The Equifax Security Breach

You have very likely heard the recent news about the security breach of Equifax, which has given thieves access to the data of more than 143 million people.  This astonishing development is indeed a very serious issue, which has the potential to expose those people – about one-half of the U.S. adult population – to online thievery.

We want you to have helpful information on how best to protect yourself.  Our own systems-security provider has followed the issue closely and has provided us with advice and information. We pass their information on here so you can make informed choices about what you can do.

We understand that Equifax is going to contact all affected people by mail. That step may take a while. Normally, our security provider’s advice would be to go directly to a vendor’s website for detailed information. In this case, they do not recommend doing so. The website itself may not be secure. Many reports indicate that the information coming out of the website’s offer to check its database — to see if your particular information was accessed in the data breach — may be incomplete or altogether inaccurate.

As of this writing, operators at Equifax do not have information about who was or was not affected in the security breach. They have been swamped with calls.

Signing up for Equifax’s own credit monitoring service is free of charge for one year, but if it is not cancelled after the one-year free period, monthly charges will be incurred.

Here are a few steps you can take now in lieu of going online to Equifax to apply for its data protection service and divulging your sensitive personal data:

1. Check your credit card accounts for suspicious activity

The first, and most important thing you can do is to check the transactions on all your financial accounts and credit history. Keep in mind that there is an overwhelming amount of traffic going to all the major credit reporting agencies right now, so they may be slow or only intermittently available for a while. If you see activity that you do not recognize, it is important that you notify your bank or credit agency immediately.

The data stolen includes names, social security numbers, birth dates, addresses, and the numbers of some driver’s licenses and credit cards.  We are advised that the thieves may not use or sell all of the stolen data right away. You will need to be vigilant with your accounts for a while, possibly even for years to come.

2. Consider a Credit “Freeze”

While freezing your credit does introduce an obstacle when it comes to allowing someone to access your credit report (such as when you apply for a new bank card, loan, apartment or job), it also makes it more difficult for thieves to create new accounts using your information. If you take this route, it is important to contact all three credit reporting agencies to put freezes in place.  Besides Equifax, they are Experian and TransUnion.  There is a charge of about $10 by each company.  That means spending $30 for each person in your household who has a credit card or who either has, or has had, an outstanding loan. Equifax decided on September 14 to refund its $10 freeze charge automatically.  Fees paid to the other two credit reporting companies, Experian and TransUnion, are not refundable so far as we know. If you do order a freeze, it will be critically important to ensure against loss of the personal identification numbers (PIN’s) that you will be assigned by the companies.

About Fraud Alerts in lieu of freezes:

If your information was included in this breach, and you decide against a credit freeze, you may wish to place a “fraud alert” on your files at each company instead. A fraud alert warns creditors that you may be a victim of identity theft and that they should take additional steps to verify that anyone seeking credit in your name really is you.  However, an Initial Fraud Alert lasts only 90 days, which won’t be very helpful in this case because criminals can – and most likely will – misuse permanent credentials like Social Security numbers for years to come.  An Extended Fraud Alert is available that lasts for seven years, but it is limited to those who have already been victimized and have a police report that describes the fraud that was perpetrated against them.

Therefore, putting a credit freeze in place at each of the three major credit reporting companies may well be the most effective thing you can do at present, although doing so would cost you some money for each freeze.  You may well be charged to undo, or “thaw,” each freeze later when you want to apply for credit of any sort – and possibly as well when you re-freeze your credit access afterward.  Although  – and would therefore be a potentially gross inconvenience.

3. File your income tax returns promptly, and do not open e-mails purporting to be from the IRS

Your exposure to online theft may not be limited to credit-card fraud.  Thieves may use stolen information to create fraudulent bank accounts, and they may also use it to file fraudulent tax returns, which has already been a growing problem for several years.  A freeze on your accounts at the credit reporting companies does not protect you from fraud perpetrated through the IRS.  Our provider recommends filing your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email.  Our security firm advises watching out for this type of fraud,  refraining from opening e-mails that purport to be from the IRS, and deleting them.

4. Improve your login security

With all the information that is now available to thieves, they may try to combine it with attacks on other online accounts and services. It’s always a good idea to make sure you have strong, unique passwords for each account you use. If you’ve not yet enabled two-factor authentication wherever it’s available to you, now is a great time to make sure you have this in place.

5. Beware of scams

Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams and has already inspired at least one phishing site passing itself off as an Equifax resource. Some people may, ironically, be more apt to fall for e-mailed schemes that prey on this fear. Our provider asserts, “Never click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. It’s a good idea, especially after major security events and other crises, to consider any link in an unsolicited email to be potentially malicious. Instead, you should get any online information you want by typing in a company’s name in your computer’s web browser directly instead of clicking on a link in an e-mail.”  We point out that that is excellent advice in general regarding opening e-mail and being offered online links to click.

In sum, there are plenty of things you can do to protect yourself without needing to contact Equifax right now. Equifax will contact affected consumers directly by mail.  So, for now, our system security provider advises keeping an eye on the news and be as careful with your personal information as you are with your possessions.