While it’s not the biggest data breach in history — that dubious honor probably still rests with Yahoo’s combined 1.5 billion leaked accounts between 2013 and 2014 — the Equifax hack is setting out to be one of the most devastating. It’s put at risk the social security numbers, credit card numbers, birthdates, driver’s licenses, and addresses of over 143 million people.
If you’re American — or have worked in the U.S. — and aren’t worried, then you’re not paying attention. Here’s everything you need to know about the Equifax hack, how it could impact you, and what you can do to protect yourself.
What is Equifax?
Don’t know of Equifax? Well, they most likely know quite a bit about you.
Equifax is one of the big four credit-reporting agencies based in the U.S. These agencies collect information on all of our borrowing and bill-paying habits in order to create credit reports on us. Any institution in a position to give you a loan, manage your money, or send you money can then access your credit report to help decide whether to proceed with the transaction.
What do credit reporting agencies like Equifax collect?
- Social security numbers
- Driver’s licenses and other ID information
- Credit card numbers and purchase histories
- Loan and debt information
- Bank account details
So what happened in the Equifax hack?
Back in mid-March, security researchers found a vulnerability in the open source Apache Struts software used to build certain websites, including Equifax’s.
While a patch for the vulnerability was released, Equifax apparently failed to implement the fix, allowing hackers to access their system from mid-May until the end of July, when Equifax finally noticed and closed the breach. The company then conducted a silent internal audit which ended in early September, when it formally announced the breach.
That means that not only was the personal information of those 143 million people at risk for nearly 2 months, but the thieves have had nearly 4 months to take advantage of the stolen identities.
Outraged yet? You’re about to be. Shoddy security aside, it later surfaced that several Equifax executives had cashed out on large amounts of stock options after the breach was discovered, but before it was announced publicly. While the company claims the sale is unrelated, it certainly doesn’t look good.
How does the Equifax hack put me at risk?
The Equifax breach is unlike any other breach you may have heard of. Previous breaches had always affected distinct parts of someone’s online identity: an Instagram account here, an Apple account there, maybe a credit card number... But this is the first breach that occurred in a place that collects nearly all of the fundamental pieces of institutionally recognized IDs.
In other words, this single Equifax breach gave hackers everything they needed to successfully steal your identity.
Financial identity fraud
There are various ways that thieves could use the breached information for financial identity theft. They could:
- Open new lines of credit with different institutions and rack up obscene amounts of debt
- Steal your tax refunds and create problems with the IRS
- Make purchases with your credit cards
- Sign up to utilities and services in your name
- Get educational loans
- Ruin your credit score
Each of these could have long-lasting ramifications for your financial life that, once caught, could take years to resolve. Even if resolved, the whole situation could make it harder to get lines of credit or mortgages when you need them, and it could even hurt your future employment prospects when employers review your records.
Criminal identity fraud
It’s not all about money. Identity thieves could commit crimes under your name: Everything from shoplifting, to signing into hotels or hospitals and skimping on the bills, to running up speeding tickets… Honestly, criminals can be far more creative than any list we can come up with.
The point is that you’d be on the hook for those crimes, and police, lawyers, and debt collectors could come knocking at your door for arrest or reparations. And in many cases, you’d have to physically present yourself in whatever state the crime occurred to prove your innocence.
Am I affected by the Equifax breach?
You won’t know for sure
Equifax has put together a site where you can enter part of your Social Security number to check if you were impacted. Yes, the company that failed to protect crucial data is asking you to provide more of it to see if you’re impacted. The worst part? Several researchers have pointed out that not only does the system seem insecure (surprise!), it could also be little more than a stalling tactic for the company: Entering gibberish has produced the same responses as entering legitimate information.
Tellingly, if you are a Canadian or UK national who is potentially impacted by the breach, the system offers no method for you to check your information.
In other words, you shouldn’t trust the Equifax website.
So assume you are affected
Most of the data that was stolen pertains to documents and IDs that cannot be easily changed. That means that even years down the road, someone somewhere could get access to that data and make use of it, subjecting you to everything mentioned above.
How do I stay safe after the Equifax hack?
Putting the genie back in the bottle isn’t going to be easy on this one. In fact, it’s pretty much impossible if your information was among those taken. Still, there are some steps you can take:
- Get a credit freeze with each consumer credit reporting bureau
- Set up fraud alerts — if possible extended ones
- Periodically check your credit report
- Keep an eye on your tax filings
- Extreme: Consider changing your social security number
1. Get a credit freeze
This is the number one thing you should do to protect yourself from financial fraud, and keep your credit score intact. To set up a credit freeze (also called a security freeze), you’ll need to get in touch with each of the big four consumer protection bureaus:
Setting up the credit freeze should be possible online, but in some cases you may need to also phone in or request the freeze in writing. Each bureau will provide you with a PIN that you will be able to use to unfreeze your credit file to apply for new lines of credit.
A small fee may apply to get the freeze, but if you get a copy of a police report and an affidavit that you are likely to be the victim of identity theft (which is not hard to make a case for given this breach) you can get a freeze placed for free.
Credit freezes aren't perfect, but they're the best thing you can do to protect yourself
Even if you need to shell out some cash, take our word for it: it’s well worth it. Not only will it stop someone from opening new lines of credit, it will stop issuers from checking your credit file in the first place — which helps protect your credit score.
Whatever happens, do not get distracted from setting up the freeze by offers for other services: A "credit lock" is not the same thing as a credit freeze, and won't stop credit bureaus from selling your report to anyone who comes asking.
Remember that selling your report is how credit bureaus make a large chunk of their money, so they won't be inclined to make this easy. Be determined.
2. Set up a fraud alert
Fraud alerts are an additional level of security you can place on your credit file. With a fraud alert, no lender or service provider should grant credit without first getting your approval. You only have to apply for a fraud alert with one of the above bureaus, and they are obligated by law to share the alert with the others.
Fraud alerts only last for 90 days, but you should be able to apply for an extended seven-year fraud alert if you provide the same kind of police report or affidavit used for a free credit freeze.
But keep in mind that while the bureaus should contact you, they are not legally obligated to do so. A fraud alert is no replacement for requesting a credit freeze.
3. Periodically check your credit report
You should verify your credit report regularly and report any fishy activity you spot. Do so every quarter just to be sure. You can order a free copy of your credit report from the bureaus via the government-mandated site: annualcreditreport.com.
What about credit monitoring?
Credit monitoring services don’t actually prevent new lines of credit being opened or stop fraudsters from committing crimes, but they could be useful in recovering from identity theft and financial fraud later. They are also more expensive than the fees to set up a security freeze on your credit report.
In response to the breach, Equifax is currently offering one year of free credit monitoring. Their fine print mentions that in using the service you waive any rights to participate in class-action lawsuits in the future, but they have come out in writing to say that this does not apply to their current free offer.
So there’s really no reason not to take them up on it, but once the free year expires, you can expect them to try to hard sell you into further years.
4. Keep an eye on your tax filings
If you find that someone has already filed your taxes in your stead, contact your local state agencies and report it immediately. Tax fraud is a growing problem, and the Equifax leak has just made it easier than ever to perpetrate.
Consider filing early to get the drop on fraudsters.
5. Extreme: Change your Social Security number
If your social security number has leaked, none of the measures outlined above will ever make it safe to use again. Your social security number can be used in many ways, including tax fraud. And if you think dealing with financial institutions is a headache, just wait until you deal with the IRS.
While this shouldn’t be taken lightly, you can request a new social security number. The process isn’t simple and will require plenty of documentation, but the government has a page that details everything you need to change your social security number.
Keep an eye out for scams
While identity thieves are definitely a threat, the amount of information leaked from Equifax is a real treasure trove for scammers, too. They can use it to target you — or people you’re close to — with all kinds of tailor-made scams.
"This is Equifax calling to verify your account information."
No, it isn't. Fact: Equifax isn't calling you, or anyone. If you receive a phone call claiming to be from Equifax, don't provide any personal information. Hang up, and contact Equifax yourself using the number on their website.
Don't trust caller ID, either — scammers know how to spoof call numbers. And if it's a robo-call, don't engage by pressing any numbers to speak to a live operator or get your number off the list.
Basically, if you haven't initiated the call, don't give anything away.
Received a call you think is fake? Report it to the FTC.
We've covered how to spot fake emails in the past — and now's the time to get your paranoia on. In this case, look out for the address the emails are coming from: Equifax only sends emails from @equifax.com, @trustedid.com and @e.equifax.com.
Scammers can create addresses that look nearly identical to the real ones, so pay extra attention to the details. As an extra precaution, just don't click on any of the links in the emails, or download any of the attachments.
If you think an email may be legitimate, open your browser and go to the Equifax website directly so you're sure you're hitting the right website.
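The sender check described above, as an added example that is not part of the original article: a Python function that sorts a From: address into listed, lookalike or unlisted, using the three domains named here. The function names, the edit-distance threshold of 2 and the sample addresses are assumptions made for illustration.

```python
from email.utils import parseaddr

# Sender domains the article lists as the only ones Equifax mails from.
ALLOWED = {"equifax.com", "trustedid.com", "e.equifax.com"}
# Brand labels derived from that list: 'equifax', 'trustedid'.
BRANDS = {d.split(".")[-2] for d in ALLOWED}


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'listed', 'lookalike' or 'unlisted' for a From: header value.

    'listed' only means the domain matches; a From: header can be forged,
    so the advice to open the site directly instead of clicking still applies.
    """
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return "unlisted"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in ALLOWED:
        return "listed"
    # Brand name used as a label or inside one, e.g. equifax.com.verify.example
    if any(brand in label for brand in BRANDS for label in domain.split(".")):
        return "lookalike"
    # One- or two-character differences, e.g. equlfax.com or a swapped homoglyph
    if any(edit_distance(domain, d) <= 2 for d in ALLOWED):
        return "lookalike"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for header in ['Equifax <alerts@equifax.com>',
                   '"Equifax" <support@equifax.com.verify.example>',
                   'alerts@equlfax.com',
                   'newsletter@shop.example']:
        print(f"{classify_sender(header):10} {header}")
```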
Remember the site Equifax set up to let you check to see if you are impacted by the breach — the same one we said you couldn't trust? Well, someone's already spoofed it. Worse still, Equifax customer support tweeted the fake site to its customers.
Yes, this really did happen — and while it turned out this fake site wasn't a phishing site, it was created specifically to illustrate this point.
So again, trust us when we say don't click on any links claiming to come from Equifax, and be hyper vigilant these days.
Although this is hardly the time to be trying to plug any products, AVG Internet Security really does help block phishing emails and stops you from being redirected to phishing websites. If you aren't using it, give it a try for free.