passwords. And, of course, have strong passwords, and a different one for each account; if one account is breached by hackers, they won’t automatically be able to get into others.)
One way identity thieves profit is by filing a tax return in your name and then collecting your refund. To reduce the chance of this occurring, file your tax return as early as you can, improving the chance that yours will be filed before someone else submits a fake one in your name.
The Way Things Are Now
I have already seen reports from several friends that their credit-card accounts have been hacked in the past few days. While I can’t say for sure this is a result of the Equifax calamity, it’s quite plausible.
This is all a massive pain, and we’re just getting started. I’m sorry to say, this breach represents the shape of things to come. If you have been lax about online security until now, it’s time to “harden your defenses,” knowing that nothing will keep you entirely safe, but at least you can reduce the likelihood you’ll be subjected to headaches and heartache down the road.