Credit reporting agency Equifax has reported a data breach that may affect as many of 143 million U.S. consumers. The breach occurred from mid-May through July 2017.
According to Equifax, information accessed primarily includes:
- Social Security numbers
- Birth dates
- In some instances, driver’s license numbers.
- In addition, credit card numbers for approximately 209,000 U.S. consumers
- Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Web page to see if you’re impacted and enroll in free credit monitoring
Equifax has a web page with information and a way to enroll in “complimentary identity theft protection and credit file monitoring services and there is a Getting Started page where you enter your last name and the last six digits of your social security number to find out if you may have been impacted. Given the breach, I was hesitant to enter my information, but — considering that they have it anyway — I decided to go ahead and got the following response:
After you determine your likely impact, the site offers you free access to the company’s “TrustedID Premier” program” and tells you to “mark your calendar” to check back. The Equifax site has been updated since it was first launched after widespread reports that it didn’t provide adequate or accurate information.
What to do
While this hack does make one question whether to turn over information to Equifax, the fact is that they already have your information. They collect it from companies you deal with. So, I did enroll in their monitoring service and — even as I wait to be enrolled — plan to take advantage of the FTC endorsed free AnnualCreditReport.com service. (Click here for FTC information on this).
It’s also a good idea to check your online credit card statements for fraudulent activity. In most cases, you can review very recent transactions on your credit card website prior to their appearing on your monthly statement. I did this after hearing about the Equifax breach and found an unrelated inaccurate charge, which I disputed, and the bank almost immediately credited my account.
Don’t click on links in email about the breach. Scammers may take advantage of it by sending you official looking email, asking you to log into what may be a rogue site. USA Today reports that Equifax will notify people by snail mail if there is follow up or you can access that Equifax web page I referred to early.
Equifax didn’t report anything about passwords being stolen, but if you have any accounts with Equifax, it’s a good idea to change your password. Here are some tips on password security from ConnectSafely.org.
You can freeze your credit so that the reporting bureaus won’t provide information if someone tries to open an account as if they were you. You will be given a PIN that you can use to unfreeze if you wish to open an account or apply for credit. To do this, contact each of the credit reporting agencies below.
The National Cyber Security Alliance offers this advice:
- Lock down your login. Use strong authentication — more than a username and password to access accounts — to protect your most valuable accounts, including email, social media and financial.
- Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
- Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website identitytheft.gov.
- When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts, and get information only from legitimate sources.
One of the things I find disturbing about this data breach is that there is essentially nothing any of us could have done to protect ourselves. We’re told to have strong passwords, avoid risk sites and apps and use security software but that only protects our devices, not data stored by others. And, in the case of Equifax and other credit reporting bureaus, it’s not as if we’ve even chosen to do business with these companies. They collect and store sensitive data about us whether we like it or not and I’m even sure if there is a way to opt-out.
It also brings up the issue of how social security numbers are used to identify us. When I was a kid, no one talked about keeping your social security number secret because, at at time, it was only used by the Social Security Administration to keep track of your payments and future benefits. Now it’s used by many companies, almost like a password to identify you. On one hand we’re supposed to keep it secret but we’re also required to disclose it to financial institutions when we apply for loans or even set-up a bank account. We give it to our employer and sometimes to medical insurers and providers. These companies are supposed to safeguard this information, but they’re subject to hacks, human error and even deliberate breaches from within. Medicare even puts recipients social security number on their card, which they usually care in their wallet so if their wallet is stolen, their identify is at risk. Medicare plans to change this next year, but in the meantime millions of people over 62 are vulnerable.
We need to figure out a way to disempower the use of the social security number to steal our identities. I’m not sure how that can be done, but I’m pretty sure it’s doable.