You’ve probably seen headlines like this over the past few days:
Equifax® Says Cyberattack May Have Hit 143 Million Customers1
Credit agency Equifax announced one week ago that it suffered a data breach affecting 143 million U.S. consumers. The announcement prompted me to check if we had been hacked. Our personal responses from Equifax were:
Greg: Based on the information provided, we believe that your personal information may have been impacted by this incident.
Angela: Based on the information provided, we believe that your personal information was not impacted by this incident.
I let the Target hack slide and Verizon. We use Verizon and have shopped at Target. But, I didn’t do anything. I’ve now frozen our credit and I’ll tell you why I did it, how you can do the same and what to do now. This is a huge breach. I suggest you don’t ignore it.
Every year, it seems more and more companies are falling victim to hackers. Even large organizations like Verizon®, Walmart®, and Target® aren’t immune. But the recent cyberattack on Equifax is especially noteworthy. As one of the three largest credit-reporting companies in the United States, Equifax stores a lot of private information. In this case, names, addresses, birthdates, Social Security numbers and even driver’s license numbers were stolen.
What can hackers do with someone’s name, birthdate, address and Social Security number? The answer is chillingly simple: take the victim’s identity and use it for themselves.
Fortunately, there are steps you can take to protect yourself.
What to Do After a Data Breach
In a situation like this, there are both reactive and proactive steps to take. Let’s cover reactive steps first.
You may be asking yourself, “How do I know if I have personally been affected by Equifax’s data breach?” Equifax has created a website, www.equifaxsecurity2017.com, where you can check if your personal information has been compromised. You can also enroll in a free credit-monitoring service provided by Equifax.
However, I would exercise caution before going there. The website asks you to provide the last six digits of your Social Security Number to perform the check. Given their recent history, it’s reasonable to be wary of providing Equifax more personal information.
In addition, a report by the Washington Post suggests that “enrolling in the Equifax checker program … potentially restricts your legal rights. Buried in the terms of service is language that bars those who enroll … from participating in any class-action lawsuits that may arise from the incident.”2 This was not particularly important to me.
It’s not my place to tell you whether to use the website or not, and indeed, the Federal Trade Commission’s official position is that “if a company responsible for exposing your information offers you free credit monitoring, take advantage of it.”3 But whether you choose to use Equifax’s checker website or not, there are additional steps the government suggests you take:3
- Get a free credit report from www.annualcreditreport.com. Check for any accounts or charges you don’t recognize.
- Consider contacting your financial institution and placing a “credit freeze.” This makes it harder for someone to open a new account in your name. I’ve done this. I’ll show you how below.
- File your taxes as early as possible—before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job.
- Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt—even if they have part or all of your Social Security number, or say they’re from the IRS. I just had two last week.
- Watch for signs of identity theft. Warning signs include withdrawals from your bank account you can’t explain, failure to receive expected bills, and merchants refusing your checks.
Changing your online passwords and signing up for a third-party credit-monitoring service are also prudent steps.
For more information, I recommend visiting www.identitytheft.gov.
Freeze your credit
If you have not done so already, it is imperative that you freeze your credit immediately at each of the three credit bureaus.
A security freeze, also called a credit freeze, locks your credit file at each bureau with a special PIN that only you know. That PIN must be used in order for anyone to access your credit file, or add new credit in your name.
(Note: As of now, Equifax does not believe that security PINs were accessed by hackers. If you had a security freeze in place at Equifax before the hack your PIN should still be protected. But that could change.)
Credit bureaus rarely emphasize freezing your credit file because it’s not in their best interest, or their clients—banks and other companies that grant credit. Instead, they recommend “credit monitoring,” a largely useless and ineffective service that charges you money to tell you when your open, or unfrozen, credit file has been accessed.
In essence, they tell you that you may have a credit breach problem AFTER the fact, which isn’t protection against identity theft. The same is true for LifeLock, a company that has been repeatedly fined by the government for unfair and deceptive trade practices. We don’t recommend anyone use LifeLock.
