On September 7, 2017, credit reporting bureau Equifax announced that hackers had broken into its system and possibly stolen data on 145.5 million Americans.
It's one of the biggest cyberattacks ever, with potential consequences for years to come.
Hackers stole sensitive information like names, Social Security numbers, addresses, birth dates, credit card numbers, and driver's license numbers—enough information to steal your identity or open a fraudulent account in your name.
This is basically the worst-case scenario.
Equifax is one of the country's three major credit reporting agencies, along with TransUnion and Experian.
It collects private data about consumers and packages it to sell to vendors like credit card companies.
Credit bureaus don't need your approval to do this, so it's likely Equifax has information on you even if you've never heard of the company.
Hackers exploited a vulnerability in Apache Struts (sometimes misspelled as Apache Strut), open-source software that Equifax used, to gain access to private files for over two months.
Equifax found out in late July but didn't announce it for five weeks.
The company's reputation and stock have since tanked.
The breach could have long-term consequences for consumers—it affects half of U.S. adults, as well as some residents of Canada and the United Kingdom.
Unlike the theft of a credit card, which can be canceled, your birth date and Social Security number will never change.
Criminals could use this information for decades. With it, they could:
- open a bank or credit card account
- make purchases
- take out a car loan
- file a fake tax return to get your refund
- file health insurance claims
- get prescription drugs or see a doctor
The Equifax breach is just the latest in a frightening series of cyberattacks.
Hackers have targeted companies like Deloitte, Chipotle, and Verizon, as well as governments and political campaigns.
According to the Identity Theft Resource Center, there have been nearly 8,000 data breaches since 2005, exposing over a billion records.
Fortunately, there are steps you can take to limit the damage.
But you need to act today; crooks could use your personal information anytime.
Here's a step-by-step guide to what you need to do now.
To find out whether you were affected by the breach, you can visit Equifax's website.
You will have to give them your surname and the last six digits of your Social Security number.
The system isn't great—it will probably say that you "may" have been impacted.
Given the scale of the security breach, assume that you have.
1. Enroll in free credit monitoring programs
In the wake of the breach, Equifax is offering everyone a year of free credit monitoring called TrustedID Premier.
You may not want to trust the major credit bureau with anything right now, but the Federal Trade Commission and other experts recommend signing up.
You have to enroll by November 21, 2017.
TrustedID Premier is an all-in-one credit strategy. The tool gives you copies of your Equifax credit report, blocks third parties from accessing it, and scans suspicious websites for your Social Security number.
It includes up to $1 million of identity theft insurance.
It also includes a credit monitoring service, which checks your credit reports with TransUnion and Experian and sends alerts if anything changes in your file.
Reporters initially questioned whether signing up for TrustedID Premier would waive your right to join a class-action lawsuit against Equifax.
After the company changed its legalese, this is no longer the case.
If you take advantage of TrustedID Premier, you still have the option to participate in a class-action suit.
2. Check your credit reports
It's always smart to check your credit reports for suspicious activity or erroneous information. That's especially true after the Equifax hack.
All three major credit reporting agencies—Equifax, TransUnion, and Experian—have your credit report on file.
Federal law entitles you to check with each agency once every 12 months.
You can see all three at once or stagger them over the year.
Request your free credit report. Head over to Annualcreditreport.com to request your report, or check out our free credit score tool.
And remember, there's no such thing as having too much of an understanding about How Credit Scores Work.
Examine your reports for unfamiliar items, like a loan that you didn't take out or a credit card you don't have.
Such activity means that your identity may have been stolen.
Report possible identity theft on the Federal Trade Commission website IdentityTheft.gov.
In Canada, customers who may have been affected can visit the Canadian Anti-Fraud Centre.
3. Freeze your credit
The most reliable way to prevent thieves from opening an account in your name is to put a credit freeze or security freeze on your files.
A credit freeze prevents anyone from accessing your credit report, including yourself.
You will have to unlock it when you apply for a loan or credit card.
But protecting your credit is worth the hassle.
Mark your calendar to sign up for a free lifetime credit lock. At the end of January, Equifax will begin offering anyone affected a credit freeze that's not subject to state laws.
