Equifax breach: What you can do ... and what public pressure may do

Hackers broke into the credit-report company Equifax and stole personal data on up to 143 million Americans. Individual actions can help control the damage. And collective action may lead to new safeguards.

Brendan McDermid/Reuters
Trading information and the Equifax company logo are displayed on a screen where the stock is traded on the floor of the New York Stock Exchange, Sept. 8. The company is one of three big firms that track credit data on US consumers, and a recent breach there exposed information on millions of consumers.

The Equifax breach, which occurred over 2-1/2 months, compromised personal data, including Social Security numbers. The incursion affects three-quarters of US adults with a credit score. Here’s a concise look at what happened, the variety of steps that consumers can take, and the pressure for new steps to guard credit data.

Q: What happened?

From mid-May through July, hackers exploited a weakness in the software of Equifax, a credit agency, to steal the private information of some 143 million people. It is the largest known breach in the United States in terms of sheer numbers, and it involves what the National Consumer Law Center (NCLC) calls “the mother lode” of personal data: full names, addresses, birth dates, and Social Security numbers. In some cases, driver’s licenses, credit-card numbers, and other records were also exposed. With that data, identity thieves can apply for credit cards, take out loans, and even file for federal tax refunds – all in another person’s name.

On July 30, a day after observing suspicious activity on its network, Equifax closed the breach.

Q: What should consumers do right now?

Identity theft experts say the breach is too serious to ignore. At a minimum, consumers can find out if their information is at risk by going to Equifax’s special website – equifaxsecurity2017.com/potential-impact – or calling 866-447-7559. [Editor's note: Several readers say the phone option doesn't work.] They then can request a copy of their credit report at AnnualCreditReport.com from all three credit agencies (the other two being Experian and TransUnion). Individuals can obtain a free report once a year from each agency.

Consumers should review the reports to ensure they recognize every credit account that’s been opened in their name. If there’s something wrong or unfamiliar, they should contact the credit agency.

Q: If a consumer doesn’t notice any credit problems in the next month or so, does that mean everything is OK?

The effects of the Equifax breach are ongoing. Identity thieves may wait months or years before using data. “Once your information is exposed and compromised, there’s no putting it back in the box,” says Eva Velasquez, president of the Identity Theft Resource Center (ITRC), a nonprofit that helps consumers protect themselves free of charge.

Cyber criminals are intent on stealing Social Security numbers, a tactic that has proved to be one of the most effective routes to identity theft, according to the ITRC. During the first half of 2017, about 60 percent of breaches in the US involved the exposure of Social Security numbers, down only slightly from the figure for the first half of 2016 (61 percent).

Q: What are consumers’ options for a permanent fix?

The most aggressive step – one that several experts recommend – is a credit freeze. Lending companies and potential employers won’t be able to pull a person’s credit report unless the individual lifts the freeze. Depending on the state and the person’s status as an identity fraud victim, and whether the person unfreezes the file temporarily or permanently, it might cost between $5 and $10 to freeze or unfreeze the report. Credit freezes are free at Equifax for the moment, but to be effective it should be done with all three credit agencies.

For some people, a freeze might not be right – for those whose job requires frequent moves or background checks that involve pulling their credit report, for example. These individuals can opt for milder protection in the form of credit monitoring. For a fee, companies will track consumers’ credit use at all three credit agencies and send alerts for any suspicious activity. Some employers, banks, insurance companies, and credit cards offer free credit monitoring from some of the credit agencies, points out Lisa Gerstner, a contributing editor at Kiplinger’s Personal Finance. Equifax is allowing people affected by the breach to sign up for a year of free monitoring via its TrustedID service.

Ms. Gerstner says yet another option is to initiate a fraud alert, which tells companies pulling a credit report that the individual may have been a victim of identity theft. This allows them to take extra steps to verify the person’s identity. The alert is free but expires after 90 days, so it has to be reactivated frequently.

Q: Why do consumers have to do all this work and pay fees when they did nothing wrong?

“Good question,” Chi Chi Wu, an NCLC attorney, writes in an email. “We think Equifax should pay for those freezes” at the other credit agencies. The ITRC is pressing the agencies to eliminate their fees.

With its shares plunging and widespread criticism for a slow and sloppy response to the data breach, Equifax is facing a huge backlash in the form of class-action lawsuits, state and federal investigations, and legislation proposed by members of Congress that would give consumers greater control over their own credit data.

“If there can be a silver lining [from the breach], we can be hopeful that it can be a catalyst for significant changes” for the industry, government, and consumers themselves, says Ms. Velasquez of the ITRC.

Q: Is the Social Security number now obsolete as a way to confirm people's identity?

Some experts say yes, and that the Equifax breach makes the problem obvious. "In effect, Social Security numbers function as both usernames and passwords, albeit ones that are widely shared and impossible to change," argues one new commentary by Daniel Castro of the Information Technology and Innovation Foundation, a Washington think tank. "We should replace the outdated, paper-based system of Social Security numbers with a secure identity system built for the digital era."

But the mechanics of introducing some new system may not be obvious or quick. Mr. Castro, for his part, says a promising path would be for Congress to expand a Commerce Department initiative called the National Strategy for Trusted Identities in Cyberspace.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Equifax breach: What you can do ... and what public pressure may do
Read this article in
QR Code to Subscription page
Start your subscription today