Last week we started hearing about the Equifax data breach, although Equifax had actually known about the data breach at least a month earlier. (The full text of the Equifax statement about the cybersecurity data breach is reprinted below.) The most stunning thing about this breach is the breadth of it: the Personally Identifiable Information (PII), including names, social security numbers, and driver’s license numbers, of 143 million U.S. citizens were exposed in this breach. Here is what you need to do, right now, to protect yourself.
While most reporting agencies are pointing out that 143million is nearly half of all of the people in the U.S., it’s even worse than that, because the total number of people in the U.S. includes children. According to the U.S. Census bureau, there are 259 million wage earners age 15 and over (relatively few individuals with credit records are likely to be children under the age of 15). So the number of records that are compromised because of the Equifax data breach, and the number of individuals who are now at risk for identity theft, fraud, and financial theft, actually represents more than half of the wage earning adults in the U.S.!
Let’s put this more simply: one out of every two U.S. adults has PII that has been compromised in the Equifax data breach. If it’s not you, it’s someone you know. Probably many someones that you know.
And because this breach actually happened several weeks ago, but Equifax only revealed it last week, there are already victims whose identity is being used by criminals. (Here’s one Equifax data breach victim talking about his experience.)
Given the horrendous odds that your personal data has been exposed in the breach, what can you do to protect yourself from identity theft?
By far the most common form of identity theft is someone pretending to be you and using your credit, which they then max out (often this looks like opening credit cards in your name and then using the cards to buy electronics or other items that are easy to sell on the black market).
So, what you need to do, right now, is freeze your credit.
What is Freezing Your Credit?
Freezing your credit means that you tell each of the 4 credit bureaus (Experian, Transunion, Equifax, and Innovis*) that you do not want any new lines of credit opened, at all, until you personally ‘unfreeze’ your credit with them. In some cases it also means that credit inquiries (like when a company checks your credit) will not return any information about you. However, your credit rating is not affected by this – so if you stop paying your bills, your credit rating will still go down, for example. (*Yes, there are actually four credit bureaus: Experian, Transunion, Equifax, and Innovis. For some reason a lot of people have never heard of Innovis, but they have been around since 1970.)
You may be wondering why, if the bad guys have all of your PII, they can’t just call up the credit bureau and pretend to be you, and unfreeze your credit. That is because each of the credit bureaus will either have you create a PIN at the time that you freeze your credit, or will assign you a PIN when you freeze your credit, and you must have the PIN to unfreeze your credit.
Example of Online Form for Freezing Your Credit
How to Freeze Your Credit
It is easy to freeze your credit at each of the four credit bureaus*, and you can do it online at the links below. Due to the sheer volume of people accessing these sites right now, you may sometimes get an error loading the page, so we are including the telephone numbers that you can call to freeze your credit.
Unfreezing Your Credit
If you need to unfreeze (i.e. ‘thaw’) your credit, say for example if you are trying to buy a house and need the lenders to be able to pull your credit report, you simply use the same links above, or call the same numbers, and tell them that you need to unfreeze your credit.
Remember that you will need to provide them with your PIN.
What’s It Cost to Freeze and Unfreeze Your Credit?
How much it will cost to freeze and unfreeze your credit depends in large part on where you live. Some states require that the credit bureaus do this for free; if you are not in a state where it is free, it should be no more than $10 per bureau. Even if you have to pay $10 to each one, $40 compared to the tens or even hundreds of thousands of dollars lost to identity theft is a very small price to pay.
According to Credit.com, Colorado, Indiana, Maine, New Jersey, New York, and South Carolina all provide for you to freeze your credit with each credit bureau for free, at least for the first time that you freeze it; New York and New Jersey charge $5.00 for unfreezing.
For a comprehensive guide to how much it costs – or doesn’t cost – in each state, see this charge by CreditCards.com.
While we’re speaking of states, it’s important to note that in South Dakota, Nebraska, Kentucky, and Pennsylvania, your freeze will be automatically dropped in seven years, and you will need to renew it.
Here is the full text of the Equifax Statement about the Data Breach:
Full Text of Equifax Statement about July Security Breach Announced on September 7, 2017
ATLANTA, Sept. 7, 2017 /PRNewswire/ — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.
In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.
Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
CEO Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”