As many of you may have already read in the headlines, a massive information breach occurred recently at credit reporting bureau Equifax. According to their website, the company identified a cybersecurity incident on July 29, 2017, that has the potential to impact approximately 143 million U.S. consumers. Criminals apparently exploited a U.S. website application vulnerability to gain access to certain files.
With a lot of uncertainty surrounding what to do next, we thought it prudent to share our thoughts on what you should know and how to protect yourself and your identity from further exploitation. This article is a little different from our regular articles, as it is in question-and-answer format. If you find your question is not addressed, feel free to follow up with us in the comments below, or via email or phone.
How do I know that my data was breached?
You may never know for sure. While Equifax has hastily thrown together a website for consumers to check and see if their data has been breached, they said in a statement that they are still trying to understand the scope of the incident: “We promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.”
In addition, the results of a positive query on the Equifax web tool are non-committal, citing, “We believe that your personal information may have been impacted by this incident.”
Call me a skeptic, but if Equifax is still “determining the scope” and telling me what they “believe,” I am not sure I trust the results of this web tool.
What sort of data was breached?
I have heard many initial public reactions citing an incorrect assumption that the data stolen was largely credit scores. That assumption is likely false. Equifax notes on their website that they believe much more sensitive data has been stolen: “The information accessed primarily includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. Criminals also accessed credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” This is precisely the type of data that a criminal would want to steal your entire identity.
Providing a company that just announced one of the biggest data breaches in history (due to a web vulnerability, mind you) with my last name and the majority of my Social Security number (SSN) through a website that they hastily put together doesn’t give me warm and fuzzy feelings inside. Plus, the fact that they are requiring six digits of your SSN implies that the more commonly requested “last four digits” were likely compromised. We have also seen many reports that this website has been returning differing results for the exact same data based on the use of a different browser.
Without a safer and more reliable source of information regarding what exactly has been breached, I would recommend steering clear of the Equifax website and assume that your data has been compromised.
Am I giving up my right to legal action if I agree to accept Equifax’s TrustedID monitoring service?
As part of the deal for mishandling your data, Equifax is offering their identity theft protection and credit file monitoring service – TrustedID Premier – free to all U.S. consumers, even if you are not impacted by this incident. Early acceptance of this deal required you to agree to forfeit your rights to bring legal action against Equifax:
This decision was quickly criticized by New York State Attorney General Eric Schneiderman in the below tweet:
Should I enroll in the identity theft protection and free credit monitoring?
It certainly cannot hurt, although this and other similar services are only preventive measures and are will not detect identify fraud until AFTER it has happened. In addition, these services are only good for one year and the thieves know that, meaning they will sit on the data until it is more likely they can get away with their nefarious actions.
Well, now, what the heck should I do?
Consider a credit freeze, which allows an individual to control how a U.S. consumer reporting agency is able to use their data. The credit freeze essentially locks the data at the agency until an individual gives permission for the release of the data. Basically, your information stored by the credit reporting bureaus is not available for lookup or use by any organization without your permission. This means no organization may allow the creation of a new account with your identity. Please note that this does NOT affect your current accounts or credit score.
How do I freeze my credit file?
To freeze your credit, you must notify each of the major credit bureaus that you wish to place a freeze on your credit file. In some cases, this can be performed online; in other cases you may have to inform the credit bureau by phone or mail. Once the application process is complete, each bureau will provide you with a unique personal identification number that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for a new line of credit. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. For residents of the Commonwealth of Pennsylvania, please see the below link for full details and instructions on how to put a credit freeze in place, and even a sample freeze letter: http://www.consumersunion.org/pdf/security/securityPA.pdf
What else can I do to protect my identity?
If you decide against a credit freeze, consider placing a fraud alert on your files, which warns creditors that you may be an identity theft victim and they should verify that anyone seeking credit in your name really is you.
Regularly check your credit reports from Equifax, Experian and TransUnion. You can do this by visiting http://www.annualcreditreport.com. Accounts or activity you don’t recognize may indicate identity theft.
Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
File your taxes early. We recommend doing this as soon as you have the tax information you need, before a scammer can exploit it. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
How did this happen, aren’t the credit bureaus regulated?
The short answer is: Yes, but not well.
In 2012, the Consumer Financial Protection Bureau adopted a rule to begin supervising larger consumer reporting agencies, including credit bureaus and credit reporting companies. This was the first time these companies would be supervised at the federal level. Equifax and other credit bureaus don’t face the constant monitoring, auditing and oversight that help strengthen the banks’ systems and data protections and, in essence, fall through regulatory cracks. This is in stark contrast to traditional financial institutions, who have been under a much broader and deeper set of regulatory oversight for far longer. It begs the question, how do Equifax and other credit bureaus that store the most sensitive of details of our financial lives undergo such little regulatory scrutiny?
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.