Lock Down Your Data After Equifax Breach — Right Now
Chances are good that the Equifax data breach affects you. What do you do next? The short answers: Consider a credit freeze. Scrutinize your credit statements. And check your credit reports from all three credit bureaus.
Equifax says hackers used a website application vulnerability to access the personal information of about 143 million U.S. consumers, or more than half of the country’s adult population. Credit bureaus such as Equifax are an especially sensitive target because they handle detailed financial records, and it’s nearly impossible for consumers to avoid credit reporting. Every time you apply for credit, the personal data — including your name, birthdate and Social Security number — you share can be stored by a reporting bureau.
Most credit card issuers and lenders report consumer activity to all three major U.S. credit bureaus, and your data is likely duplicated at Experian and TransUnion. There’s no reassurance in the fact that only one bureau was hacked.
“On a scale of 1 to 10, this is a 10, and that’s because of the quality of the data … your Social Security number is the skeleton key for your identity,” said Adam Levin, founder of CyberScout, a company offering identity theft and data breach defense services.
Freeze your credit for the best protection
Credit freezes prevent stolen information from being used to open new accounts in your name by restricting access to your records. Without access to your credit history, most creditors won’t open a new account.
“We have to assume that our personal information is exposed and act accordingly,” Levin said. He said a credit freeze has become “a critical thing to do.”
Credit expert Barry Paperno, who blogs at Speaking of Credit, agreed: “That’s the most extreme method, but it’s also the most effective.”
But this most effective method will cost you in money and inconvenience.
A freeze might cost you a small fee, which varies from state to state, but it’s better than a credit monitoring service. A freeze can prevent fraud, while monitoring alerts you fraud might have happened. It’s the difference between using a deadbolt to keep thieves out rather than a security camera to catch them after the fact.
You’ll also have to pay to lift the freeze each time you apply for credit or need to allow a potential landlord or employer to check your credit. You’ll receive a PIN to “thaw” your credit. Keep it in a safe place.
Here’s how to request a freeze:
- Equifax: 1-800-349-9960 or go online
- Experian: 1‑888‑397‑3742 or go online
- TransUnion: 1-888-909-8872 or go online
Even with your credit frozen, you’ll still have access to your credit records and scores. If you don’t already have a way to regularly monitor your score and report information, consider signing up before you place a freeze. Some credit card issuers and many personal finance websites offer them for free. Watching for a big, unexplained change can alert you to potential fraud.
Place fraud alerts if a freeze is too much
If you don’t want to lock out all creditors — perhaps you’re in the middle of mortgage shopping or refinancing — you can place a 90-day fraud alert on your credit. This tells potential creditors to verify your identity before issuing credit in your name.
Contact one of the three bureaus, and it will notify the others.
Monitor your own credit
You’re entitled to at least one free credit report from each credit bureau every 12 months via AnnualCreditReport.com. If you haven’t accessed your credit reports within the past 12 months, do it now. If you’ve reviewed them recently, placing a fraud alert on your credit files allows renewed access. Use your reports from the bureaus, and any free score and report services you have, to watch for:
- New accounts that you didn’t open
- Credit inquiries that don’t match when you applied for credit
- Balances that don’t match your statements
Deal with your credit cards
Freezing keeps new accounts from being opened, but doesn’t stop fraudulent charges on an existing account. Take these steps to protect yourself:
- Check your email and regular mail. Some consumers whose account numbers were compromised are being notified by credit card issuers that they’ll be sent a new card and the old one will be deactivated.
- Even if you’re not notified by your issuer and you think your data wasn’t in this breach, don’t relax. Stay vigilant by checking your credit card statements for changes you don’t recognize. If something looks fishy, dig further. Often there’s a phone number listed with the merchant name for the transaction.
- Consider signing up for text or email alerts about credit transactions. Many issuers let you set them for charges above a certain amount.
If you see a charge you think isn’t yours, call your issuer right away to dispute it. Your card issuer can’t charge interest or fees on the transaction while it’s being investigated.
What was exposed? Is my data out there?
The data accessed includes:
- Information such as names and addresses, birthdates, Social Security numbers and some driver’s license numbers
- Credit card numbers for approximately 209,000 consumers
- Some documents from about 182,000 consumers’ credit report disputes, including personal identifying information
Consumers can check whether their information is affected at www.equifaxsecurity2017.com. However, the “Check potential impact” process asks you to input the final 6 digits of your Social Security number, which gives security experts pause.
Equifax also opened a call center that you can reach at 866-447-7559. It will notify the subset of consumers whose credit card numbers or dispute documents were affected by mail.
Should I sign up for the free Equifax monitoring?
Equifax is offering all U.S. consumers free credit and identity theft monitoring for one year. But the risk doesn’t disappear after a year. Someone who has your Social Security number has it — and might try to use it — forever.
The service is through TrustedID, an Equifax company. The terms of service include waiving your right to participate in a class-action lawsuit or class arbitration and agreeing to use individual arbitration. The National Consumer Law Center has called upon Equifax to strike that clause. Failing that, the NCLC advises consumers they can opt out of the forced individual arbitration by notifying Equifax in writing within 30 days.
Bev O’Shea is a writer at NerdWallet. Email: boshea@nerdwallet.com. Twitter: @BeverlyOShea.
The article How to Protect Yourself After a Data Breach originally appeared on NerdWallet.