Q&A: What to know, what to do about Equifax data breach
How to prevent ID theft in wake of massive exposure of records
By Fred O. Williams | Updated: September 15, 2017
The massive data breach at Equifax announced Thursday exposed potent information for identity theft, experts said. So millions of U.S. consumers should take steps to protect themselves from having their identity hijacked to open new accounts, collect government benefits or obtain medical services.
“Unfortunately this is very rich data that thieves can use in a variety of ways,” said Eva Velazquez, CEO of the nonprofit Identity Theft Resource Center in San Diego.
Social Security numbers, birth dates, addresses and in some cases driver’s license numbers were exposed for about 143 million in the U.S., Equifax announced Thursday.
In addition, about 209,000 people’s credit card numbers were accessed, and 182,000 people’s credit dispute documents, which contained personal information. Equifax said it will notify those people by mail if they are affected.
Here are questions about the data breach and what you can do to protect yourself. The information is drawn from Equifax, the Identity Theft Resource Center, the U.S. Federal Trade Commission, and the National Consumer Law Center.
Q. Were my
identifying details taken in the hack?
A. Equifax has set up a website to check whether you have been affected. Enter your last name and the last six digits of your Social Security number to find out. Initially, on Thursday, the form confused many users with responses that did not clearly say whether they were exposed. By Friday the form was modified to be more clear. People whose data was exposed are invited to return to sign up for ID theft monitoring at a future date, before Nov. 21 when the offer expires. The rolling enrollment period is to manage the volume of sign-ups and minimize delays, the company said.
Q. Equifax is
offering one year of free identity theft protection. Will signing up for that
keep my identity safe?
A. The service provides some protection from identity theft, but is not a complete shield. The service provides copies of your Equifax credit report and alerts you to changes in your credit file at the three main credit bureaus; Equifax, Experian and TransUnion. Such alerts can be red flags of ID theft, if applications for credit are made, or new accounts are opened, without your knowledge.
The service also monitors hacker websites for your Social Security number, as an added way of assessing your risk. It provides insurance for out-of-pocket expenses if your identity is hijacked, and locks access to your Equifax credit report for the creation of new financial accounts.
Q. Will I start getting billed for the credit monitoring at the end of the one-year free period?
A. People signing up for service now see a notice that they do not need to provide their credit card information at sign-up, and will not be billed for the credit monitoring service after the one-year period ends.
Q. What else should I
do to keep identity thieves from using my name, Social Security number and
other identifying information to open accounts?
A. Experts say consider freezing your credit report at the three main reporting bureaus – whether your data was exposed in the breach or not. A three-bureau freeze blocks access to your credit file, so thieves can’t open an account and run up debts under your name. It will also be difficult for you to apply for legitimate credit, without first unlocking the report. There are charges for the freeze, which vary from state to state. Here are links to the credit report freeze at Equifax, Experian and TransUnion.
Equifax has announced it will waive charges for credit freezes for U.S. consumers during the free enrollment period for its credit monitoring services – that is, until Nov. 21. It also said on Twitter that it will refund fees people paid for Equifax credit freezes since the breach was disclosed.
TransUnion, another big-three credit bureau, offers a lock on its credit reports as part of a free service called TrueIdentity. The service requires no credit card to begin, but users face multiple attempts to upsell them into other products.
Short of a freeze, routine measures will provide some protection, or at least inform you when ID theft has occurred. Everyone is entitled to check their full credit report from each of the big three bureaus once a year. Experts recommend to check one report every four months, to spread your monitoring effort out during the year. Get your free reports through AnnualCreditReport.com (you can also check your credit report for free at CreditCards.com.)
You can also set up a fraud alert at the credit bureaus to alert creditors that your identifying data has been hacked. This should cause lenders to contact you to confirm any applications for credit they receive are genuine.
Q. Will signing up for
Equifax’s credit monitoring block me from getting payments from a class-action
lawsuit against them?
However, the ban on customer
lawsuits still appears on Equifax’s general Terms of
Use for products
purchased on its main website “and all other websites owned or operated by
Equifax and its affiliates.” Consumer lawyers say this language could
potentially be used to dispute people’s right to take the company to court, or to
collect damages in a class-action lawsuit. As a guard against this possibility,
people signing up for TrustedID credit monitoring may opt-out of Equifax’s
arbitration requirement. To do so, you must send an opt-out letter within 30
days of signing up for the service. Opting out should not affect your credit monitoring service. Here are the instructions to opt out:
“To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.”
Q. Apart from opening
new accounts, what else can ID thieves do with data they got?
A. Experts say to file your taxes early as a prevention from tax return fraud. ID thieves may claim to be you and file a false tax return seeking federal benefits.
Also be on the watch for medical identity theft. In this scam, thieves get medical treatment and potentially insurance benefits by using your name. The FTC has information about spotting and fighting medical identity theft here.
Time to check
statements, accounts regularly
While freezing your credit reports is the strongest protection from ID theft, its scope is limited to credit fraud such as new credit cards opened in your name, or the hijacking of existing accounts with new addresses and contact information.
As data breaches become common, U.S. consumers should expect to devote more time to checking their transaction statements and protecting their accounts, Velazquez said. “It is definitely time for a national conversation about security versus convenience,” she said.
Editor’s note: this article has been updated to reflect Equifax’s statement that it will not charge people for credit monitoring at the end of the one-year free period. The company has also stated that it will not block people from joining lawsuits against Equifax if they take advantage of the free credit monitoring. A further update reflects Equifax's statement that it will temporarily waive fees to freeze U.S. consumers' credit reports.
- Equal Credit Opportunity Act: Protection from credit discrimination – An August 2017 discrimination settlement against American Express highlights why regulators and consumers need to be more wary ...
- Credit freeze costs come under fire – Following the data breach at Equifax, consumers, lawmakers ask: Why should we pay for credit bureau's blunder? ...
- How credit freezes work, what they cost – Credit freezes can be great tools for protecting yourself against identity theft, experts say, but they're not for everyone ...