Consumers are facing a nightmare scenario following a massive hacking of credit bureau Equifax. The incident, which the company disclosed on Thursday, involved thieves making off with highly sensitive personal information including Social Security and credit card numbers of at least 143 million people.
The breach is especially dangerous because the stolen data will give crooks opportunities to conduct fraud and identity theft. And as the hacking took place several months ago, the information is likely for sale already through online criminal forums.
Here’s how to tell if you’re affected—and what to do next.
How can I tell if I was hacked?
Equifax has created this website that lets people see if they were affected. The site asks users to enter their last names and the last six digits of their Social Security numbers. If your data was compromised, you’ll see a message like this (yes, it appears I got hit):
What does it mean if I was affected?
It means the hackers obtained some or all of the following personal information: your birthday, your Social Security number, your addresses (past and present), your driver's license number, and your credit card numbers. This set of data may give crooks enough information to apply for loans in your name. It may also help them break into your existing accounts by answering security questions based on your birthday, previous addresses, and so on.
All of this does not mean crooks can automatically exploit your data, especially as banks and other companies are getting better at detecting fraud. Nonetheless, the Equifax breach is the third largest in history (after two breaches at Yahoo) and is by most accounts the most serious of them all. Consumers should be more vigilant than ever.
What will Equifax do about this?
The company says it will offer free enrollment in TrustedID Premier, a service that monitors credit requests at Equifax and two other major credit bureaus. There’s a catch, however, in that Equifax is not enrolling consumers immediately, but instead asking them to return in a few days to complete the sign-up, and saying it will not send out any reminders to do so.
Should I rely on Equifax’s credit monitoring to protect me?
Brian Krebs, a highly respected security journalist, has criticized Equifax’s response. This is partly because of Equifax’s failure to enroll people automatically, but also because credit monitoring can only help prevent crooks from opening new accounts. It will not stop them from using the Equifax data to try to hijack existing accounts.
And as Krebs notes, Equifax’s incompetence in allowing the breach to happen in the first place means its offer of future protection may not amount to much.
So, no, don’t count on the credit monitoring to protect you. Also, note that signing up for the service might forfeit your right to join the class action lawsuits that will invariably be filed against Equifax. (Update: this no longer appears to be the case following pressure from Attorneys General).
What else can I do then?
Krebs and the Federal Trade Commission suggest freezing your credit altogether. This means that your credit data (and personal information) will simply be unavailable to fraudsters and anyone else who wants to obtain it.
While this is an effective way to prevent fraud, the process is cumbersome. First, it entails contacting the four different bureaus (Equifax, Experian, Innovis, and TransUnion) that manage consumer credit, which in some cases involves paying a fee. Next, you will have to save a PIN in order to unfreeze your credit in the future—in a process that can take 24 hours or more, which might prove inconvenient when you need to provide a credit report to an employer, a bank, or a landlord. (Here are more details about the process).
Beyond that, however, there are few practical steps consumers can take other than remaining vigilant about unusual activity involving their bank and credit card accounts.
Finally, consumers can hope the political fallout surrounding the Equifax data breach—several members of Congress are already vowing to investigate—leads to new laws that oblige companies to properly secure consumer data.