It’s likely you’ve heard of the massive data breach finally announced by Equifax this last week, potentially compromising some 143 million consumers. In layperson’s terms: these 140,000,000 people just had their whole credit histories stolen. As if that’s not bad enough, credit card numbers for almost 209,000 U.S. consumers were accessed, along with documents that contained personally identifying information for another 182,000 individuals. To put this in perspective, this data breach could impact two-thirds of American consumers. So if you think you don’t need be concerned, rethink that.
This data breach potentially comprised names, addresses, dates of birth, social security numbers, and in some instances driver’s license numbers of millions of people. This means that the potential for identity theft is huge. As Avivah Litan, security analyst at technology research firm Gartner says, identity thieves can link this information to “over a billion passwords stolen elsewhere to piece together a more complete profile of you” to commit financial crimes.
What does this mean? Your identity can easily be stolen and used to apply for new credit, driver’s licenses and other forms of ID. It can even used to file fraudulent tax returns. Think your life is crazy now, just ask anyone who has ever had their identity stolen what a special kind of hell that is. It is a whole different kind of insanity, and pretty much one of the most horrible experiences ever. I’m not gonna lie—this is a damn long blog post, but it contains information that can protect you and your family, so pull up a chair and slog through it.
Understanding Your Relationship to Equifax
Here’s the thing to know as you think about your relationship with Equifax: You are not Equifax’s customer, you didn’t hire the credit bureau and they likely don’t care much about keeping you happy, or keeping you as a customer. You are a consumer. You buy things, and you want to buy more things. Sometimes you do that by way of applying for and using credit. Equifax collects your data based on credit applications you have submitted over the years, and maintains a credit record on you. You’re the product. You’re a consumer, not a customer. Equifax doesn’t have your back, and they’re not really going out of their way to offer up any protections. Chances are good that if something bad happens to you as a result of this breach, you can sue them, but that could be a long, expensive battle. Want to stop using Equifax? Stop using credit. Not quite so easy, is it?
What Equifax Did, or Didn’t Do, That is Such a Gigantic Mistake
To illustrate the callousness with which Equifax treated this horrific breach, note that this whole thing was entirely preventable. Hackers entered the Equifax system in mid-May by way of a vulnerability that was discovered in March, and for which a patch quickly made available. In short, had the IT team at Equifax been doing their jobs, this data of 143 million people would have likely been protected.
Even more callous, is that while this breach that first occurred in May was discovered by Equifax on July 29th, it was not reported nor were consumers notified until some 45 days later, on Thursday, September 14, 2017. Equifax and other credit bureaus have both an ethical and a obligation to protect the highly sensitive consumer data to which they are privy, and Equifax failed this standard, on pretty much all fronts. As an aside, this is the second breach suffered this year alone by Equifax—according to WaPo, Bloomberg reported an earlier breach, in March of 2017 that is supposedly unrelated to this one. Comforting, I know.
Who is Affected? Is it Me?
Short answer: Heck yes. Have you opened a checking account, applied for credit of any kind, purchased a cell phone, applied for utility services, gotten a loan for a car, applied for a mortgage, rented a house or apartment, applied for a job, or applied to get into a school at any time in the last seven years or more? Chances are good that you’re affected. Your complete financial history, everything you’ve ever applied for, purchased, wanted to purchase but were denied, etc., is a part of every credit bureau’s records on you, sent by every lender and every creditor you’ve ever done business with. They are truly the Big Brothers of our society—unless you’ve been operating completely off the grid, which most of us suck at, they know everything about a whole lot of consumers.
To find out if you’re on the lucky list, go to the Equifax website, scroll to the very bottom and hit the red “Potential Impact” button. It’ll ask you to input your name and the last six digits of your SSN. Honestly, even if it appears you weren’t affected, it’s important not to feel as if you’ve dodged a bullet. Be more diligent than ever before, get copies of your credit report, and check all your accounts, asap and weekly, at a minimum.
Now, what can you do to protect yourself? Here are some important steps you can take:
Initiate an Extended Fraud Alert [it’s a pain, suck it up and do it anyway]
Here’s the thing, you and 139,999,999 other friends in the U.S. are victims of identity theft. Do this even if your name doesn’t show up on that Equifax list because, well, who knows? There is much information we don’t yet have, and if you’re in the Equifax database (and you are), your identity is potentially stolen. Act like it is.
