Posted by William Charles on September 9, 2017
Misc

Published on September 9th, 2017 | by William Charles

80

List Of What You Should Do In Response To The Equifax Data Breach

In case you missed the news, Equifax has indicated that there was a data breach that may have affected 143 million consumers. At this stage it’s not clear who has stolen this data and Equifax’s site is of little use to determine if your data was actually stolen or not. A lot of readers have been asking what they should be doing in light of this. Here’s my suggestions, as always do your own research and implement a plan that works for you.

Pro-active Steps

Set Up A Fraud Alert

Fraud alerts are designed for people that are or could be the victims of identity theft. The aim of a fraud alert is to let those who are accessing your credit report know that there is an increased risk of fraud regarding your account. This allows them to take additional steps to verify your identity. There are multiple types of fraud alerts, at this stage I’d suggest it’s advisable to set up an initial 90 day fraud alert. You only need to set up a fraud alert with one of the three major credit bureaus know and they are required to let the other two know.

This can all be done online or by phone. For more information regarding add a fraud alert please read this post. Keep in mind that setting up a fraud alert will opt you out of pre-approved/screened offers by default as well. You can opt back in.

Set Up A Security Freeze

A security freeze is more significant than a fraud alert as it makes your credit report inaccessible. This means that nobody can open new accounts in your name (assuming the creditor pulls your credit report). When you set up a security freeze you will be provided with a PIN/password and this can be given to a creditor so they can still access your report (you can see what credit card issuers will accept a PIN for a frozen report here). The downside to security freezes is that they aren’t free unless you’re the victim of identity theft. The cost of a security varies by state, you can view the cost of implementing and lifting a security freeze for each state here. You can view how to implement a security freeze with each credit bureau here.

A security freeze isn’t necessary for everybody, but it’s important to know what your options are.

Set Up Credit Monitoring

If somebody has gotten access to the data that Equifax is indicating was breached it would be fairly easy for them to open up fraudulent accounts. By setting up credit monitoring you can be informed whenever a new account is opened. There are lots of free solutions available. For more information on the best & cheapest way to set up credit monitoring please read this post.

Set Up SSN Searches

Discover offers free social security alerts.  This alerts you if your SSN is found on a risky website.

Enable Two Factor Authentication Where Possible

Reader Kashmoney rightfully pointed out that the information breached could also be used by attackers to reset passwords and access other accounts. One of the best ways to prevent this is by setting up two factor authentication (or multiple factor authentication). The idea behind two factor authentication is that accessing your account requires a second set of authentication besides a normal username and password. The most common way this is done is by requiring you to enter an access code sent to your phone.

Be Aware Of Fake Websites

Reader Jeff H has reported receiving spam e-mails for sites pretending to be Equifax. At the moment the only official Equifax site is: https://www.equifaxsecurity2017.com/, we know this is the correct website because www.equifax.com directs us here and it has been confirmed as legitimate multiple times by Equifax. This is a major news story and hackers are using people’s fear to try to get them to disclose their personal information.

Check To See If Your Data Has Been Breached

This would normally be the first thing you should do, but the Equifax site isn’t working properly currently (e.g fake details are showing as affected when they don’t exist). When it is working properly I’ll make sure to create a new post on the site to remind readers that they can now check to see if their information has been breached.

Create Accounts With The Social Security Administration and IRS

Good idea to do this before somebody else does it in your name. The websites you want are:

If you want to do this you’ll need to do it before you set up security freezes/alerts.

What To Do If You’re The Victim Of Identity Theft

If you become the victim of identity theft (e.g somebody opens an account in your name) then there are a number of other things you should do immediately. The government has a great website called IdentityTheft.gov. Rather than giving you the same advice I’d recommend just following the clear steps there instead.

Should You Sign Up For TrustedID?

As part of the data breach Equifax is providing a free one year of credit monitoring with TrustedID. This is a company owned by Equifax. An issue a lot of people have is that in the fine print of TrustedID it states by signing up you’re waiving your rights to abritration and class actions. Equifax has updated the https://www.equifaxsecurity2017.com/ website to state:

  • In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

WSJ is saying that only the terms are binding so the above statement is meaningless. I’m not a lawyer but my personal feeling is why should I trust Equifax & TrustedID again when they are the cause of the issue in the first place. Especially when there is other free monitoring available.

