Equifax Data Breach – Follow-UP

As a quick follow-up to my post about the data breach on Friday…  there are numerous questions about the website that Equifax is using (www.equifaxsecurity2017.com) to tell people if they were impacted by the breach and to lead them to the year of free credit monitoring.  First, the terms and conditions of using the website and enrolling in Trusted ID, the credit monitoring service, seem to indicate that you’re giving up your rights to participate in any class action lawsuits against Equifax by using them.  Next, people have reported that the check to see if you are impacted was giving random results.  For example, entering “Test” as the last name and “123456” as the SSN was telling people they were impacted.  Similarly, using two different browsers with a real last name and SSN was giving two different responses.  Those issues are supposedly now corrected.  Equifax’s site indicates that:

“1) You Can Determine Your Status Immediately
Some consumers who visited the website soon after its launch failed to receive confirmation clarifying whether or not they were potentially impacted. That issue is now resolved, and we encourage those consumers to revisit the site to receive a response that clarifies their status.

2) No Waiver Of Rights For This Cyber Security Incident
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

I have no idea whether the issues above are truly corrected.  While it seems unlikely that our government would allow consumers to give up their rights by enrolling in credit monitoring due to a breach like this, I can’t guarantee it.  I highly doubt that Equifax was trying to pull a fast one, knowing there’s no way they’d get away with it.  Most likely, there was a technical issue with a site that was created on a rushed basis, and the terms and conditions people were referencing were never intended to apply to this data breach.  But, if you decide to enroll in Trusted ID, I wanted you to be aware of what has transpired over the last few days and make your decision with this knowledge.

Equifax Data Breach

Yesterday, Equifax announced a data breach that potentially impacts 143 million people. While we’ve all become somewhat desensitized to these types of breaches due to the sheer number of them over the last few years, this is probably the worst one I’ve seen. It sounds like the usual data from virtually everyone was obtained (name, address, SSN, DOB, etc.), but for a smaller group, also credit card numbers, driver’s license numbers, and other personally identifiable information from dispute documents that were accessed. The breach was discovered on July 29th, but the unauthorized data access occurred as far back as mid-May. My sense is that if bad things were going to happen to you as a result of this breach, they probably would have already happened, though it’s possible there will be a surge now that the public is aware in an attempt to get fraudulent activity in prior to credit card account numbers being changed and other preventative action taken.

The good news is that credit fraud almost never results in financial loss to the victim. It creates a nightmare of forms to fill out, phonecalls to make, and customer service reps to deal with, but generally, you’re not responsible for anything that’s fraudulent. The person claiming fraud is virtually always given the benefit of the doubt as well. The thieves are stealing from the credit card companies, the banks, and the retailers (or the IRS / states if it’s fraudulent tax returns that get filed), not from you. Where it could impact you is if you’re applying for credit like a mortgage in the middle of fraudulent activity that has lowered your credit score and put derogatory marks on your credit report.

Equifax is supposedly contacting affected consumers (those whose credit card numbers or certain other information was accessed) by mail in the next few days. If your credit card info was taken, you should get those cards replaced. If your driver’s license number was taken, you should contact your DMV. If other data was taken, my guess is that it’s no worse than the other hundreds of recent hacks. Your name, address, DOB, SSN, and even medical information has likely already been accessed from the health insurance hacks and various other financial and retail hacks. If you’re concerned, the best advice I can give is to freeze your credit with the credit agencies (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs) which will prevent new accounts from being opened, and to monitor your credit score / credit report / account statements regularly to detect any unauthorized use of existing accounts. You could go so far as to hire a service like https://www.lifelock.com/ (I have no personal experience with them and can’t recommend them on that basis) if you’re really concerned. Equifax is also offering a free year of credit monitoring as a result of the breach (see below for more info).

In general, I think freezing your credit is a good idea if you’re not planning to need a credit check in the near future, but it can be a real nuisance if you forget that you did it and you’re urgently trying to get something done (like getting a new cell phone, establishing utilities, applying for financial aid, or a host of other things that will be disrupted if your credit is frozen when you do it). I think it’s just a matter of whether you consider freezing / unfreezing to be more inconvenient than dealing with ID theft / credit fraud if it happens (adjusted for the probability of it happening). There are some easy things that I think we should all do to mitigate the risk of credit fraud / id theft. Those are:

· checking your credit report regularly (almost all credit cards provide access now and there are also free services like www.creditkarma.com (though be aware that they are collecting, storing, and potentially selling your data as well) and annualcreditreport.com).

· setting alerts on your existing accounts so you’re notified by text or email when charges are incurred or money transfers are attempted.

· using a different password for each website that you use.

· not keeping a lot of money in checking accounts or other accounts which can be accessed via fraudulent checks or debit cards.

More information on this data breach is available directly from Equifax at: https://www.equifaxsecurity2017.com/. At that site, you can also register for the one year of free credit monitoring that they are providing. I can’t think of any downside to registering for that service other than potentially having to field a request to join a paid service at the end of the year. Whether or not you feel it’s worth your time/energy is obviously up to you.

If you believe you have been the victim of identity theft, go to www.identitytheft.gov and follow their instructions. This will involve reporting the fraud to the credit agencies, filing a police report, and contacting the companies that have opened fraudulent accounts. The website does a fantastic job of walking you through the process.