It may seem like a pain, but call your local police department and report the identity theft so that you’ll have a physical record of it. This is an important step and, even better, it makes the next things I’m going to tell you to do FREE and/or in some cases potentially free.
Once you’ve created an Identity Theft Report with your local police department, you can then place an extended fraud alert at no charge on your credit file. A fraud alert is different than a credit freeze. It’s a notice that you put on your credit report warning prospective lenders and your current lenders that they are required to take reasonable steps to verify your identity before granting credit because you’ve been a victim of identity theft. You do this by requesting an extended fraud alert at one of the three big credit bureaus, who will then pass the alert to the other two. You’ll need to place a separate alert with Innovis.
Because of the Identity Theft Report, you can get an extended fraud alert on your credit file. This is key, because an extended alert allows you to get two free credit reports from each of the credit bureaus within twelve months—which essentially means that you can get up to 16 free credit reports at no charge per year. Even better, the credit reporting companies are required to take your name off of marketing lists for prescreened credit offers for five years (yay!). This extended fraud alert lasts for seven years. It’ll take a little time, but trust me, this is worth doing.
Freeze Your Credit – Right Now!
As I mentioned earlier, you are officially a victim of identity theft as a result of this breach. And it’s official once you’ve filed that police report. The next fastest way to protect yourself (after doing the fraud alert above), and the option that affords you the most security, is to freeze your credit files with the three major credit reporting bureaus, and if you really want to be safe, add a freeze with Innovis. And yes, you really need to do that right now. The only reason to NOT do this immediately is if you’re in the middle of waiting for approval on a mortgage loan or some other really big deal you’re trying to finance and waiting for approval on. Otherwise, freeze it now.
Freezing your credit means that nobody, including you, can inquire into your credit until this freeze is lifted—and it can only be lifted by you. It’s important to know that freezing doesn’t affect your current accounts in any way and it doesn’t affect credit the job that credit monitoring companies can do for you, if you’re paying for that service. And when you’re ready to unfreeze your accounts, you can do that. It costs about $30 to unfreeze all three when and if you need to finance something but it’s worth it in the long run.
Here is who you need to call to freeze your credit, right now:
TransUnion – 1-888-909-8872
Equifax – 1-800-349-9960
Experian – 1-800-397-3742
Innovis – 1-800-540-2505
You can do this online but all of these sites are so busy with frantic consumers that they are slow and often unreliable. The freezing process is done by way of an automatic system, so it’s much quicker. At least that was my experience when I did it for our accounts.
Final note here, yes, you need to call all three credit bureaus, and also call the fourth (Innovis, listed above), don’t stop at just one! Did I mention you should do this right now—are you getting a sense of how important this is?
Know that a freeze might not stop the misuse of your account and doesn’t protect you against all kind of identity theft. It’s a protection you can take, but it’s not foolproof. In some states, victims of identity theft can place a freeze for free, and in others, you have to pay a fee. That’s where having that report on file can save you money so if you weren’t listening when I suggested you do that, rethink that.
Here’s an easy checklist from the FTC which easily outlines the simple steps to take to initiate a fraud alert and place a credit freeze: Extended Fraud Alerts and Credit Freezes
Enable Two-Factor Authentication, Everywhere
If two-factor authentication isn’t already part of your standard operating procedure, change that. It’s an extra layer of security that you can put in place that requires not just one password alone, but a separate step (the “second factor”) that is usually a code texted to your mobile device that you need to also enter in order to access your accounts. Set this up for your banking, credit card, social media, email, and other accounts that afford access to sensitive information. Before you laugh at the mention of social media as an account that contains sensitive information, email and social media are accounts hackers love most, because they contain a treasure trove of personal information. Don’t believe me, read: Corporate Email and Social Accounts: Hackers’ Delight.
Two-factor authentication. Do it.
Lock Down that Phone and Email, Be Smart About Wifi
Our smartphones are the key to just about everything most of us do these days. For sure, make certain your phone is locked at all times and that your email account is secured by the strongest password possible and also secured by two-factor authentication. That way, when you log in from some place not familiar, you’ll be required to enter a code texted to your mobile device. This tiny little step can prevent a hacker from getting access to your device and/or your email. And if you’re in the habit of using unsecured wifi, like in a coffee shop or airport or some other public place and do dumb things like logging into your email, credit card accounts, bank accounts, social media accounts and the like, stop that. Get a hotspot, use your phone as a hotspot, or wait to do that stuff until you’re on secure wifi connections.