In the New York Times, columnist and consumer advocate Ron Lieber suggests that everyone should take advantage of this tool: "Here's hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files."
Go online to the websites of Equifax, Experian, and TransUnion to sign up and, in some states, pay a fee.
Lieber recommends doing the same for smaller reporting agency Innovis as well.
Having used freezes for years, Lieber explains how the process works:
"Once you do (and it may take a little time to complete the process), the bureaus are not supposed to release your credit report to any company except the ones that already have you as a customer.
"Why is this important? When a thief shows up with your Social Security number and address to apply for credit in your name, the lender will go to fetch your credit report before anything else happens.
"If it can't retrieve the report because of the freeze, then no new account for the thief.
"You can thaw your freeze every time you want to apply for new credit by using a personal identification number that the companies give you, which you absolutely should not lose.
"This costs a few more dollars. (Would it kill Equifax to waive these fees for a while, given the circumstances? Or how about forever?)
"The process is annoying, but it takes only about 15 minutes to do this at all three of the big agencies."
4. Set up a fraud alert
If you have an active fraud alert, a company must verify your identity before issuing credit.
If you include a phone number when you set up the alert, lenders will call you to get your approval, which is an important form of identity theft protection.
To set up an alert, call Equifax, Experian, or TransUnion, or fill out a form online.
By law, whomever you contact is required to notify the other two agencies.
Alerts last 90 days and can be renewed as often as you wish.
For victims of identity theft, they last seven years.
A fraud alert is a less extreme option than a security freeze because, with a fraud alert, you'll still be able to open new accounts with relative ease.
Business reporter Jeff Blyskal, writing for Consumer Reports, says that if you're in the midst of buying a home or another major transaction, you might not want to block access to your credit file.
In that case, "opting for a fraud alert may offer reasonable protection, because lenders will be warned and you'll receive a free credit report from each bureau."
But he and many experts recommend setting up both a fraud alert and a credit freeze.
"A credit freeze is the stronger option," Blyskal explains, "so if you can't lock down your credit now, plan on doing so as soon as you can.
"And for maximum protection, we recommend using both freezes and fraud alerts. As the Equifax breach showed, you can't be too careful."
5. Watch your bank account balance and credit card statements
It has always been smart to watch out for suspicious activity on your credit card statements or bank accounts.
This is especially the case after your wallet has been stolen or after a data breach at a major company.
You should look for withdrawals from your bank account that you don't recognize or unfamiliar charges, both warning signs of identity theft.
Criminals often check that an account is active by making a small purchase of a few dollars or less using your credit card number.
If this goes unnoticed, they will likely follow up with bigger ones.
If you notice suspicious activity, contact your credit issuer. Even if a transaction seems negligible, contact your credit card company to report that thieves may be using your consumer name or identity.
In an interview with NPR, Steve Bernas, President and CEO of the Better Business Bureau of Chicago, said that many consumers don't notice charges under $10—precise amounts like $9.84 look legitimate.
"Most of them were seeing say 'customer support' [or] 'website support,'" Bernas says. "And basically [what] they are really trying to do is get really pedestrian, in essence, so it flies underneath the radar…
"Usually if it's a joint credit card, the husband thinks the wife charged it and the wife thinks the husband charged it."
So instead of checking only the balance of your checking account or credit card bill, examine numbers line by line.
Ask your spouse or joint cardholder about questionable items.
6. File your taxes early
With your address, date of birth, and Social Security number, scammers can file fraudulent tax returns.
Why would they go through the paperwork? To get your tax refund.
Some victims only find out about this when they file their taxes and the IRS says it has already received them.
The best way to prevent this is by filing your taxes as early as possible, beating the thieves to the punch.
According to the Government Accountability Office, in 2014, the IRS paid out $3.1 billion in fraudulent refunds.
The IRS is working to safeguard its system and coordinate with the states.
It's taking new steps to verify your identity and that your tax return is valid, such as validation codes, PINs, and the inclusion of past adjusted gross income.
