What to do about the Equifax Breach and Potential Identity Theft
As you’ve probably heard, this week Equifax Inc. (one of the “big-three” credit bureaus) announced a cybersecurity incident that involved a data breach of 143 million U.S. consumer records. The information that was exposed includes: names, Social Security numbers, birth dates, addresses and some driver’s license numbers, amongst other things. Some credit card numbers were also exposed. This data breach exposes millions of US citizens to potential Identity Theft. This is also all the information someone would need to fraudulently file an income tax return on your behalf.
The records were accessed by criminals who hacked into a web server run by Equifax. The criminals had access for an extended period of time – from May through July of this year. This means the information is certainly in the hands of individuals who could use it for Identity Theft.
How do you know if your records were exposed? First of all, 143 million is nearly half the population of the U.S. There’s a good chance you are impacted, but Equifax is providing a website to positively confirm if your records were exposed.
Equifax is providing this website: https://www.equifaxsecurity2017.com in order to allow consumers to confirm whether or not their account was impacted (“Potential Impact” tab), and to provide information about the incident. This page is where you check if you were impacted.
Beyond that, what else is Equifax doing to help mitigate damage? They are also offering complimentary identity protection and credit file monitoring services for 1 year. These services are of dubious value – they really only inform you that someone has stolen your identity and opened a new credit account in your name. They are only alerting you after the identity theft has occurred. Additionally, after the “free year”, it will be $19.95 per month – forever – quite expensive for no real value. Should we be rewarding Equifax by handing them 143 million potential future customers?
We are going to discuss some much more effective, proactive measures that can help prevent Identity Theft. It’s a four-step process specifically for people impacted by this data breach, but the advice applies for anyone who might be the victim of identity theft through other means. As a bonus, it’s going to be cheaper than using credit monitoring services for the rest of your life.
In a nutshell, determine if your records were breached, using the Equifax website, and then:
- File an Initial Fraud Alert – this will put protection onto your credit quickly, at no cost.
- Check your credit report using http://annualcreditreport.com to ensure a fraudulent account hasn’t already been created (unlikely, but possible)
- Put a Credit Freeze in place across all three credit bureaus. This may involve cost, and it will cause some inconvenience, if you rely on constantly opening new credit.
- File next year’s tax return as early as possible
Please understand that I do not recommend signing up for Equifax’s complimentary credit monitoring service. It is not the best move you can make to protect against identity theft, and it will be expensive over the long term – for no real benefit.
We’ll discuss in detail each of these steps, and why I think they make sense.
Step 1 – Initial Fraud Alert
You should probably file an Initial Fraud Alert. What’s that? Once in place, potential creditors should contact you for confirmation anytime you (or a thief) tries to open up a new account. It puts you in the loop effectively blocking any identity theft. This lasts for 90 days.
What’s even better – this is a free service. It’s open to anyone that “suspects they are a victim of identity theft”. When you submit it, you’ll be asked to confirm that: “You certify that you have a good faith suspicion that you have been or are about to become a victim of fraud or related crime, including identity theft”.
It’s also easy – once opened with any one of the credit bureaus, they have to share the information with the other two credit bureaus.
Given the circumstances, I think this step is appropriate if Equifax’s impact report came back and indicated your information is at risk. This is the best zero cost, easy step to ensure your information is not abused. And you can put this in place quickly.
Use this link to request an Initial Fraud Alert with Equifax
Once this step is done, you’ve bought yourself a little bit of breathing room.
Step 2 – Check Your Free Annual Credit Report
You should be checking your credit report every year, but in the wake of this incident it’s probably time to do that regardless. You are entitled to 1 free credit report (from each bureau) per year via: https://www.annualcreditreport.com/. This covers the “big-three” : Equifax, Experian, and TransUnion. These credit reports will show you all the information related to your account that the bureau has on file, including accounts and balances. If you find an account that isn’t legit you can dispute it.
Step 3 – Credit Freeze
The third step is to request a credit freeze with all the major credit bureaus. This is a longer term proactive measure. Remember that your Initial Fraud Alert only lasts 90 days. And after you understand what a credit freeze is, you’ll likely want to leave it in place forever. Why? If your information was breached – it’s going to be around forever … your Social Security Number isn’t changing. And this information will be sold and traded by criminals on the “dark web” for years to come.
What is a credit freeze?
A credit freeze (or security freeze) lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. Creditors need to see your credit report before they approve a new account. If they can’t see your file, they will not extend the credit.
You read that correctly, a credit freeze only makes it more difficult, not impossible, for criminals to steal your identity. A freeze does not prevent a thief from making charges to your existing accounts. You will still need to monitor all bank, credit card and insurance statements for fraudulent transactions, and check your annual credit report regularly. A credit freeze makes it less convenient to get new credit, and there are potentially costs involved – in both placing and lifting the freeze. Still, this is the best action to take, especially compared to the dubious value (and expense) of a credit monitoring service.
Does a credit freeze affect my credit score?
A credit freeze will not affect your credit score in any way.
Can I still open a new account with a credit freeze in place?