Use Strong Passwords—Always
I unintentionally upset my stepmother a few months ago because I set up a new account for her and made her password a secure one. I can’t help it, it’s like second nature to me to be a password freak. It was much different than the easy to guess, easy to break one she’d been using for the last ten years, across all her devices and password-secured accounts. She was so unhappy about the new, hard to guess, harder to remember (that’s the point, people) password that she even cried. I relented and used the password she wanted, but when and if her accounts are hacked, she’ll know I tried. There’s only so much a person can do—some battles cost too much to win. But seriously, if you care about protecting your financial information, your personal information, your private information, use a secure password, and don’t use the same password every place. It really is that simple, and it really is that important. If you want an easy solution, use a password management app like LastPass, 1Password, or Dashlane and quit making them up yourself. Some day, you might be grateful for going this route. Read: The Best Password Managers for Protecting Your Data Online.
Sign up for Credit Monitoring
Equifax is offering free credit monitoring to all U.S. customers but really, at this point, I’m not sure I’d trust them. In fact, I’m sure I don’t. There are plenty of credit monitoring services out there. Do your homework, find one you like, pay for it. I’ve included a list here from research firm NextAdvisor that might help: Credit Monitoring Service Reviews and Ratings (2017).
File Your Tax Returns Quickly
If you’re a procrastinator and haven’t yet filed your 2016 tax returns, get it done. More importantly, make it a point to get those returns filed early every year. Credit freezes and fraud alerts won’t stop identity thieves from filing fraudulent tax returns and the IRS is not going to take any time to see if a SSN is “verified.” If someone files a tax return with your SSN before you can file it yourself, you have a long battle and many headaches in store.
Also know that the IRS is not in the business of making phone calls, they send certified letters. If you get a call from someone claiming to be from the IRS, especially if they ask for a SSN or any other information, it’s a scam. Those have been prevalent these days, well before this Equifax business, so it’s something to know about and especially something to maybe warn your elderly parents about.
Protect Your Valuable Documents
So now that your identity is potentially compromised, you’ve got to actually monitor your credit, your bank accounts, your credit card accounts, and pay attention to all this stuff you’ve been taking for granted, here are a couple more things to keep in mind. Your birth certificate and your passport have never been more important documents than they are today. If you’ve only got one copy of a birth certificate, get a second. Just in case. Keep one in a fireproof box in your house and the other at your parents’ house, in a safe deposit box, or in your office. The same is true if you’re a Naturalized American—keep your Naturalization papers and birth certificate safe.
If you don’t already have a passport, there’s no better time to get one than tomorrow. Getting one, even if you’re not planning on leaving the country, will prevent someone else from using your identity and getting one. Crazy, isn’t it? But something worth thinking about.
What About the Kids?
Do you need to worry about your kids’ identities being stolen? If they are under the age of 18 and have SSNs, it makes sense to ask, but if they’ve not applied for credit, there’s no reason to worry. That said, if you’ve got kids over the age of 18, chances are good they have applied for credit and that they might not be interested in jumping through these many hoops to protect their identities. Nag them until they do. Says the parent of four, two grown, two not. And if you’d like me to do it for you, happy to oblige—I’m a professional when it comes to that.
What if I’m Canadian? Or British?
News is just now coming out about Canadians affected by the Equifax data breach and The Guardian and other sources report that some 400,000 UK residents have also experienced compromised personal data. The nuances of steps to take to protect yourselves are different in both Canada and the U.K. so I’m going to leave it to you to find that information on your own rather than run the risk of misinforming. Read for more info:
Equifax hack puts data of 400,000 U.K. customers at risk
Equifax says 100,000 Canadians affected by cybersecurity breach
Bottom line, this data breach could affect you in a big way. It’s a big roll of the dice and a little naive to think it won’t affect you. In today’s world, personal data is the currency of the Dark Web, and there is more information for sale there than you can imagine. Don’t assume you’re safe, take steps to make sure you are and that you’re protected as much as humanly possible moving forward.
Hopefully this information helps. If you have questions, please ask and I’ll do my best to answer or find a resource that can. Go, do, be safe.
Other resources on this topic:
What Retirees Should Do in Wake of Equifax Data Breach
Equifax says its overwhelmed. Customers say they’re getting the runaround
Massachussetts AG sues Equifax over massive data breach