Wednesday, September 13, 2017

Equifax - Now What?

Please excuse this short interruption in the adventure blog for a public service announcement.

The last couple of weeks have seen a surge of disasters: minor and major, natural and man-made. My observation has been that it's very rare for a blog post, tweet, or other online comment to have a meaningful impact. I hope some of you find this post to be tangibly helpful. It's mostly just my friends and family reading my blog and almost all of you are Americans. That last part is important because it means more than half of you reading this had your SSN, address, credit score, and other key personal information used to verify your identity swiped between May and July thanks to Equifax. If you've had more important things going on the past week here's a guide:

What happened?
Equifax is one of the three largest credit reporting companies. They compile and sell people's financial data to banks and other financial companies. Their reports and scores are what determine if you or I qualify for a loan and what the interest rate on that loan will be. They were hacked between May and July. When they finally reported it last week, they announced that hackers took key identification info for 143 million Americans. That's a pretty big deal. Most of the news I've seen says the breach affected 44% of the population, but unless they are keeping credit scores for minors, they should only have around 250 million Americans in their system. I expect the odds are closer to 60% and maybe higher if the hackers had enough access to target data tied to good scores first.

If possible, Equifax's response has actually been worse than their data security was. Ignoring for the moment that executives sold stock before the news broke, we still have a confusing mess of information that is changing daily, despite two months of preparation. It does seem to be improving a little. You can now check if your data was taken from the Equifax website, but you still have to click through four pages to get to the real page where you enter your info and find out if your data was stolen. Also, the answer they provide might just be meaningless... Until Equifax can provide some reason to trust them again, I'm going to assume my information was taken.

So, a giant faceless company lost all of our data... What can we do?

The good news is that we actually can do a few things to mitigate the damage. Freezing your credit may not work for you if you're trying to get a loan right now, but the rest of these options should. Here's what I've found so far.

Check your credit report for free to see if there are any accounts you didn't create; I tried to check Equifax after the breach and they would only send me my report by mail! Hopefully, that's just an overwhelmed server and they will get it fixed soon. It's also a good idea to review the TransUnion and Experian reports. You can check each of these for free once every year. In the past I've usually checked all three at once, but I'm switching that to one report every four months.

I also have a free account with Credit Karma as another way to keep an eye on my credit. Although it isn't the full credit report, they were able to show me all the credit accounts that Equifax knows about, allowing me to verify them. They've also notified me in the past when I've opened a new account, providing a measure of credit monitoring. The tradeoff is that yet another company has access to my data.

Place a fraud alert on your credit report. This is completely free and, in theory, it will encourage lenders to take additional steps to verify your identity when they pull your credit report. One downside is that you have to renew it every 90 days unless you are active duty military personnel or can prove you're already a victim of identity theft. I can also imagine lenders deciding to ignore fraud alerts if every account has one.

Place a freeze on each of your credit reports. Unfortunately, you have to pay to freeze your credit report, but it should prevent anyone from opening a new account in your name. The cost varies by state but is limited to $10 per company. Equifax has agreed to waive the fee for freezing their credit report, but TransUnion and Experian are currently still charging to freeze their reports. Depending on the state you live in, they can also charge for unfreezing the report later. The whole thing feels like a mob protection racket to me, but the peace of mind could be worth it if you're not planning to open a new account for a while. To freeze your report(s), just click the links above and follow the process for each company. TransUnion is pushing an option to "lock" your report instead of freezing it. It's free, but they don't provide details on what "locking" really means. *Note: see 9/14/17 updates below on Equifax and the IRS.

Now that Equifax has removed the clause (see item 5 linked here) suggesting it will waive your right to sue, you can sign up for their credit monitoring service. Equifax is offering Americans a free year of monitoring after being hacked. That's really stingy. My health insurance lost a lot less data last year and provided two years of free credit monitoring. I'm going to wait a bit before signing up since that monitoring service I have is still active, and the free period is open until November. If you choose to sign up, please don't reward Equifax by paying for the service next year.

One more thing... The news has focused on credit fraud, but according to the FTC it's possible for someone to file for your tax refund or get a job in your name using the information Equifax just lost (SSN, address, DoB and Employer). They suggest filing your taxes as soon as possible and being extra attentive to anything you see from the IRS. I'd say it's also more important than ever not to give Uncle Sam a large interest free loan. I'd appreciate hearing from anyone who knows how to prevent someone from reporting wages against a stolen SSN.

This security breach will likely still be causing havoc long after the headlines stop. Hopefully some of you will find this information useful for protecting your identity.

Updates 9/14/17:
Turns out it wasn't possible for Equifax's response to be worse than their data security. The user/password was admin/admin? Seriously? On the bright side gross negligence just got a lot easier to prove in court. It's bad news for my Argentinian friends though.

A friend pointed out that phishing scams are another threat likely to increase in frequency and sophistication. The leaked data will provide scammers with enough information to sound legit. My bank has sent out reminders in the past that they don't call and then ask security questions to confirm a customer's identity. If you get a call that seems suspicious you can just decline and then call your institution directly to see if they really are trying to reach you.

Apparently the IRS uses Equifax to verify your identity when you sign up for an online account. If you don't already have an online account set up, you might want to do so before you freeze your Equifax report. Even if you don't use it, setting up the account will prevent anyone else from doing so and filing a fraudulent return that way.


  1. Thanks for the info, Nick. When I went to file my taxes this year, there was a notice that someone had already filed under mine or my husband's or my daughter's SSN, or all three. The IRS was really helpful (!) with next steps, and they had already flagged the return for fraud as soon as they got it. Probably because we always owe money! We did the recommended steps with credit freezing, etc. After this latest news, though, I am thinking I need to pay for Life Lock (or similar), and also more-regularly review financial stuff. -Megan (Persson) Hopkins

  2. Thanks Megan. You were one of the people who came to mind when thinking of friends who might have had more pressing matters to deal with this past week. It's encouraging to hear the IRS caught on right away and was really helpful last year. Before this past week I hadn't considered avoiding fraudulent refund claims as another advantage of owing a little tax each April.