The Equifax Breach: What You Should Know
It remains unclear whether
those responsible for stealing Social Security numbers and other data on as
many as 143 million Americans from big-three credit bureau Equifax intend
to sell this data to identity thieves. But if ever there was a reminder that
you — the consumer — are ultimately responsible for protecting your financial
future, this is it. Here’s what you need to know and what you should do in
response to this unprecedented breach.
Q: What information was
jeopardized in the breach?
A: Equifax was keen to
point out that its investigation is ongoing. But for now, the data at risk
includes Social Security numbers, birth dates, addresses on 143 million
Americans. Equifax also said the breach involved some driver’s license
numbers (although it didn’t say how many or which states might be impacted),
credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute
documents with personal identifying information for approximately 182,000 U.S.
consumers.”
Q: Was the breach limited
to Americans?
A: No. Equifax said it
believes the intruders got access to “limited personal information for certain
UK and Canadian residents.” It has not disclosed what information for those
residents was at risk or how many from Canada and the UK may be impacted.
Q: What is Equifax doing
about this breach?
A: Equifax is offering
one free year of their credit monitoring service. In addition, it has put up a
Web site — www.equifaxsecurity2017.com — that tried to let
people determine whether they were affected.
Q: That site tells me I
was not affected by the breach. Am I safe?
A: As noted in this
story from Friday, the site seems hopelessly broken, often returning differing
results for the same data submitted at different times. In the absence of more
reliable information from Equifax, it is safer to assume you ARE compromised.
Q: I read that the legal
language in the terms of service that consumers must accept before enrolling in
the free credit monitoring service from Equifax requires one to waive their
rights to sue the company in connection with this breach. Is that true?
A: Not according to
Equifax. The company issued a statement over the weekend saying that nothing in
that agreement applies to this cybersecurity incident.
Q: So should I take
advantage of the credit monitoring offer?
A: It can’t hurt, but I
wouldn’t count on it protecting you from identity theft
.
Q: Wait, what? I thought
that was the whole point of a credit monitoring service?
A: The credit bureaus
sure want you to believe that, but it’s not true in practice. These services do
not prevent thieves from using your identity to open new lines of credit, and
from damaging your good name for years to come in the process. The most you can
hope for is that credit monitoring services will alert you soon after an
ID thief does steal your identity.
Q: Well then what the heck
are these services good for?
A: Credit monitoring
services are principally useful in helping consumers recover from identity
theft. Doing so often requires dozens of hours writing and mailing letters, and
spending time on the phone contacting creditors and credit bureaus to
straighten out the mess. In cases where identity theft leads to prosecution for
crimes committed in your name by an ID thief, you may incur legal costs as
well. Most of these services offer to reimburse you up to a certain amount for
out-of-pocket expenses related to those efforts. But a better solution is to
prevent thieves from stealing your identity in the first place.
Q: What’s the best way to
do that?
A: File a security
freeze — also known as a credit freeze — with the four major credit bureaus.
Q: What is a security
freeze?
A: A security freeze
essentially blocks any potential creditors from being able to view or “pull”
your credit file, unless you affirmatively unfreeze or thaw your file
beforehand. With a freeze in place on your credit file, ID thieves can apply
for credit in your name all they want, but they will not succeed in getting new
lines of credit in your name because few if any creditors will extend that
credit without first being able to gauge how risky it is to loan to you (i.e.,
view your credit file). And because each credit inquiry caused by a creditor
has the potential to lower your credit score, the freeze also helps protect
your score, which is what most lenders use to decide whether to grant you
credit when you truly do want it and apply for it.
Q: What’s involved in
freezing my credit file?
A: Freezing your credit
involves notifying each of the major credit bureaus that you wish to place a
freeze on your credit file. This can usually be done online, but in a
few cases you may need to contact one or more credit bureaus by phone or
in writing. Once you complete the application process, each bureau will provide
a unique personal identification number (PIN) that you can use to unfreeze or
“thaw” your credit file in the event that you need to apply for new lines of
credit sometime in the future. Depending on your state of residence and your
circumstances, you may also have to pay a small fee to place a freeze at each
bureau. There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union. It’s a good idea
to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with
your latest credit report), so that when and if you need to undo the freeze,
the process is simple.
