I’m pretty sure even if you were hiding under a rock in some remote corner of America you probably heard that credit reporting company Equifax was breached and confidential information on nearly 150 million Americans was stolen. Rather than handling it like an industry leader, they seemed to have stumbled around like a tyro startup experiencing their first breach. Much criticism has been leveled at the company for its apparently hamfisted opportunism by first leading consumers to a site that is supposed to show whether your info was exposed in the breach (news flash: most likely it was), and then after confirming the bad news (a result that appears initially to have been random, though possibly corrected now), dropping you into the signup page for their free credit-monitoring service. Initially the legalese surrounding this process suggested that by signing up for their free service you would be waiving your right to sue Equifax, but after a heated backlash from the internet, Equifax clarified their language to exclude the breach incident from this indemnification:
“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”
Unfortunately, they still seem to be bumbling their way through this, with continuing reports of false positive results from their website, compulsory signups for the credit monitoring service, as well as a stony silence on why they took over a month to report the breach, why 3 executives sold off stock before the announcement, or why we should trust them to monitor our credit when they were the ones that lost our data in the first place.
What should I do now?
Cybercriminals have had your information for at least a month if not longer (from prior breaches), and with the amount of information now exposed (SSN, DOB, addresses, credit history) and the capabilities of well-funded (and now well-armed) cybercrime organizations, the likelihood of your identity getting stolen is growing, but you still have to “win” the equivalent of an anti-lottery among 140M people. Because of the amount of publicity the Equifax breach is receiving and the gravity of the matter, there is a lot of information out there, both good and misleading, and the seeming urgency of the situation leads to snap judgments and possibly poor choices. Overall, the current consensus on what to do next is to put a freeze on your account at the three major credit reporting companies: Equifax, Experian and TransUnion. This action is often poorly understood or explained, but Brian Krebs does a great job explaining what it is and why you should do it.
If you can’t get to their respective websites to initiate a credit freeze, here are the numbers you can call instead:
- TransUnion: 1-888-909-8872
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
Get a copy of your current credit report, if only for historical documentation and spotting new, unauthorized items that might appear later: Government-mandated Credit Reporting Website. In case you were wondering if this was legitimate, here are the sources:
- https://www.usa.gov/credit-reports#item-35962
- https://www.transunion.com/annual-credit-report
- http://www.experian.com/consumer-products/free-credit-report.html
- https://www.consumer.ftc.gov/articles/0155-free-credit-reports
- https://en.wikipedia.org/wiki/AnnualCreditReport.com
If your identity gets stolen, or you suspect that a theft is in process, this page provides easy-to-understand steps on what to do next.
If you are civic-minded and believe that “something should be done about this mess”, you can use this page to send a message to your congress-critter.
As always, stay vigilant, even paranoid, in these less secure times. Be on the lookout for scams exploiting the FUD created by this breach, and NEVER give out your personal information to anyone who calls you directly unless (a) you contacted them first, and (b) you verify they are who they say they are and that they are legitimate. There is never a better time to rely on the experts in the business, but you should work with people you trust. Don’t have a trusted lawyer, financial adviser or IT professional? Ask someone you trust if they know someone, and then ask another person you trust for someone else. Don’t be afraid to ask for references, and in the case of licensed or certified professionals, it’s never rude to ask for credentials, especially if you can’t meet them in person. As you know, “On the internet, nobody knows that you’re a fake.”
Much thanks to this post on Reddit (Warning: very useful info interspersed with salty language)
Image courtesy of Miles Stuart on FreeDigitalPhotos.net
My SS was hacked back in 2013. When I went to the SS office they put a block on my SS as well as how to contact the credit bureaus and I contacted Equifax and signed up for a security block on all three credit agencies. I get notices when balances change, I get notifications on my cell if I’m making a large purchase on my credit cards. Should I cancel the program with Equifax?
You may consider canceling any paid subscriptions with Equifax, such as their credit monitoring, but if you just have a simple freeze on your Equifax account, keep it in place until you need to unfreeze for a new loan application or some other credit event.