I’m pretty sure even if you were hiding under a rock in some remote corner of America you probably heard that credit reporting company Equifax was breached and confidential information on nearly 150 million Americans was stolen. Rather than handling it like an industry leader, they seemed to have stumbled around like a tyro startup experiencing their first breach. Much criticism has been leveled at the company for its apparently hamfisted opportunism by first leading consumers to a site that is supposed to show whether your info was exposed in the breach (news flash: most likely it was), and then after confirming the bad news (a result that appears initially to have been random, though possibly corrected now), dropping you into the signup page for their free credit-monitoring service. Initially the legalese surrounding this process suggested that by signing up for their free service you would be waiving your right to sue Equifax, but after a heated backlash from the internet, Equifax clarified their language to exclude the breach incident from this indemnification:
Unfortunately, they still seem to be bumbling their way through this, with continuing reports of false positive results from their website, compulsory signups for the credit monitoring service, as well as a stony silence on why they took over a month to report the breach, why 3 executives sold off stock before the announcement, or why we should trust them to monitor our credit when they were the ones that lost our data in the first place.
What should I do now?
Cybercriminals have had your information for at least a month if not longer (from prior breaches), and with the amount of information now exposed (SSN, DOB, addresses, credit history) and capabilities of well-funded (and now well-armed) cybercrime organizations, the likelihood of your identity getting stolen is growing, but you still have to “win” the equivalent of an anti-lottery among 140M people. Because of the amount of publicity the Equifax breach is receiving and the gravity of the matter, there is a lot of information out there both good and misleading, and the seeming urgency of the situation leads to snap judgments and possibly poor choices. Overall, the current consensus on what to do next is to put a freeze on your account at the three major credit reporting companies: Equifax, Experian and TransUnion. This action is often poorly understood or explained, but Brian Krebs does a great job explaining what it is and why you should do it.
If you can’t get to their respective websites to initiate a credit freeze, here are the numbers you can call to initiate a credit freeze:
- TransUnion: 1-888-909-8872
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
Get a copy of your current credit report, if only for historical documentation and spotting new, unauthorized items that might appear later: Government-mandated Credit Reporting Website. In case you were wondering if this was legitimate, here are the sources:
If your identity gets stolen, or you suspect that a theft is in process, this page provides easy-to-understand steps on what to do next.
If you are civic-minded and believe that “something should be done about this mess”, you can use this page to send a message to your congress-critter.
As always, stay vigilant, even paranoid, in these less secure times. Be on the lookout for scams exploiting the FUD created by this breach, and NEVER give out your personal information to anyone who calls you directly unless (a) you contacted them first, and (b) you verify they are who they say they are and that they are legitimate. There is never a better time to rely on the experts in the business, but you should work with people you trust. Don’t have a trusted lawyer, financial adviser or IT professional? Ask someone who you trust if they know someone, and then ask another person you trust for someone else. Don’t be afraid to ask for references, and in the case of licensed or certified professionals, it’s never rude to ask for credentials, especially if you can’t meet them in person. As you know, “On the internet, nobody knows that you’re a fake.”
Much thanks to this post on Reddit (Warning: very useful info interspersed with salty language)
Image courtesy of Miles Stuart on FreeDigitalPhotos.net