Equifax breach: How to protect your credit and identity

On September 8, 2017 Equifax announced that more than 143 million consumer records had been stolen in one of the largest data breaches in American history. The stolen data included critical personal information including Social Security Numbers and Addresses.

More than half of all Americans with a credit history are affected by this breach, and it doesn’t matter whether or not you’ve voluntarily used Equifax in the past. The truth is, credit bureaus like Equifax, Experian, and Transunion keep data on our credit whether we want them to or not.

And there will be financial fraud resulting from this leak. Why?

Because Names, Addresses, and SSN’s have leaked!

And that’s basically all the information a criminal needs to: Open a credit card, get a loan, or file a tax refund in your name!

What this guide will teach you:

You’ll learn step-by-step the free (or inexpensive) actions you can take to protect your credit, and minimize the damage. Criminals go after easy, low-hanging fruit. Take these few steps to make yourself a much more difficult target.

The Gameplan: Actions to take

Here’s an overview of the steps you’ll need to take to protect your financial future after this breach:

1. Determine whether you’re affected
2. Freeze your credit files (or set a permanent alert)
3. Monitor your future credit
4. Protect your taxes/tax refund
5. Sue Equifax (optional)

How to determine if your data is affected

Since the stolen database hasn’t been made public, 3rd party monitoring tools that promise to notify you if your info leaks on the ‘Dark Web’ can’t be considered reliable for determining if you’re affected by this breach.

But it’s a better than 50% chance that you are.

Currently the only tool to check your exposure is Equifax’s own tool, which can be found at https://www.equifaxsecurity2017.com/potential-impact/

How to use the Equifax Impact Tool

To check if your data was exposed, follow these steps:

1. Click the ‘Check Potential Impact’ button here
2. Enter your Last Name and the last 6 digits of your SSN
3. Check the ‘I am not a robot Checkbox’
4. Click the ‘Continue’ Button

After submitting your info, you will receive one of two responses:

1. “…you may have been impacted…”
2. “…personal information was not impacted…”

In either case, you will be offered the option to Enroll in Equifax’s TrustedIDPremier credit monitoring service. It appears that the service will be free to all users for at least the first year.

Tool Problems: Rumors vs. Truth

In the days immediately following the breach announcement, there were reports of issues with the tool giving false-positives. There was also concern that Equifax was using the tool as a sneaky way to get consumers to surrender their rights to join a class action lawsuit.

Here’s the latest on those concerns…

Tool not working properly

Multiple users reported the tool wasn’t working properly. It was validating clearly false name/SSN combos such as ‘Test 123456’. It would also validate the same SSN used with multiple names. In our own testing in the first 2 days after the breach, we were also able to generate a false-positive with a random name/SSN combo.

However it looks like most of those problems were in the first 48-72 hours, and in our testing the tool now appears to be working properly (or at least not generating a false-positive for every combo).

Takeaway: The tool appears to be working properly, but it’s basically impossible to verify whether the results you’re getting are accurate. Personally we recommend that you should assume you’re affected unless proven otherwise.

Lawsuit/Arbitration clause in the TOS

Let’s be honest, almost nobody ever reads the ‘Terms of Service’ before signing up for something online. And companies know that, so they sometimes try to sneak things in that consumers would object to if they were stated openly.

Thankfully a few people (probably lawyers or law students) did read the TOS for the impact tool, and found what’s known as an ‘Arbitration Clause’ requiring users to submit to binding arbitration instead of a lawsuit. Companies do this because arbitration is much less expensive and more likely to result in a favorable ruling for the company.

So what’s the truth about the Arbitration clause?

Equifax has since clarified that the Arbitration Clause doesn’t apply to the data breach itself, and affected customers still retain their right to sue. Equifax also added the clarification to their breach information page:

How to Protect your credit file

There are two different actions you can take to protect your credit after the breach:

Place an Alert:

You can place either a temporary (3 months) or permanent alert on your credit file. This requires any financial institution issuing credit in your name to contact you and verify that the request is valid.

You only need to place an alert with one credit bureau and they are required by law to notify the others.

Basically you will get notified if someone pulls your credit report.

