The Equifax breach, which occurred over 2-1/2 months, compromised personal data, including Social Security numbers. The incursion affects three-quarters of US adults with a credit score. Here’s a concise look at what happened, the variety of steps that consumers can take, and the pressure for new steps to guard credit data.
Q: What happened?
From mid-May through July, hackers exploited a weakness in the software of Equifax, a credit agency, to steal the private information of some 143 million people. It is the largest known breach in the United States in terms of sheer numbers, and it involves what the National Consumer Law Center (NCLC) calls “the mother lode” of personal data: full names, addresses, birth dates, and Social Security numbers. In some cases, driver’s licenses, credit-card numbers, and other records were also exposed. With that data, identity thieves can apply for credit cards, take out loans, and even file for federal tax refunds – all in another person’s name.
On July 30, a day after observing suspicious activity on its network, Equifax closed the breach.
Q: What should consumers do right now?
Identity theft experts say the breach is too serious to ignore. At a minimum, consumers can find out if their information is at risk by going to Equifax’s special website – equifaxsecurity2017.com/potential-impact – or calling 866-447-7559. [Editor's note: Several readers say the phone option doesn't work.] They then can request a copy of their credit report at AnnualCreditReport.com from all three credit agencies (the other two being Experian and TransUnion). Individuals can obtain a free report once a year from each agency.
Consumers should review the reports to ensure they recognize every credit account that’s been opened in their name. If there’s something wrong or unfamiliar, they should contact the credit agency.
Q: If a consumer doesn’t notice any credit problems in the next month or so, does that mean everything is OK?
The effects of the Equifax breach are ongoing. Identity thieves may wait months or years before using data. “Once your information is exposed and compromised, there’s no putting it back in the box,” says Eva Velasquez, president of the Identity Theft Resource Center (ITRC), a nonprofit that helps consumers protect themselves free of charge.
Cyber criminals are intent on stealing Social Security numbers, a tactic that has proved to be one of the most effective routes to identity theft, according to the ITRC. During the first half of 2017, about 60 percent of breaches in the US involved the exposure of Social Security numbers, down only slightly from the figure for the first half of 2016 (61 percent).
Q: What are consumers’ options for a permanent fix?
The most aggressive step – one that several experts recommend – is a credit freeze. Lending companies and potential employers won’t be able to pull a person’s credit report unless the individual lifts the freeze. Depending on the state and the person’s status as an identity fraud victim, and whether the person unfreezes the file temporarily or permanently, it might cost between $5 and $10 to freeze or unfreeze the report. Credit freezes are free at Equifax for the moment, but to be effective a freeze should be placed with all three credit agencies.
For some people, a freeze might not be right – for those whose job requires frequent moves or background checks that involve pulling their credit report, for example. These individuals can opt for milder protection in the form of credit monitoring. For a fee, companies will track consumers’ credit use at all three credit agencies and send alerts for any suspicious activity. Some employers, banks, insurance companies, and credit cards offer free credit monitoring from some of the credit agencies, points out Lisa Gerstner, a contributing editor at Kiplinger’s Personal Finance. Equifax is allowing people affected by the breach to sign up for a year of free monitoring via its TrustedID service.
Ms. Gerstner says yet another option is to initiate a fraud alert, which tells companies pulling a credit report that the individual may have been a victim of identity theft. This allows them to take extra steps to verify the person’s identity. The alert is free but expires after 90 days, so it has to be reactivated frequently.
Q: Why do consumers have to do all this work and pay fees when they did nothing wrong?
“Good question,” Chi Chi Wu, an NCLC attorney, writes in an email. “We think Equifax should pay for those freezes” at the other credit agencies. The ITRC is pressing the agencies to eliminate their fees.
With its shares plunging and widespread criticism for a slow and sloppy response to the data breach, Equifax is facing a huge backlash in the form of class-action lawsuits, state and federal investigations, and legislation proposed by members of Congress that would give consumers greater control over their own credit data.
“If there can be a silver lining [from the breach], we can be hopeful that it can be a catalyst for significant changes” for the industry, government, and consumers themselves, says Ms. Velasquez of the ITRC.
Q: Is the Social Security number now obsolete as a way to confirm people's identity?
Some experts say yes, and that the Equifax breach makes the problem obvious. "In effect, Social Security numbers function as both usernames and passwords, albeit ones that are widely shared and impossible to change," argues one new commentary by Daniel Castro of the Information Technology and Innovation Foundation, a Washington think tank. "We should replace the outdated, paper-based system of Social Security numbers with a secure identity system built for the digital era."
But the mechanics of introducing some new system may not be obvious or quick. Mr. Castro, for his part, says a promising path would be for Congress to expand a Commerce Department initiative called the National Strategy for Trusted Identities in Cyberspace.