Q&A: What to know, what to do about Equifax data breach


The data taken from credit bureau Equifax handed powerful tools for identity thieves, experts say. Here are steps to monitor your accounts and protect your identity from being hijacked.

Editor’s note: This article was updated Oct. 2, 2018 to include new information about credit freezes.

The massive data breach at Equifax announced in September 2017 exposed potent information for identity theft, experts said. So millions of U.S. consumers should take steps to protect themselves from having their identity hijacked to open new accounts, collect government benefits or obtain medical services.

“Unfortunately, this is very rich data that thieves can use in a variety of ways,” said Eva Velazquez, CEO of the nonprofit Identity Theft Resource Center in San Diego.

Social Security numbers, birth dates, addresses and in some cases driver’s license numbers were exposed for about 143 million people in the U.S., Equifax announced Sept. 7. Since then the company has revised the total number affected upward to 147.9 million in the U.S., as of March 2018. The number of driver’s licenses exposed is between 10 million and 11 million, according to news reports citing company sources.

About 209,000 people’s credit card numbers were accessed, as were 182,000 people’s credit dispute documents, which contained personal information. Equifax said it will notify those people by mail if they are affected.

Here are questions about the data breach and what you can do to protect yourself. The information is drawn from Equifax, the Identity Theft Resource Center, the U.S. Federal Trade Commission, and the National Consumer Law Center.

Q. Were my identifying details taken in the Equifax hack?

A. Equifax has set up a website to check whether you have been affected. Enter your last name and the last six digits of your Social Security number to find out.

If you are among the Americans whose personal data was exposed but not a Social Security number, Equifax will mail written notices to you, the company has said.

Q. Enrollment expired Jan. 31, 2018 for Equifax’s offer of a year of identity theft protection. What else is the company doing to help keep my identity safe?

A. On Jan. 31, Equifax rolled out a free mobile and desktop application called Lock & Alert that lets users control access to their credit report. The app is available to anyone with an Equifax credit report, whether they were affected by the breach or not.

The tool allows you to shut off access to your credit report by pushing a button, blocking fraudsters from opening new accounts in your name.

When applying for credit, you can temporarily turn access to your report back on. In that way the service is similar to a credit report freeze available under most state laws. However, as the terms state, the service is not the same as a credit freeze available under state law.

Q. I signed up for the year of credit monitoring before the enrollment offer expired. Will I start getting billed for it at the end of the one-year free period?

A. People who signed up for the service will not be billed for it after the one-year period ends, the company has said.

Q. What else should I do to keep identity thieves from using my name, Social Security number and other identifying information to open accounts?

A. Experts say to consider freezing your credit report at the three main reporting bureaus, whether your data was exposed in the breach or not. A three-bureau freeze blocks access to your credit file, so thieves can’t open an account and run up debts under your name. It will also be difficult for you to apply for legitimate credit without first unlocking the report.

Freeze your credit for free – online or by phone

Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.

Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”

Short of a freeze, routine measures will provide some protection, or at least inform you when ID theft has occurred. Everyone is entitled to check their full credit report from each of the big three bureaus once a year. Experts recommend checking one report every four months, to spread your monitoring effort out during the year. Get your free reports through

You can also set up a fraud alert at the credit bureaus to alert creditors that your identifying data has been hacked. This should cause lenders to contact you to confirm any applications for credit they receive are genuine.  

Q. I signed up for Equifax’s free credit monitoring. Will that block me from getting payments from a class-action lawsuit against them?

A. Equifax has dropped the ban on legal action from the terms of use for its credit monitoring service since it announced the breach in September. The legal language had included a “class-action waiver” preventing people from joining a class-action lawsuit.

According to Equifax’s financial report to investors, more than 240 class actions have been launched on behalf of breach victims in the U.S. and Canada. U.S. cases are being combined in U.S. District Court in Atlanta, where Equifax is headquartered, under Judge Thomas W. Thrash Jr. The terms for the new Lock & Alert service do not include a class-action waiver.

However, the ban on customer lawsuits still appears on Equifax’s general terms of use for products purchased on its main website. The terms on the website specifically exempt the Lock & Alert service, TrustedID, and the web pages related to the cybersecurity breach.


People who sign up for services not related to the cybersecurity breach, such as paid credit monitoring, can still opt out of the class-action ban. To do so, you must send an opt-out letter within 30 days of signing up for the service. Opting out should not affect how services are provided. Here are the instructions to opt out:


“To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.”


Q. Apart from opening new accounts, what else can ID thieves do with data they got?


A. Experts say to file your taxes early as a precaution against tax return fraud. ID thieves may claim to be you and file a false tax return seeking federal benefits.

Also, be on the watch for medical identity theft. In this scam, thieves get medical treatment and potentially insurance benefits by using your name. The FTC has information about spotting and fighting medical identity theft here.

Time to check statements, accounts regularly

While freezing your credit reports is the strongest protection from identity theft, its scope is limited to credit fraud such as new credit cards opened in your name, or the hijacking of existing accounts with new addresses and contact information.

As data breaches become common, U.S. consumers should expect to devote more time to checking their transaction statements and protecting their accounts, Velazquez said. “It is definitely time for a national conversation about security versus convenience,” she said.

Editor’s note: This article has been updated to reflect Equifax’s statement that it will not charge people for credit monitoring at the end of the one-year free period. The company has also stated that it will not block people from joining lawsuits against Equifax if they take advantage of the free credit monitoring.