Place a Freeze (most secure):

A credit report ‘freeze’ is the most effective action you can take because it prevents anyone (including you) from viewing your credit report or opening a new account with your SSN. The freeze can be lifted any time you want, but it may take up to a few days, and credit bureaus usually charge a small fee ($10-$30) to do so. You need to manually place a freeze at each individual credit bureau.

Pros: 

• No new accounts can be opened without lifting the freeze
• Preventive (as opposed to reactive like an Alert)
• Strongest action you can take

Cons:

• Cost: Placing/lifting a freeze usually incurs a fee of $10-$30
• Inconvenience: If you need to open a new account or get a credit check (applying for a job), you’ll need to lift the freeze. This takes a few days, and you’ll need to know which credit bureau the check is being done at (or lift a the freeze at all bureaus).

How to place a Freeze

Freezing your credit can be done by phone or online directly at the website of each credit bureau. When I froze my own after the Equifax breach it was free at all 3 bureaus (though at one I used their free monitoring service to ‘lock’ my credit instead of actually freezing).

Here’s how to do it for each credit bureau…

Transunion:

www.transunion.com

• Place a ‘Lock’: Using their free TrueID service
• Freeze:  By Phone (1-888-909-8872) or Web

Transunion currently charges a small fee to freeze, but the credit ‘Lock’ through TrueID is free.

Equifax:

• Phone: 1-800-349-9960
• Web: Freeze online

When I did the freeze at Equifax, I first tried the web option, but received an error along the lines of:

“…sorry but we cannot verify your information”

This may have been a server issue because I was able to create a freeze by phone quite quickly. The process was totally automated and took about 2 minute

Experian:

www.experian.com

• Phone: 1‑888‑397‑3742
• Web: Freeze online

How to lift a credit freeze

In order to lift a freeze, you’ll need to contact each credit bureau individually by phone or web.

You’ll also need the security PIN code you were issued when you placed the freeze.

If you want a bit more assistance, Lifehackers guide to lifting freezes can help walk you through it.

After the freeze: Monitor you credit

If you did a full freeze of each of your credit reports, you should be in good shape. But don’t let down your guard.

Even though you received a private PIN when you created the credit freeze (and an identity thief won’t have this info), it’s still theoretically possible to have issues popup.

For example, all credit bureaus will have an alternate way to lift a freeze in case you lose the PIN (since this probably happens a lot). Naturally, the info they ask you to provide for this workaround is personal and financial data. Unfortunately, this may partially (or completely) be obtainable using the info leaked in the Equifax breach.

So you’ll need to monitor you credit just in case. Here’s your best options:

Get your annual credit reports

In return for surrendering your privacy and credit history to credit bureaus, they each allow you to receive a free copy of your credit report each year!

So take advantage.

Go to annualcreditreport.com to access your reports. You get 1 for each bureau, once per year (so three total).

Consider Lifelock^TM identity theft protection

You may have noticed Lifelock ads everywhere lately. They’re on TV, Facebook, the Radio, and your favorite websites. They know catastrophic data breaches like Equifax’s will create huge demand for their identity theft protection service.

What Lifelock Does:

Lifelock is a credit monitoring and identity theft protection company. The services vary from plan to plan, but here is a quick breakdown of what Lifelock can do:

• Credit Monitoring and alerts
• Change of address verification
• Identity restoration handled for you
• Black Market / Dark Web monitoring for you SSN
• Data breach notification
• Fraud/resolution reimbursement up to $1 Million

Now to be fair, you could do many of these things yourself, including credit monitoring (free annual reports) and fraud resolution. What Lifelock really offers is convenience and peace of mind for a reasonable price.

Also, things like dark web monitoring and data breach alerts are tougher for you to handle on your own, not to mention the hassle of recovering from identity theft if it occurs. Personally, I wouldn’t mind outsourcing that hassle for $10-$30 a month to sleep like a baby.

Lifelock  has 3 subscription tiers. The higher priced tiers have a few extra features and a higher reimbursement guarantee in the case of fraud (up to $1 million). Below is is a quick plan comparison:

Beware of TAX Fraud

After a breach like this, it’s easy to worry about someone running up charges on your credit card. But the real damage could be done by someone filing fraudulent tax returns in your name.