Final Thoughts

A lot of these things you should have in place regardless of whether your information has been accessed or not. I’m sure there are some things that I’ve missed, please let me and other readers know what they are in the comments below.

 

 



80 Responses to List Of What You Should Do In Response To The Equifax Data Breach

  1. RF says:

    One thing you should possibly NOT do…take up Equifax on their offer of free credit monitoring.

    I can’t confirm this is true (because the terms and conditions seem to be hidden behind the SSN verification step that I’m not filling out) but I’ve heard it reported that by accepting the offer, you are waiving any right to participate in any class action suit against them over this matter.

  2. Pijanec Ordiner says:

    You don’t get any more targeted credit offers if you freeze, right?

    • Anthony says:

      I don’t believe this is the case. There’s a separate process to opt out of offers, which is approved by the FTC.

    • Bob says:

      Correct. Every time I freeze, EX sends me a letter saying I’ve opted out. You have to opt back in again when you unfreeze, that’s not automatic like the freezing opt out is

    • Jim says:

      From TU:

      “As you requested, an Initial Fraud Alert has been added to your credit report.
      As an added precaution, we have removed your name from prescreened offer mailing lists for a minimum of 90 days.
      As a convenience to you, we will notify the other national credit reporting agencies, Equifax and Experian, of your request for an Initial Fraud Alert. You should receive confirmation from them directly.”

      • Pijanec Ordiner says:

        This one was for a 90 day alert not even a freeze, right? Does their email say how to opt back into prescreened offers?
        This is the most inconvenient time to have to screen yourself out of the offers, I was waiting for that new BofA card.

    • Added a note regarding this in the post

  3. TanT says:

    When I put fraud alert in Experian, they also include this. Does it mean I opt-out the targeted offers?

    As an additional precaution, we have removed your name and address from prescreened offer mailing lists for two years.

  4. Treesha says:

    Thank you, Doc, for this helpful information! I appreciate it.

  5. Jake says:

    It’s also good to create accounts with the Social Security Administration and IRS before someone else creates them in your name. https://www.ssa.gov/myaccount/ and https://www.irs.gov/payments/view-your-tax-account are the places to do this.

  6. Dale says:

    For those in the U.S., what about setting up a “Self Lock” to protect your identity by preventing unauthorized use of your social security number. “This helps prevent anyone else from using your SSN to try to get a job with an E-Verify employer. If your locked SSN is entered in E-Verify to confirm employment authorization, it will result in an E-Verify mismatch, called a tentative nonconfirmation.”

    Self Lock is part of myE-Verify, a service from the U.S. Citizenship and Immigration Services.
    Link: https://www.uscis.gov/mye-verify/about-mye-verify

    This sounds worthwhile to me, since we already trust the U.S. government to manager our SSNs. Your thoughts?

  7. Josh says:

    Does anyone know if the PINs used to set and remove a security freeze on for Equifax credit reports has also been breached? If so, I will need to contact Equifax to change my PIN.

  8. Harry Nguyen says:

    I feel like there’s just no point of suing Equifax, I mean banks sell our info all the time and we aren’t aware of it. I only use Experian but when I do check for Equifax I use credit check total once in a blue moon. I rather get their free monitor protection for the year.

  9. cm says:

    > This would normally be the first thing you should do, but the Equifax site isn’t working properly currently (e.g fake details are showing as affected when they don’t exist). When it is working properly I’ll make sure to create a new post on the site to remind readers that they can now check to see if their information has been breached.

    Let’s not spread fake news, shall we? I tried providing fake details, and I receive a message that I am not affected. Proceeding further does still give me an enrolment date, but that’s not an indication that the system isn’t working.

    • I just went to enroll, I added the last name “Doe” and last 6 digits as 123456. They said the following;

      “Based on the information provided, we believe that your personal information may have been impacted by this incident.”

      Not sure how what I said is fake news.

      • CM says:

        I’m pretty sure a person named “Doe” with an SSN ending in 123456 is, in fact, impacted.

