Q&A: What to know, what to do about Equifax data breach
How to prevent ID theft in wake of massive exposure of records
Editor's note: This article was updated Oct. 2, 2018 to include new information about credit freezes.
The massive data breach at Equifax announced in September 2017 exposed potent information for identity theft, experts said. So millions of U.S. consumers should take steps to protect themselves from having their identity hijacked to open new accounts, collect government benefits or obtain medical services.
“Unfortunately, this is very rich data that thieves can use in a variety of ways,” said Eva Velazquez, CEO of the nonprofit Identity Theft Resource Center in San Diego.
Social Security numbers, birth dates, addresses and in some cases driver’s license numbers were exposed for about 143 million in the U.S., Equifax announced Sept. 7. Since then the company has revised upward the total number affected to 147.9 million in the U.S., as of March 2018. The number of driver's licenses exposed is between 10 million and 11 million, according to news reports citing company sources.
About 209,000 people’s credit card numbers were accessed, and 182,000 people’s credit dispute documents, which contained personal information. Equifax said it will notify those people by mail if they are affected.
Here are questions about the data breach and what you can do to protect yourself. The information is drawn from Equifax, the Identity Theft Resource Center, the U.S. Federal Trade Commission, and the National Consumer Law Center.
Q. Were my identifying details taken in the Equifax hack?
A. Equifax has set up a website to check whether you have been affected. Enter your last name and the last six digits of your Social Security number to find out.
If you are among the Americans whose personal data was exposed but not a Social Security number, Equifax will mail written notices to you, the company has said.
Q. Enrollment expired Jan. 31, 2018 for Equifax's offer of a year of identity theft protection. What else is the company doing to help keep my identity safe?
A. On Jan. 31, Equifax rolled out a free mobile and desktop application called Lock & Alert that lets users control access to their credit report. The app is available to anyone with an Equifax credit report, whether they were affected by the breach or not.
The tool allows you to shut off access to your credit report by pushing a button, blocking fraudsters from opening new accounts in your name.
When applying for credit, you can temporarily turn access to your report back on. In that way the service is similar to a credit report freeze available under most state laws. However, as the terms state, the service is not the same as a credit freeze available under state law.
Q. I signed up for the year of credit monitoring before the enrollment offer expired. Will I start getting billed for it at the end of the one-year free period?
A. People signing who signed up for the service will not be billed for it after the one-year period ends, the company has said.
Q. What else should I do to keep identity thieves from using my name, Social Security number and other identifying information to open accounts?
A. Experts say consider freezing your credit report at the three main reporting bureaus – whether your data was exposed in the breach or not. A three-bureau freeze blocks access to your credit file, so thieves can’t open an account and run up debts under your name. It will also be difficult for you to apply for legitimate credit, without first unlocking the report.
Freeze your credit for free - online or by phone
Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.
Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”
Short of a freeze, routine measures will provide some protection, or at least inform you when ID theft has occurred. Everyone is entitled to check their full credit report from each of the big three bureaus once a year. Experts recommend to check one report every four months, to spread your monitoring effort out during the year. Get your free reports through AnnualCreditReport.com.
You can also set up a fraud alert at the credit bureaus to alert creditors that your identifying data has been hacked. This should cause lenders to contact you to confirm any applications for credit they receive are genuine.
Q. I signed up for Equifax’s free credit monitoring. Will that block me from getting payments from a class-action lawsuit against them?
According to Equifax’s financial report to investors, more than 240 class actions have been launched on behalf of breach victims in the U.S. and Canada. U.S. cases are being combined in U.S. District Court in Atlanta, where Equifax is headquartered, under Judge Thomas W. Thrash Jr. The terms for the new Lock & Alert service do not include a class-action waiver.
People who sign up for services not related to the cybersecurity breach, such as paid credit monitoring, can still opt out of the class-action ban. To do so, you must send an opt-out letter within 30 days of signing up for the service. Opting out should not affect how services are provided. Here are the instructions to opt out:
To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.”
Q. Apart from opening new accounts, what else can ID thieves do with data they got?
A. Experts say to file your taxes early as a precaution against tax return fraud. ID thieves may claim to be you and file a false tax return seeking federal benefits.
Also, be on the watch for medical identity theft. In this scam, thieves get medical treatment and potentially insurance benefits by using your name. The FTC has information about spotting and fighting medical identity theft here.
Time to check statements, accounts regularly
While freezing your credit reports is the strongest protection from identity theft, its scope is limited to credit fraud such as new credit cards opened in your name, or the hijacking of existing accounts with new addresses and contact information.
As data breaches become common, U.S. consumers should expect to devote more time to checking their transaction statements and protecting their accounts, Velazquez said. “It is definitely time for a national conversation about security versus convenience,” she said.
Editor’s note: this article has been updated to reflect Equifax’s statement that it will not charge people for credit monitoring at the end of the one-year free period. The company has also stated that it will not block people from joining lawsuits against Equifax if they take advantage of the free credit monitoring.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...