Q: How much is the fee,
and how can I know whether I have to pay it?
A: The fee ranges from $0 to
$15 per bureau, meaning that it can cost upwards of $60 to place a freeze at
all four credit bureaus (recommended). However, in most states, consumers can
freeze their credit file for free at each of the major credit bureaus if they
also supply a copy of a police report and in some cases an affidavit stating
that the filer believes he/she is or is likely to be the victim of identity
theft. In many states, that police report can be filed and obtained online. The
fee covers a freeze as long as the consumer keeps it in place. Consumers
Union has a
useful breakdown of state-by-state fees.
Q: But what if I need to
apply for a loan, or I want to take advantage of a new credit card offer?
A: You thaw the freeze
temporarily (in most cases the default is for 24 hours).
Q: What’s involved in
thawing my credit file? And do I need to thaw it at all three bureaus?
A: The easiest way to
unfreeze your file for the purposes of gaining new credit is to spend a few
minutes the phone with the company from which you hope to gain the line of
credit (or research the matter online) to see which credit bureau they rely
upon for credit checks. It will most likely be one of the major bureaus. Once
you know which bureau the creditor uses, contact that bureau either via phone
or online and supply the PIN they gave you when you froze your credit file with
them. The thawing process should not take more than 24 hours, but hiccups in
the thawing process sometimes make things take longer. It’s best not to wait
until the last minute to thaw your file.
Q: It seems that credit
bureaus make their money by selling data about me as a consumer to marketers.
Does a freeze prevent that?
A: A freeze on your
file does nothing to prevent the bureaus from collecting information about you
as a consumer — including your spending habits and preferences — and packaging,
splicing and reselling that information to marketers.
Q: Can I still use my
credit or debit cards after I file a freeze?
A: Yes. A
freeze does nothing to prevent you from using existing lines of credit you
may have.
Q: I’ve heard about
something called a fraud alert. What’s the difference between a security freeze
and a fraud alert on my credit file?
A: With a fraud alert
on your credit file, lenders or service providers should not grant credit in
your name without first contacting you to obtain your approval — by phone or
whatever other method you specify when you apply for the fraud alert. To place
a fraud alert, merely contact one of the credit bureaus via phone or online,
fill out a short form, and answer a handful of multiple-choice, out-of-wallet
questions about your credit history. Assuming the application goes through, the
bureau you filed the alert with must by law share that alert with the other
bureaus.
Consumers also can get
an extended fraud alert, which remains on your credit report for
seven years. Like the free freeze, an extended fraud alert requires a police
report or other official record showing that you’ve been the victim of identity
theft.
An active duty
alert is another alert available if you are on active military duty.
The active duty alert is similar to an initial fraud alert except that it lasts
12 months and your name is removed from pre-approved firm offers of credit or
insurance (prescreening) for 2 years.
Q: Why would I pay for a
security freeze when a fraud alert is free?
A: Fraud alerts only
last for 90 days, although you can renew them as often as you like. More
importantly, while lenders and service providers are supposed to seek
and obtain your approval before granting credit in your name if you have a
fraud alert on your file, they are not legally required to do this
— and very often don’t.
Q: Hang on: If I thaw my
credit file after freezing it so that I can apply for new lines of credit,
won’t I have to pay to refreeze my file at the credit bureau where I thawed it?
A: It depends on your
state. Some states allow bureaus to charge $5 for a temporary thaw or a lift on
a freeze; in other states there is no fee for a thaw or lift. However, even if
you have to do this once or twice a year, the cost of doing so is almost
certainly less than paying for a year’s worth of credit monitoring services.
Again, Consumers Union has a handy state-by-state
guide listing
the freeze and unfreeze laws and fees.
Q: What about my kids?
Should I be freezing their files as well? Is that even possible?
A: Depends on your
state. Roughly half of the U.S. states have laws on the books allowing freezes
for dependents. Check out The
Lowdown on Freezing Your Kid’s Credit for more information.
Q: Is there anything I
should do in addition to placing a freeze that would help me get the upper hand
on ID thieves?