        I think you have to be more creative to see whether the values submitted this form are checked against their backend than that! 😉

      • Jenny says:

        Read in WaPo the journalist tested using name Donald Trump, random numbers, and got the same response, Charles.

      • Terri M says:

        I have 2 family members who are relatively inactive in the credit card approval world. One has no cards (I’m in the process of making her an AU on one of my AmEx accounts); one has had and frequently uses the same 3 basic cards for several years. When I typed in each of their info, the message from Equifax was that they were probably NOT impacted by this incident.

  10. Jeff H says:

    Equifax updates terms of service after arbitration clause causes uproar following massive breach

    http://www.washingtontimes.com/news/2017/sep/9/equifax-updates-terms-service-after-arbitration-cl/

    It appers someone out there is hearing the public outcry.

  11. M says:

    What to do after your horse has bolted:
    1. Lock the barn door.
    n.b: can be scaled up to 143 million horses.
    j/k

  12. Matt says:

    How does Credit Karma compare to the credit report monitoring that many banks do now? I’ve had CreditWise through a CapitalOne card for a while, and every time I apply for a new card I get an email within a few days about it. I’m also planning to sign up for Chase’s Credit Journey. Also have the credit reports through other credit card issuers, though I don’t think those have email alerts. Is Credit Karma any better? My hesitation to sign up is for security/privacy reasons, just trying to avoid giving my info to yet another company. CapitalOne/Chase already have my info (since I have their credit cards), so I figure signing up for their programs is security/privacy-risk-free.

  13. airgypsy says:

    Hi DoC and William.
    – Would it be correct to assume that a 90 day fraud alert would result in no “instant approval?”

    – If one already has a freeze on his credit reports, how do you go about an online credit card application? I’m assuming you pretty much have to unfreeze right away, then babysit the application until you know the outcome, then freeze again?

    Thanks in advance.

    • > Would it be correct to assume that a 90 day fraud alert would result in no “instant approval?

      Don’t know for sure, but I think it should still be possible.

      > If one already has a freeze on his credit reports, how do you go about an online credit card application? I’m assuming you pretty much have to unfreeze right away, then babysit the application until you know the outcome, then freeze again?

      I believe you’d need to call in and mention the freeze and provide a PIN.

    • Josh says:

      “If one already has a freeze on his credit reports, how do you go about an online credit card application? I’m assuming you pretty much have to unfreeze right away, then babysit the application until you know the outcome, then freeze again?”

      Visit each bureau’s freeze center and lift the freeze on your report. You can use Google to find all their respective sites.

      You’ll need the PIN number they sent you in the snail mail to lift the freeze. You can lift it by date range or by a specific business.

  14. raomonger says:

    How am I assured that credit monitoring services like credit karma are not/will not be hacked? Do I give my information to another site?

  15. abey says:

    Thanks william, i succesfuly added a fraud alert.
    Experian is very easy if you have an account with them already

  16. San says:

    Is there any way to “freeze” for free? I read on other sites that it costs $10 – $20 each time. I really don’t wanna have to spend to freeze it. I’m not even working at the moment. If there’s a free way, someone please post.

    • I’m interested in knowing the same. The costs of freezing and unfreezing could add up over time. Would be nice if the Big Three targets of our data would make the process free.

      • Joe-SC1 says:

        Fees vary by state. From my research, only Indiana and South Carolina are completely free. Maine and North Carolina are the same with caveats.

        Delaware, DC and Virginia have a fee to place a freeze, but have no cost lifts and full removal.

        See my full comment below for more details and information sources.

  17. TVM says:

    Looks like nobody is really talking about free credit locks (Locks are nearly same as freezes, but gives you the ability to control access to your credit file instantly and easily. More here: https://equifax-us.custhelp.com/app/answers/detail/a_id/66/~/security-freeze-vs-credit-lock)

    Apparently TransUnion is already offering this credit lock service for free as part of their TrueIdentity product. I tweeted at Doc asking if he’s heard about this product, but didn’t get a response.
    https://www.transunion.com/product/trueidentity-free-identity-protection

    Whether you want to use Equifax’s monitoring service (TrustedID Premier) and loose the ability to sue them later is entirely a separate debate. Although WaPo reports that they have changed the terms after the public outcry – http://www.washingtontimes.com/news/2017/sep/9/equifax-updates-terms-service-after-arbitration-cl/. But, TrustedID Premier does come with Equifax’s own version of credit lock.