You will need to lift the freeze temporarily or permanently before applying for a new credit account. This will take some time and effort, and may include cost. “Instant credit” is not going to be available. It’s definitely less convenient than leaving your credit report unlocked and open all the time. But how often do you really need to be opening new credit accounts?
In Florida, there are no fees for victims of identity theft (with a police or postal theft report as proof) and seniors aged 65 years and older. For all others, there is a $10 fee to place, temporarily lift or to remove a security freeze.
If you live in another state, use the Consumers Union site to find the fees applicable to you.
NOTE: As a result of the breach, Equifax is waiving security freeze fees for all requesters until Nov 21, 2017.
How Do I Place the Credit Freeze?
You can place a credit freeze online. To be effective, you’re going to need to request a freeze with each of the “big-three” credit-reporting bureaus:
In addition, there are two smaller credit bureaus you may want to contact:
Or contact each of the nationwide credit reporting companies via phone:
- Equifax — 1-800-349-9960
- Experian — 1‑888‑397‑3742
- TransUnion — 1-888-909-8872
Typically, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. If you have lived in your current residence for less than 2 years, you’ll need to provide the previous address also. Fees vary based on where you live, but commonly range from $5 to $10 (with each credit bureau).
How Do I Lift the Credit Freeze?
A freeze remains in place until you ask the credit reporting company to temporarily lift it or remove it altogether.
Each credit reporting bureau will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place and do not lose it. You will need it when you choose to lift the freeze.
It can take up to 3 business days for a credit freeze to be lifted. You will need to plan in advance before attempting to open a new account.
To keep costs reasonable, you will also want to inquire which credit bureau is used when opening a new account – that way you can avoid lifting the freeze across all 3 bureaus.
Other Things to Consider
Before you place credit freezes, be aware:
- Utility and service providers often run background credit checks. These will fail with a freeze in place.
- Likewise, potential employers may run background checks that involve credit.
Step 4 – Plan to File Next Year’s Tax Return As Soon As Possible
If you were impacted, you should assume someone might fraudulently file a tax return on your behalf next year. The best defense? Be first to submit the tax return. Therefore, you should plan to file yours as early as possible in 2018. Fraudulent tax returns have become quite popular in recent years.
Next Steps – More About Identity Theft in Other Forms
That’s the 4-step process. You may want to continue reading to find out a bit more about other options for protecting your credit, as well as general tips on Identity Theft.
More About Fraud Alerts
We talked about the Initial Fraud Alert earlier. An Initial Fraud Alert can be filed by anyone who believes they may be subject to identity theft – but it only lasts for 90 days. It can be renewed after 90 days. You can also put an Extended Fraud Alert into place for 7 years, if you have a police report about actual identity theft.
Unlike a credit freeze, a fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. There are 3 types of fraud alert:
- Initial Fraud Alert – If you believe you are imminently in danger of identity theft, but haven’t necessarily become a victim yet, you should put this in place. This alert will protect your credit from unverified access for 90 days.
- Extended Fraud Alert. For victims of identity theft, an extended fraud alert will protect your credit for seven years. You will need a police report detailing the identity theft.
- Active Duty Military Alert. For those in the military who want to protect their credit while deployed, this fraud alert lasts for one year.
Unlike a freeze, a fraud alert is free, and only needs to be placed with one credit bureau, who will communicate it to the other two.
As we indicated initially, if Equifax’s site reports that you are impacted by this breach, you should be filing a Initial Fraud Alert, in my opinion.
Other Ways Identity Theft Can Happen
A data breach isn’t the only way identity theft can happen. These are other methods that thieves use:
- Steal wallets and purses containing personal identification and credit/bank cards.
- Steal mail, including bank and credit card statements, pre-approved credit offers, new
checks and tax information
- Complete a change of address form to divert mail to another location.
- Rummage through trash, or the trash of businesses, for personal data in a practice known as “dumpster diving”
- Find personal information in homes
- Use personal information individuals share on the Internet
- Send e-mail posing as legitimate companies or government agencies with which
individuals do business.
- Get information from the workplace in a practice known as “business record theft” by
stealing files out of offices where a person is a customer, employee, patient or student,
bribing an employee who has access to personal files, or “hacking” into electronic files.
Other Steps to Avoid Identity Theft
All consumers should consider taking these steps to prevent identity theft from occurring:
- Review Credit Reports from each of the three major credit bureaus once a year.
- Place passwords on your credit card, bank and phone accounts.
- Secure personal information in your home.
- Ask about information security procedures in your workplace.
- Don’t carry your social security card with you; leave it in a secure place.
- Don’t give out your social security number unless it is absolutely necessary; ask to use
other types of identifiers when possible.
- Don’t give out personal information over the phone, through the mail or over the internet
unless you have initiated the contact or are sure you know with whom you are dealing.
- Guard your mail and trash from theft.
- Destroy offers of credit received in the mail that you do not respond to; you may choose to opt-out of receiving free offers of credit.
- Carry only the identification information and the number of credit/debit cards that you
- Pay attention to your billing cycles—follow up with creditors if bills do not arrive on
- Be wary of promotional scams.
- Keep your purse or wallet in a safe place at work.
- Notify your credit card company if you are planning to travel out of state.