A: Yes: Periodically
order a free copy of your credit report. By law, each of the three major credit
reporting bureaus must provide a free copy of your credit report each year —
via a government-mandated site: annualcreditreport.com. The best way to take advantage of this right is to make a
notation in your calendar to request a copy of your report every 120 days, to
review the report and to report any inaccuracies or questionable entries when
and if you spot them. Avoid other sites that offer “free” credit reports and then
try to trick you into signing up for something else.
Q: I just froze my credit.
Can I still get a copy of my credit report from annualcreditreport.com?
A: According to
the Federal Trade Commission, having a freeze in place should not
affect a consumer’s ability to obtain copies of their credit report from
annualcreditreport.com.
Q: If I freeze my file,
won’t I have trouble getting new credit going forward?
A: If you’re in the habit of
applying for a new credit card each time you see a 10 percent discount for
shopping in a department store, a security freeze may cure you of that impulse.
Other than that, as long as you already have existing lines of credit (credit
cards, loans, etc) the credit bureaus should be able
to continue to monitor and evaluate your creditworthiness should you decide at
some point to take out a new loan or apply for a new line of credit.
Q: Can I have a freeze AND
credit monitoring?
A: Yes,
you can. However, it may not be possible to sign up for credit monitoring
services while a freeze is in place. My advice is to sign up for whatever
credit monitoring may be offered for free, and then put the freezes in place.
Q: Beyond this breach, how
would I know who is offering free credit monitoring?
A: Hundreds of companies —
many of which you have probably transacted with at some point in the last year
— have disclosed data breaches and are offering free monitoring. California
maintains one of the most comprehensive lists of companies that
disclosed a breach, and most of those are offering free monitoring.
Q: I see that Trans Union
has a free offering. And it looks like they offer another free service called a
credit lock. Why shouldn’t I just use that?
A: I haven’t used that
monitoring service, but it looks comparable to others. However, I take strong
exception to the credit bureaus’ increasing use of the term “credit lock” to
steer people away from securing a freeze on their file. I notice that Trans
Union currently does this when consumers attempt to file a freeze. Your mileage
may vary, but their motives for saddling consumers with even more
confusing terminology are suspect. I would not count on a credit lock to take
the place of a credit freeze, regardless of what these companies claim
(consider the source).
Q: I read somewhere that
the PIN code Equifax gives to consumers for use in the event they need to thaw
a freeze at the bureau is little more than a date and time stamp of the
date and time when the freeze was ordered. Is this correct?
A: Yes. However, this
does not appear to be the case with the other bureaus.
Q: Does this make the
process any less secure?
A: Hard to say. An
identity thief would need to know the exact time your report was ordered. Unless
of course Equifax somehow allowed attackers to continuously guess and increment
that number through its Web site (there is no indication this is the case).
However, having a freeze is still more secure than not having one.
Q: Someone told me that
having a freeze in place wouldn’t block ID thieves from fraudulently claiming a
tax refund in my name with the IRS, or conducting health insurance fraud using
my SSN. Is this true?
A: Yes.
There are several forms of identity theft that probably will not be blocked by
a freeze. But neither will they be blocked by a fraud alert or a credit lock.
That’s why it’s so important to regularly review your credit file with the
major bureaus for any signs of unauthorized activity.
Q: Okay, I’ve got a
security freeze on my file, what else should I do?
A: It’s also a good
idea to notify a company called ChexSystems to keep an eye out
for fraud committed in your name. Thousands of banks rely on ChexSystems to
verify customers that are requesting new checking and savings accounts, and
ChexSystems lets consumers place a security alert on their credit data to make
it more difficult for ID thieves to fraudulently obtain checking and savings
accounts. For more information on doing that with ChexSystems, see this
link.
Q: Anything else?
A: ID thieves like to
intercept offers of new credit and insurance sent via postal mail, so it’s a
good idea to opt out of pre-approved credit offers. If you decide that you
don’t want to receive prescreened offers of credit and insurance, you have two
choices: You can opt out of receiving them for five years or opt out of
receiving them permanently.
To opt out for five years:
Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and
website are operated by the major consumer reporting companies.
To opt out permanently:
You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your
request, you must return the signed Permanent Opt-Out Election form, which will
be provided after you initiate your online request.