On September 7, 2017, Equifax, one of the three major credit bureaus, announced it had suffered a data breach that impacted approximately 143 million consumers. The actual breach happened months earlier—between mid-May through July 2017. Hackers were able to gain access to an estimated 143 million consumers' personal information, including names, birth dates, addresses, social security numbers, and driver's license numbers.
On top of that, hackers were able to access credit card information for 209,000 consumers and dispute documents (which contained additional personal information) for another 182,000 consumers.
How Big Is the Equifax Data Breach?
If we're only looking at the numbers, the Equifax data breach isn't the largest. The record for most consumers affected by a data breach goes to Yahoo, which had 500 million customers affected by a breach that occurred in 2014 and 1 billion customer records compromised in 2013. However, in terms of the type of information compromised and the fact that it's a credit bureau that suffered an attack, this might be the most significant data breach in history.
Social security numbers are perhaps the most important piece of identifying information that we have. With it, thieves can open credit cards, apply for a mortgage, buy a car, start a business, file taxes, apply for government benefits, pretty much pretend to be you, and leave the real you to deal with the fallout. Or, they can sell your information or post it online for others to use.
Swift action and continued monitoring are key for all of us to protect ourselves as much as possible. Here's what everyone should do after the Equifax data breach.
Find Out If You Were Affected
Equifax has set up a website where consumers can attempt to find out whether they were affected. You'll have to enter your last name and the last six digits of your social security number at EquifaxSecurity2017.com to find out whether your information has potentially been compromised. (That is, if you're willing to put more of your information in the hands of the company that had 143 billion consumer records stolen.)
You won't get a hard "yes" or "no" on whether you've been affected. Instead, if you enter your personal information into the form, you'll get one of two messages:
- They believe that your personal information may have been impacted by this incident.
- They believe your personal information was not impacted by the incident.
Because Equifax isn't offering up a definite answer, either way, it's in everyone's best interest to behave as though their information was indeed compromised in the breach.
Pull Your Credit Reports
The delay between the actual data breach and the timing of Equifax reporting it to the public gave hackers more than enough time to use the information. There's a chance that some consumer information has already been used.
Start by pulling copies of the three credit reports to see if your information has already been used. Check for any accounts you didn't open, suspicious usage on current accounts, or inquiries you didn't initiate (especially if they occurred after May 2017). If you see any of these things, especially accounts you didn't open, take steps to clear up the identity theft.
File a police report and complete an ID theft affidavit. Both these documents are important for blocking these fraudulent accounts from your credit report and for taking action to ensure your identity isn't compromised further.
Freeze Your Credit Reports
Freezing your credit report is the best course of action whether you were one of the 143 million whose records were exposed or not because, honestly, there's no way to know for sure.
A security freeze is currently the strongest option available for preventing fraud. Once you place the security freeze on your credit report, businesses cannot access your credit report to approve any new applications. Unless they're willing to approve the application without credit data—or they use a source outside the three major credit bureaus—thieves won't be able to get accounts in your name.
The federal government made placing a security freeze free as of September 21, 2018. You can also unfreeze your credit file for free.
You'll have to temporarily unfreeze your credit report each time you want to apply for credit. If you don't want to freeze all three credit reports each time, you can contact the company to find out which bureau they use and then unlock just that bureau's credit report. The credit bureaus will supply you with a PIN or password that you can use to verify that it's you who's lifting the freeze.
Strongly consider placing a security freeze on your credit report even if Equifax says they don't believe your information was compromised. Data breaches are becoming increasingly common. As banks crackdown on credit card fraud with stronger technology, like EMV chips, thieves are more likely to seek other ways to steal customer data. If your personal information hasn't already been compromised in this or another data breach, it may only be a matter of time.
Data breaches of this magnitude make headline news because of the size of the company and the number of records stolen. Smaller data breaches may go undetected or unreported. Placing a security freeze is one of those things you can do to protect yourself just in case—kind of like having car insurance.
Why Not Place a Fraud Alert?
A fraud alert is another option for combating identity theft and fraud, but it doesn't offer nearly as much protection as a security freeze.
An initial fraud alert is free, lasts for 90 days, and only requires you to alert one of the credit bureaus. That credit bureau will then let the other two bureaus know to place a fraud alert on your credit files with them as well.
The fraud alert is simply a notification on your credit report that warns businesses to take additional steps to confirm your identity before granting credit. Businesses can still check your credit, and since they're not legally required to abide by the fraud alert, some may choose to grant the application anyway.
You can place an extended fraud alert on your credit report, which will last seven years instead of only 90 days. Still, you'll have to prove that you've been a victim of identity theft by providing a police report and identity theft affidavit.
Monitor Your Credit
Monitoring your credit allows you to react to newly opened fraudulent accounts or other suspicious credit activity and prompts you to take additional steps to prevent future fraud. Note that credit monitoring is useful in keeping up with changes to your credit, but it only allows you to respond to identity theft. Prevention saves you the time, money, and energy of having to work with law enforcement and the credit bureaus to clear up instances of identity theft.
A Few Other Options for Keeping Tabs on Your Credit
Credit Karma provides free monitoring of your Equifax and TransUnion credit reports, and Credit Sesame offers free monitoring of your TransUnion credit report.
If you're willing to pay for a credit/identity monitoring solution, check out LifeLock. Plans start at $11.99 a month but for one bureau only. Their three-bureau monitoring plan is $34.99 per month. Each plan offers a type of identity theft insurance and social security number alerts.
Identity Guard's Total Plan is $19.99 per month and offers three-bureau credit monitoring along with threat alerts, account takeover alerts, address monitoring, and more.
Don't rely solely on credit monitoring to keep up with changes to your credit. Review each of your credit reports from the major bureaus at least once a year. You'll get one set for free by ordering through AnnualCreditReport.com.
Watch Your Credit Card Accounts
While compromised social security numbers get the majority of the attention, don't ignore your credit accounts. Equifax reported approximately 209,000 consumers had their credit card information compromised. With little indication of who those consumers might be or how they can identify themselves, we should all be watchful of our credit card statements. Check your accounts often and report any suspicious charges to your credit card issuer right away.