Yesterday, Equifax announced a "cyber security incident" that potentially impacted 143 million customers in the United States. Equifax is a large, publicly traded credit reporting company. It aggregates sensitive information on nearly every adult in the country. This is a big deal. Equifax did itself more harm, as we now know that its executives had known about this breach for a full 40 days before alerting the public and its impacted customers. Even worse, Equifax executives began to quickly, and quietly, sell their stock before the news hit. When the announcement was made, Equifax stock (EFX) lost nearly 14% in a single day.
Names, Social Security numbers, birth dates, addresses, driver's license numbers and some credit card information have been compromised. Equifax says hackers exploited a vulnerability in the company's US web application to gain access to the information. The intrusion appears to have run from mid-May through July 2017. The company says that it has uncovered no evidence of unauthorized activity on "Equifax's core consumer or commercial credit reporting databases." While the breach impacts mainly United States consumers, some information from Canadian and UK customers has also been stolen.
What should you do?
Equifax has set up a website to help determine if your information was stolen. www.equifaxsecurity2017.com will take you to a page where you can enter your last name and the last six digits of your Social Security number. The promise of the page is that it will tell you whether you have likely been impacted. Some commentators have had inconsistent results with the page -- sometimes it gives them positive news, other times news that they have been compromised. So there may still be some kinks being worked out. It's probably worth trying it more than once with a few hours in between.
When you are on the company's page, it offers you the option of signing up for one year of Equifax credit monitoring for free. You can choose to do this, but if you do, the terms of agreement forbid you from participating in any legal claim against Equifax related to the breach. By signing up, you sign away your legal rights. This waiver impacts your ability to bring an independent claim or participate in any future class action proceedings that might be prosecuted.
If you don't want to take Equifax up on its offer, you can look at other credit monitoring companies. Lifelock, Free Scores and More, Privacy Guard, and myFICO are all well-reviewed services in this area.
Here are some other tips from experts:
- Frequently monitor your account statements and credit reports, and report any suspicious activity to your financial institution. The faster you can identify identity theft, the less damage will occur. You can even sign up for an automated service that will alert you to suspicious changes.
- Secure all your online accounts with strong, unique passwords and two-factor authentication. Following large data breaches, cyber criminals are known to attempt to use stolen data to access online banking accounts, travel-related accounts, insurance accounts, and email accounts–all of which store your most sensitive financial and personal information. Use unique, strong passwords for every account so an attacker can't access the “whole portfolio” of your identity with your reused passwords.
- Consider placing a freeze on your credit report. A credit freeze lets you restrict access to your credit report, making it harder for an identity thief to open a new account under your name. A credit freeze does not affect your current credit score and remains in place until you ask the credit reporting firm to remove it.