A security freeze gives you complete control of your credit file. Unlike credit monitoring or fraud alerts, a security freeze stops an identity theft from happening rather than alerting you to potential fraud after it has happened.
How to do it
To set up a security freeze you must contact all three of the credit bureaus individually. This process can be done online or over the phone. You will be asked some questions to confirm your identity but it only takes a few minutes.
We recommend beginning with Experian and Transunion as Equifax’s website is currently receiving high traffic.
You can freeze your credit by using the following phone numbers and links:
- Equifax: 866-349-5191
Freeze your credit - Experian: 888-397-3742
Freeze your credit - Transunion: 888-909-8872
Freeze your credit
Depending on your state, freezing your credit can cost anywhere from $0 to $10 at each bureau. For Colorado, I only had to pay $10 to Experian. Proven identity theft victims can have this fee waived. (If you need to lift the freeze you will have to pay the same fee.)
After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
To lift your freeze you simply contact the bureau used by the lender and provide your PIN to lift the freeze for a certain period of time. This can be done online or over the phone. It may take a few days for the freeze to be lifted so be sure to do it a few days in advance.
Other Proactive Steps to Take
Whether your personal information was exposed or not, there are some basic steps everyone should take to protect their identity. Here are just a few:
- Delete your saved payment methods from online shopping sites. You will have to reenter your billing information each time you make a purchase, but it will protect your payment information if your account is breached or someone gains access to your login.
- Review statements and credit reports regularly. Look for unauthorized charges or small amounts appearing on statements. Check your credit report regularly. Federal law allows you to get a free credit report every 12 months to review. Make sure all information is correct.
- Don’t make impulsive decisions based on fear. If you receive an email or phone call stating that it’s from your bank or the government, and that you’re in trouble, don’t provide the sender with any personal information. Typically, the government will not contact you by email or phone. They will contact you by mail. Your bank will never ask you to provide information through email either. If you’re concerned about the credibility of a call or email from your bank, contact the nearest branch and ask them.
- If someone contacts you saying they’re a relative in trouble and need your help, ask them something that only your relative would know. Or ask a trick question that reveals they’re lying, such as “How’s your dog Scruffy? Did he get better?” when you know that relative doesn’t have a dog. If they say, “Oh he’s doing much better,” then you know they’re a fraud and you should immediately hang up.
- Keep all personal documents in a safe place. Don’t carry them around with you, especially not your Social Security card.
- Don’t open emails from senders you don’t recognize, no matter how interesting the subject line.
- Choose a different way to pay. Many merchants accept alternative ways to pay for goods and services, including Google® Wallet, Apple Pay®, or PayPal®. These services provide an extra layer of protection because they keep your credit card information stored but do not actually provide it to retailers when you pay. I know this is questionable for many of us. We have not chosen to take this step yet.
- Don’t use your bank cards online unless the site is secure and reputable. Make sure you are purchasing from a reputable company and website. Don’t trust a site just because it claims to be secure. Use credit cards so you can dispute the charges if something goes wrong. You can still be reimbursed for fraud on a debit card but the process often takes longer and your money is already gone.
- You may also take this additional step. Request a new card. Call the number on the back of the card. Explain to them, “Because of the Equifax credit breach, I would like you to treat my credit card number as having been stolen and send me a card with a new number.” There should not be a fee as your card was compromised by Equifax, not by your negligence. If you have more than one card, you may not want to cancel them all at once. After the old credit card has been cancelled and before you have received the new credit card you may need to have a credit card for convenience. Additionally, some automatic payments may fail. I have not taken this step personally.
None of these steps are foolproof, but by taking concrete steps to protect yourself, your identity, and your money, you make it much, much harder for hackers and scammers.
As always, please let me know if you have any questions or concerns. My team and I are always happy to be of service in any way we can.
Building Your 2nd Half,