    So that’s 2 out of 3 credit locks for free. I couldn’t find anything from Experian for free, so you’d have to pay the small fee, I guess. These credit locks would be especially more helpful to people like us in this community cause they don’t require us contacting these agencies to unlock, everything done online or via an app. Traditional freezes can take up to 3 days to be lifted. Imagine a leaked Amex 100K offer and you waiting for the credit profile to be unfrozen.

    • Joe-SC1 says:

      I have been working in this community for several years with all three bureaus files frozen since 2010. When done online, security lifts don’t take three days, in my experience. They take mere moments, and you get instant verification that the lift is in effect. I happen to live in a completely free state, so I don’t pay for each lift, so you might be better served by your locks or a basic fraud alert, so YMMV. Just wanted to say that my experience doesn’t correlate to your note regarding the security freeze lift.

      • TVM says:

        Good to know that it’s instant when done online.

        My ‘can take up to 3 days’ comment came directly from one of the agencies’ website. I haven’t done it myself.

        Unlike you, I live in a state where each freezing & unfreezing would cost $5. So locks would be cheaper if you signed up for the free products I mentioned above.

        What I want to verify is whether locks are as effective as freezes. Equifax says so on their site, but anyone has any direct knowledge of this ??

  18. Jan says:

    FYI – I froze my credit with the Main 3 + Innovis then tried to sign up for Credit Karma. Credit Karma was unable to sign me up due to the freezes. Out of the steps listed in the post, the freeze should be last – but it is the most effective.

  19. Joe-SC1 says:

    DOC Team – Thanks for the great article. Lots of good information.

    In my opinion, though, fraud alerts are vastly inferior to security freezes:

    Fraud alerts work mainly on human intervention, from my reading. Once in place, creditors should take additional steps to verify your identity, but with instant approvals, I wonder how often that actually happens. Freezes prevents anyone who accesses bureau data from offering you (or an ID thief) any credit at all.

    Fraud alerts stay active for only 90 days unless you prove you are an ID theft victim – then it stays for 7 years. Freeze stay in effect until cancelled (except for Kentucky, Nebraska, Pennsylvania, and South Dakota, where they also cancel at 7 years). And the paperwork required for each is similar.

    So, unless the costs are prohibitive for multiple freeze/thaws – those of us obtaining credit cards several times per year – then the Security Freeze is far away superior.

    Speaking of costs, in handful of states, they are completely free (a slight correction to the description listed in the post).

    From my research, Indiana and South Carolina have completely free security freeze adds, lifts, and removes. Maine is the same if a bureau file exists in the first place. North Carolina is the same if the freeze is added via online versus phone or mail. This is for adults who are not ID theft victims, nor protected persons, nor senior citizens. (Many state laws carve out exceptions for a lot of groups). So that is four states.

    Add in three more that cost resident’s $10(x3 bureaus) for the initial security freeze placement, but then have free lifts and free permanent removals. Delaware, DC and Virgina follow this pattern. These three have relatively low up-front costs and still zero ongoing costs for those who might want to obtain new credit from time to time.

    In my opinion, any resident of these seven states should put a security freeze in place. It’s no cost or low cost insurance with only minimal interruption to your periodic credit card applications. Just be sure to sign up for any credit services (Credit Karma, Quizzle, Credit Sesame, Credit.com) before the freeze as I believe they can monitor files once a freeze is in place, but only if you sign up before you place the freeze.

    Cheers.

    Sources:
    https://help.equifax.com/s/article/ka137000000DSDyAAO/What-are-the-security-freeze-fees-in-my-state
    http://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/
    https://www.transunion.com/credit-freeze/place-credit-freeze
    https://www.doctorofcredit.com/knowledge-base/credit-freeze-security-freeze/
    http://clark.com/personal-finance-credit/equifax-breach-how-to-protect-yourself-from-whats-coming-next/
    http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/
    http://clark.com/personal-finance-credit/credit-freezes-frequently-aske2/

    • Yes, freezes are superior but there are draw backs as well (e.g fees and having to deal with unfreezing etc). I don’t think most issuers will auto approve with a fraud alert in place but YMMV. We still haven’t seen how bad this hack actually is yet. I agree that security freezes are the safer option but might not be preferable for everybody.

