
The Equifax breach - what to do?

Posted on: 2017-09-16

Update

27 July 2019

Good news! You can now claim for time and money lost trying to deal with the Equifax breach. Here are two articles about it...

Claiming your $125 from Equifax is a "moral duty"

You Have a Moral Obligation to Claim Your $125 From Equifax

You can claim significantly more than $125, as you can claim up to 20 hours at $25 per hour, plus any money spent. We had to spend money to freeze some credit reports.

As the articles argue, there are good reasons for people who were affected to claim more than the $125: holding personal information needs to be more costly for companies, and penalties (such as this claim) will mean they are serious about security if they do hold it.

Claiming is actually relatively quick and easy. Just go to

EQUIFAX DATA BREACH SETTLEMENT

Filling in the form is pretty quick and easy - probably less than 10 mins effort.

As discussed in this article, for a company whose business is storing personal information, Equifax had basically no security. Not only that, when they knew they had a breach it took them over a month to even report the fact.

Summary

If you live in the USA, you should assume that, due to the Equifax hack, your data is available to hackers. You should therefore protect yourself.

  1. Don't bother going to Equifax to see if your data has been hacked - just assume it is.
  2. If you don't need credit services anytime soon I would suggest you put a freeze on your credit report - this will stop identity thieves being able to open accounts/credit cards in your name.
  3. Stop credit card offers being sent to your home. They just provide a mechanism for thieves to open credit cards in your name with exactly the information from the breach.  And bonus! Less junk mail. Do this by going to optoutprescreen.com.
  4. You might consider purchasing identity protection services - but I can't recommend any, and many seem pretty dodgy.

How to freeze your credit report: click the name link to try to freeze online, or use the telephone number.

When I tried it, Equifax and Innovis were free. TransUnion and Experian will charge you - for me it was 10 USD each.

Also note that TransUnion's website was very flaky when I tried it, but did work. Experian's website did not work at all, so I had to freeze via the phone number.

Consumer Reports came out with a pretty good article covering what to do, including getting two-factor authentication and observing that you may not have any protection with mutual funds.

Update 2:

It's probably a good idea to do a freeze on Chex Systems. I'm not entirely sure what they do - they seem like another credit reporting agency of a sort. Anyway, doing a freeze on their system is free, and is recommended on several other reputable sites such as Krebs on Security.

https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/Information

Update 1:

So whilst this is all reasonable advice, I did come across via a colleague an issue that might cause you some problems.

Apparently many organizations use Equifax (and presumably the other companies) to verify your identity by accessing your credit report. To give a concrete example, certain states' Department of Transport websites use Equifax for identity verification. If you have a credit freeze with Equifax, they cannot verify your identity. In practice, if you went to the DOT website for your state and it used this, the site wouldn't be able to identify you, say when you tried to create an account.

This typically pulls up an error and asks you to contact the service directly. This may mean that you have to temporarily unfreeze, or verify your identity some other way.

This could be a real pain. On the other hand it's pain that identity thieves are far less likely to get past. So whilst it is inconvenient, inconvenience is also a sign of protection.

About The Hack

The Equifax breach happened a few days ago. So far they claim 145 million users' information - social security numbers, phone numbers, addresses and other data used to verify identity - has been extracted. The size of the hack means that you should assume your information has been hacked.

If you look at how the hack took place, it really is mind-blowing. They basically had no security! After the hack they didn't announce anything for over a month. In that month some high executives sold a considerable amount of shares.

Here's an article that apparently has information about the hack from the hackers themselves...

http://spuz.me/blog/zine/3Qu1F4x.html

An overview...

http://money.cnn.com/2017/09/11/technology/equifax-identity-theft/index.html

As these articles cover, the hacked information can be used for identity theft. For example, nefarious persons could use it to open credit card accounts in your name, with all the problems that will subsequently cause you.

What to do?

First, I would not bother to look up with Equifax whether your data is stolen - at this point I think you can just assume it is.

If you don't need credit anytime soon it is probably a good idea to freeze your credit report with the four major agencies...

Consumer Reports has some good information...

https://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/

But it doesn't cover Innovis. You can do a security freeze with them here

https://www.innovis.com/securityFreeze

In some states doing the freeze costs money. In the state I'm in it costs 10 USD for a freeze. As of today, though, both Innovis and Equifax did not charge me. You might be wondering - why on earth would I want to give more information to these companies, such as my credit card information? That is a good question, but it is likely they already have your credit card information, or at least some of it, as part of their database.

I tried to do these blocks myself online. The Equifax website is effectively broken. It asks you to fill in all your information, but when you get to the end, it says 'Unable to honor your request to place a security freeze on your personal credit report based on the information you entered'. I tried this with both my information and my wife's - neither worked.

In the end I could freeze on Experian using their somewhat tedious phone service available on 1-888-397-3742.

TransUnion works right up to the last stage in creating your account, and then displays 'system error'. If you go back to the start, log in using the account you created and continue the process, it does still work though.

An article on Krebs on Security points out at the end that there is a service where you can block credit card offers sent by mail. That's something you may want to block, not least to avoid all the junk mail! Such offers are also a prime vector for an identity thief to open credit cards using the data from the breach.

To block the credit card offers by mail go here

https://www.optoutprescreen.com/?rf=t

If you want to opt out permanently (as I did), clicking that option has you fill in the same form as the 5 year block, and it will put in place a 5 year block. At the end it gives you a letter you need to sign and mail to get the permanent block.

Identity Protection Services

Identity protection services claim to offer protection against identity theft, and typically insurance to cover losses due to identity theft up to a limit. Apparently, because of other breaches, other companies are offering such protection for free...

"Q: Beyond this breach, how would I know who is offering free credit monitoring?

A: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring."

Looking into that it doesn't seem easy to find a free service.

Services like LifeLock were originally created on a kind of hack on the database that the credit card providers made available. Basically LifeLock abused that system and there have been ongoing cases around it.

Well, and LifeLock specifically are a pretty unsavory lot...

https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states

So I wouldn't use LifeLock, and I don't know which are the reputable providers that actually offer a reasonable service. It may be best to think of such services as a type of insurance - that is, measure them by what insurance they provide after a fraud, and don't value the blocking capacity too highly.

With the above steps, I don't think the use of such services is so important.