And tax fraud is trivially easy once someone has your SSN and address.

All they have to do is submit a phony tax return before you do, claim a giant refund, and have the funds sent to a dummy address or bank account under an assumed name.

And while the IRS actually does manage to flag the majority of fraudulent returns filed by identity thieves, they still paid out more than $5.8 Billion in fake refunds in 2013 alone!

And you can bet those numbers are going to go up in the coming years.

Steps you can take to prevent tax fraud

CNBC published a decent guide on minimizing the risk of tax fraud, but here’s a quick summary of actions you can take:

1. File Early: Identity thieves like to file fraudulent returns in the time window before the IRS actually receives W-2 forms from employers. This allows the fake returns to bypass checks that would notice a discrepancy in W-2 earnings. So the earlier you can file, the better
2. Monitor your tax account: The IRS has a dedicated tool, allowing you to monitor any activity on your tax account. If you check this every month or so, you should be able to notice unauthorized activity pretty quickly. Bewarned, the tool is a bit difficult to access (security measures), even for the true tax account holder (yourself).
3. Get a tax PIN (not available to everyone): An IP (Identity Protection) PIN is a new pilot program being tested by the IRS in certain states to combat tax fraud. It’s also available on a case-by-case basis to former identity theft victims. More on this program below:

IRS IP PIN Program

The IRS’s new Identity Protection PIN program makes the tax filing process much more secure, by making it impossible to file a tax return or claim a refund without knowing your personal 6 digit PIN code.

This is similar to a 2-factor authentication system (which you should already be using on your email and financial accounts).

Who can get an IRS PIN?

There only two types of taxpayers to whom this PIN system is available:

1. Previous Identity theft/tax fraud victims
2. Residents of Georgia, Florida, or D.C.

If you are a resident of one of these states, you’re one lucky duck. You can learn more about their pilot program directly from the IRS site.

For the rest of us, the only way to get an IRS PIN is if you were formally invited by the IRS to participate. This usually only occurs after you were already the confirmed victim of tax fraud.

For everyone else: Let’s cross our fingers and hope this Equifax breach accelerates the nationwide rollout of the IRS PIN program. I’d bet on it going mainstream in a couple years.

Lawsuits against Equifax

There are already multiple class action lawsuits in the wake of this data breach, and likely to be more. In fact, law firms are already advertising their lawsuits in google search results:

But class action suits tend to be more of a windfall for the law firms sponsoring them than the actual customers who were hurt. Fortunately, you have the right to opt-out of any class-actions if you think it’s not the best choice for you. And Equifax might well get off with a wrist-slap in these class actions, with some estimates coming in around the $1/customer mark.

I don’t know about you, but I think the privacy of my Social Security Number is worth more than a buck.

But you have the right to sue on you own, and you can even do it quite cost-effectively by suing Equifax in small claims court. Small claims has limited damage caps that vary by state, but range from $2500 to $25,000 (which is a heck of a lot more than $1).

And now, thanks to the magic of AI and technology, you can even automate the process. There is now a free chatbot that will help file your small claims paperwork for you.

Ready? Go.

Final Thoughts

Look, this situation sucks. And there’s not doubt that some of what happens now is out of your hands. Some crook somewhere could devote his entire life to screwing you over if he wanted, and there’s probably enough personally identifiable information out there for him to cause some real damage.

But identity thieves don’t typically work like that. They go for the easiest targets, the low hanging fruit and then move on.

That means the people who will really get screwed over by the Equifax failure will be the people who don’t take the most basic steps to protect themselves.

So make yourself a harder target. It’s common sense (you can thank me later).

Make sure you:

1. Freeze your credit (or place a permanent alert)
2. Monitor your credit reports. Do it annually at a minimum, but quarterly is better.
3. Lock down your financial accounts with 2-factor authentication
4. Consider Lifelock monitoring/protection

Be proactive not reactive. It’s the best way to avoid being an identity theft victim. 

Good luck, and godspeed.