  20. kashmoney says:

    Thank you DOC for writing this article… it is very helpful!

  21. Jason says:

    Check out this thread on Twitter on what to do in the case of ID theft.

    https://twitter.com/patio11/status/906384638733467648

  22. 007 says:

    Just FYI, freezing Innovis is free for all. Freezing Chex online was somehow also free for me even though my state makes me pay $10 to freeze/thaw the big 3.

  23. Quentin says:

    Warning: once you have frozen your credit reporting agency accounts, you can’t create a new account with the IRS!

    All three freezes (TU, Experian, Equifax) were free for me this morning (in CO).

    Question: will these freezes ALWAYS affect my ability to rapidly start a new checking or savings account? I know banks can do a soft or hard pull, and surely either kind of pull will not work if the accounts are frozen.

    So presumably if I want to open a new checking account, I should first do a temporary lift of the freeze, then open the account. But is it necessary to lift the freeze with all three of the big agencies?

  24. Josiah says:

    Another thing one should do because of the Equifax breach is to contact customer support on all bank accounts, utility bill accounts, cell phone bill accounts, and any account that is important, and ask them if you can set a password or a PIN solely for the purpose of contacting customer support; this password is not the same password you would use to log in to your account online. This would prevent someone who has your SSN, DOB, address, full name and any other information that may have been breached in the Equifax incident from calling support, pretending to be you, and modifying your accounts.

    Once a password/PIN is set, in the future, when someone calls customer support, they will ask what the password/PIN is before they will access the account. Please note: Not all companies, banks, etc. support this feature. Another form of authentication for calling customer support is voice recognition technology. If your bank supports voice recognition, be sure to turn that feature on in addition to setting the password/PIN for 2 factor authentication.

    • Harv says:

      Excellent advice. Thank you !

    • Mimi says:

      I’ve been doing this for years on all our bank accounts. When I go to bank drive thru where the tellers recognize me, they still ask for the verbal password I set when I ask them to write my current balance on my receipt. I’ve also tested this via phone calls asking for my current balance and there is a prompt on their screen asking for my verbal PW. DH is the only other person that knows our verbal PW and it has not be written anywhere. There is a POD annotation on all our accounts in case both of us die at the same time so our adult kids can get whatever balance is on our accounts.

  25. charles chang says:

    Does anybody know which credit bureau does SSA.gov pull? I followed the post step-by-step, so I froze my credit reports first made me not able to create account at ssa.gov.

    Will – It is all your fault :D, seriously, thanks for the write-up.

    BTW: do we need to freeze report from the one USBank likes to pull? I can’t remember the name out of the top of my head.

  26. Jeff H says:

    I thought the DoC article indicated free freeze option for LIFE. I failed to find a valid link to make such an arrangement.
    I am unsure ya or ney about doing so since Equifax is the service with the least HPs I have amoung the three major services. Still, I would appreciate the information for my sister who has had to do some freeze and thaw due to a family member in her family.

  27. Lulu says:

    Would it be possible to move section 1.8 (set up accounts with SSA and IRS) up to the top, before section 1.1 (create fraud alert) please? Anybody that goes down the list step by step will not be able to create their SSA / IRS accounts, because the fraud alert will prevent it from working. Thank you for the write-up.

  28. C Cameron says:

    I notice this was posted 9/10. I looked at the Equifax page to check if I’ve been affected, and that posted page was dated 9/20. It told me I was not affected. Is there any update as to whether this is reliable or not? Thank you so much.

Leave a reply

Your email address will not be published. Required fields are marked *. Please do not share your referral links/codes unless the post specifically states it's allowed. If the post states it is allowed please follow the rules carefully. If you'd like an image next to your comments please create a gravatar. Most of all please be kind and respectful to each other. 

Back to Top ↑