The Equifax breach will test current security systems. According to the IRS website, possible warning signs of tax-related identity theft include the IRS or your accountant contacting you about:
- More than one tax return filed using your SSN
- Owing additional tax, a refund offset, or a collection action taken against you for a year you did not file a tax return
- IRS records indicating you received wages or other income from an employer for whom you did not work
You may also want to keep an eye on your tax account through the IRS website.
It tracks payments and refunds, updating your balance every 24 hours.
Any activity that's not yours could be a sign of identity theft.
Even if you suspect a problem, the IRS says you should continue to pay your taxes and file your return.
7. Beware of scammers
It is often hard to tell a legitimate solicitation from a fraud, especially if it includes personal information that makes it seem legit.
Now that there's so much data out there, you need to be especially wary—crooks are creative!
For instance, a criminal might produce your Social Security number or driver's license number in order to look like a bill collector, fooling you into giving them a payment.
Alternatively, phishing scams offering a new credit card could get you to hand over money or information to their fake company.
Consumers should also watch out for imposter scams that take advantage of the panic following the Equifax breach.
FTC lawyer Lisa Weintraub Schifferle writes that if you get a call purportedly from Equifax asking to verify your information, hang up:
Stop. Don't tell them anything. They're not from Equifax. It's a scam. Equifax will not call you out of the blue.
Never give out your personal information unless you initiated the call. And if you didn't, you should be 100% certain the phone number that called is a legitimate number.
Email phishing scams are especially clever, making people fall for them all the time.
When it comes to your inbox, keep up your guard, writes Lily Hay Newman in Wired.
"The most important thing experts recommend is to listen to your gut. When something feels off, it probably is.
"But since the whole point of phishing (and its more tailored and targeted counterpart spear phishing) is to get you to do something without raising alarm bells, you need to practice skepticism even when things seem fine.
"You should be generally reluctant to download attachments and click links, no matter how innocuous they seem or who appears to have sent them."
Also, confirm the source—look for iffy URLs or email addresses.
If a message is from a friend but the tone is out of character, confirm it with them first because the user account may have been hacked.
In addition, Newman recommends other standard cybersecurity measures like using a password manager to maintain strong unique passwords and backing up your data.
Plus, always use two-factor authentication when it's offered, especially with financial institutions.
8. Help loved ones stay safe
Equifax isn't sending letters to potential victims about the data breach.
People without access to the internet or who aren't tech savvy may not know what steps to take.
Once you've taken steps yourself, help loved ones protect themselves. This is especially important for elderly relatives.
According to the FBI, senior citizens are especially appealing to criminals because they often have a nest egg and tend to be trusting.
Telemarketing scams are especially common.
On Next Avenue, Darren Guccione, the CEO of Keeper Security, says that it's important that older Americans are informed about online risks.
He offers tips on how to keep your elderly parents safe, including:
- Teach them about smart email practices and check their privacy settings on social media sites
- Advise them not to share valuable personal details on social media sites, like a phone number or alma mater
- Make sure they are using an updated internet browser
- Monitor their credit card statements
- Sign them up for Nomorobo to reduce telemarketing and robo-calls
- Stop unsolicited credit card offers through OptOutPrescreen.com
It's a hassle to go through this whole process twice, but it's a much bigger one if a relative gets his identity stolen.
It's worth taking the time to protect them.
9. Remain vigilant
After the Equifax breach, criminals could sit on personal information like Social Security numbers for a long time.
Once it's out of the news and people forget about it, they'll pounce.
This isn't a passing event. It will have lasting repercussions.
So you need to stay on the alert year after year, repeating many of the above steps annually.
Rich Mogull, CEO of security research firm Securosis, has been blunt about the danger.
He told the Associated Press: "If any of the data was exposed, you will be living with that for the rest of your life."
Take action now so you can live confidently in the future
It's impossible to safeguard yourself completely.
Hackers have a way of finding vulnerabilities and loopholes in any security system.
But what you can't do is ignore the seriousness of this hack on Equifax.
Given the ubiquity of digital information and cyberattacks, data breaches are probably the new normal.
Even if you are a victim of the Equifax hack, as many of us are, if you follow the steps above, you will protect yourself as well as possible in the internet age.