Q&A: What to know, what to do about Equifax data breach

How to prevent ID theft in wake of massive exposure of records


The massive data breach at Equifax announced in September 2017 exposed potent information for identity theft, experts said. So millions of U.S. consumers should take steps to protect themselves from having their identity hijacked to open new accounts, collect government benefits or obtain medical services.

“Unfortunately, this is very rich data that thieves can use in a variety of ways,” said Eva Velazquez, CEO of the nonprofit Identity Theft Resource Center in San Diego.

Social Security numbers, birth dates, addresses and in some cases driver’s license numbers were exposed for about 143 million people in the U.S., Equifax announced Sept. 7. Since then the company has revised the total number affected upward to 147.9 million in the U.S., as of March 2018. The number of driver's licenses exposed is between 10 million and 11 million, according to news reports citing company sources.

About 209,000 people’s credit card numbers were accessed, as were 182,000 people’s credit dispute documents, which contained personal information. Equifax said it will notify those people by mail if they are affected.

Here are questions about the data breach and what you can do to protect yourself. The information is drawn from Equifax, the Identity Theft Resource Center, the U.S. Federal Trade Commission, and the National Consumer Law Center.

Q. Were my identifying details taken in the Equifax hack?

A. Equifax has set up a website to check whether you have been affected. Enter your last name and the last six digits of your Social Security number to find out. 

If you are among the Americans whose personal data was exposed but not a Social Security number, Equifax will mail written notices to you, the company has said.

Q. Enrollment expired Jan. 31, 2018 for Equifax's offer of a year of identity theft protection. What else is the company doing to help keep my identity safe?

A. On Jan. 31, Equifax rolled out a free mobile and desktop application called Lock & Alert that lets users control access to their credit report. The app is available to anyone with an Equifax credit report, whether they were affected by the breach or not.

The tool allows you to shut off access to your credit report by pushing a button, blocking fraudsters from opening new accounts in your name.

When applying for credit, you can temporarily turn access to your report back on. In that way the service is similar to a credit report freeze available under most state laws. However, as the terms state, the service is not the same as a credit freeze available under state law.

Q. I signed up for the year of credit monitoring before the enrollment offer expired. Will I start getting billed for it at the end of the one-year free period?

A. People who signed up for the service will not be billed for it after the one-year period ends, the company has said.

Q. What else should I do to keep identity thieves from using my name, Social Security number and other identifying information to open accounts?

A. Experts say to consider freezing your credit report at the three main reporting bureaus – whether your data was exposed in the breach or not. A three-bureau freeze blocks access to your credit file, so thieves can’t open an account and run up debts under your name. It will also be difficult for you to apply for legitimate credit without first unlocking the report.

There are charges for the freeze, which vary from state to state. Here are links to the credit report freeze at Equifax, Experian and TransUnion.

TransUnion, another big-three credit bureau, offers a lock on its credit reports as part of a free service called TrueIdentity. The service requires no credit card to begin, but users face multiple attempts to upsell them into other products.

Experian, the third of the big three credit bureaus, has not announced a free option for locking your credit file. It continues to sell services that include credit report locking on its website, for a monthly fee. 

Short of a freeze, routine measures will provide some protection, or at least inform you when ID theft has occurred. Everyone is entitled to check their full credit report from each of the big three bureaus once a year. Experts recommend checking one report every four months to spread your monitoring effort out during the year. Get your free reports through AnnualCreditReport.com.

You can also set up a fraud alert at the credit bureaus to alert creditors that your identifying data has been hacked. This should cause lenders to contact you to confirm any applications for credit they receive are genuine.  

Q. I signed up for Equifax’s free credit monitoring. Will that block me from getting payments from a class-action lawsuit against them?

A. Equifax has dropped the ban on legal action from the terms of use for its credit monitoring service since it announced the breach in September. The legal language had included a “class-action waiver” preventing people from joining a class-action lawsuit.

According to Equifax’s financial report to investors, more than 240 class actions have been launched on behalf of breach victims in the U.S. and Canada. U.S. cases are being combined in U.S. District Court in Atlanta, where Equifax is headquartered, under Judge Thomas W. Thrash Jr. The terms for the new Lock & Alert service do not include a class-action waiver.

However, the ban on customer lawsuits still appears on Equifax’s general terms of use for products purchased on its main website. The terms on the website specifically exempt the Lock & Alert service, TrustedID, and the web pages related to the cybersecurity breach.

People who sign up for services not related to the cybersecurity breach, such as paid credit monitoring, can still opt out of the class-action ban. To do so, you must send an opt-out letter within 30 days of signing up for the service. Opting out should not affect how services are provided. Here are the instructions to opt out:

“To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.”

Q. Apart from opening new accounts, what else can ID thieves do with data they got?

A. Experts say to file your taxes early as a precaution against tax return fraud. ID thieves may claim to be you and file a false tax return seeking federal benefits.

Also, be on the watch for medical identity theft. In this scam, thieves get medical treatment and potentially insurance benefits by using your name. The FTC has information about spotting and fighting medical identity theft here.

Time to check statements, accounts regularly

While freezing your credit reports is the strongest protection from identity theft, its scope is limited to credit fraud such as new credit cards opened in your name, or the hijacking of existing accounts with new addresses and contact information.

As data breaches become common, U.S. consumers should expect to devote more time to checking their transaction statements and protecting their accounts, Velazquez said. “It is definitely time for a national conversation about security versus convenience,” she said. 

Editor’s note: this article has been updated to reflect Equifax’s statement that it will not charge people for credit monitoring at the end of the one-year free period. The company has also stated that it will not block people from joining lawsuits against Equifax if they take advantage of the free credit monitoring.



Updated: 06-20-2018