12

The FTC recommends those who may be impacted by the Equifax data breach do the following:

  1. Check credit reports at annualcreditreport.com.

  2. Enroll in the 1 year of free credit monitoring provided by Equifax.

  3. Place a credit freeze or a fraud alert on your files.

  4. Monitor existing credit and bank accounts closely.

  5. File taxes early.

These seem inadequate to me because:

  1. Annual credit reports are far too infrequent to catch bad guys in time.

  2. You need more than 1 year of protection.

  3. Credit freezes and fraud alerts both make my own life harder when opening new accounts.

  4. Monitoring existing accounts doesn't help protect against new fraudulent accounts.

  5. Filing taxes early doesn't address all the other issues besides fraudulent tax returns.

  6. Bank accounts, phone lines, mortgages, etc. all need constant monitoring, not just credit lines.

What else can I do to help protect my identity against this data breach while addressing the above shortcomings?

user541686
  • 3,385
  • 6
  • 37
  • 47

4 Answers4

6

Services like Credit Karma and Credit Sesame are free and will alert you to new accounts. Not as good as a freeze but zero pain.

Loren Pechtel
  • 5,068
  • 1
  • 22
  • 20
3

It's worth pointing out, because none of the other answers address this, credit alert monitoring is not done in real time. None of the credit monitoring/identity protection services, including those offered by the bureaus themselves, guarantee real time notification. If/when you are notified of a new account it likely has already been days or weeks since the credit pull.

Your assertion in the comments to your question that It's not like someone can (say) apply for a credit card in your name and receive the card in the span of 1-2 days. If you just get an email notification in the meantime there should be plenty of time to act, right? assumes real time notification with a wide enough window for you to act and stop the account from opening. It also assumes efficiency on the part of the lender to be able to stop a new account once the opening process has begun; for credit cards specifically, once that process is started there's likely no mechanism for the bank to pull the card out of the issuing process. It also assumes the credit pull happened at one of the big three reporting bureaus directly, not from a less expensive less real time data set compiled from credit bureau information.

The sad reality is even a credit freeze cannot, with certainty, stop an account from being opened in your name. Once in my life I was erroneously reported deceased, the wireless phone provider that I learned this from simply wanted a deposit to open the account and wasn't terribly concerned that the reporting bureau thought I was dead and my record was frozen.

Monitoring is a good initial step, it is not to be relied upon but it's better than nothing; just approach it with the knowledge that notifications will not be real time. Monitoring for free by Credit Karma and the like monitors less real time aggregated data. Paid monitoring didn't notify me of my new credit card last year. Monitoring services, and the bureaus (including Equifax) will make a fortune in the wake of this blunder, though Equifax will likely have to pay a penalty of some sort at some point down the road, not the the people exposed, but to a government body.

Separately, and probably much more alarming, there is a lot more to identity theft than credit cards and loans -- tax returns, employment, healthcare, driver's license, car insurance, etc.

quid
  • 49,074
  • 11
  • 101
  • 161
2

-- EDIT FOR BREAKING NEWS--

Due to the Equifax breach, http://www.annualcreditreport.com will now allow you to run all three of your reports and provide opportunities for you to dispute adverse or incorrect items, for free, even if you have already used them within the last year. It will allow you to see your reports from the three major agencies. Plus, the Equifax report includes a link to Credit Karma which will give you your FICO score at no charge.

------------------------------------------------------------------------------------------------------

ANSWER:

According to this article:

Equifax breached, up to 143 million SSNx and DOBs stolen, all Americans offered credit monitoring

Excerpt:

Massive multinational credit reporting company Equifax has been breached by hackers, with up to 143 million U.S. residents having their names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers stolen from the company’s databases.

They direct you to this address to enroll in their identity theft protection by going to https://www.equifaxsecurity2017.com/

I believe the answer is that to answer the first part of your question(protect myself) is to get credit protection so you will be notified when new credit is taken in your name.

For Non-US customers: If you do not have a SSN, call 1-866-447-7559. The call center is open every day from 7a.m. to 1 a.m. Eastern time.

You can use http://www.annualcreditreport.com/ to look at your credit reports. They are not limiting it to annual due to the breach at Equifax.

HINT: While you do that, and while you are in the TransUnion and Equifax reports you will have the option to DISPUTE adverse items.

I always suggest that people dispute everything adverse. That puts the onus on the other parties to produce evidence to TransUnion within 30 days attesting to the validity of the adverse item.

You would be surprised how many will simply drop off your report after doing this.

Here is a direct way to get to TransUnion:

https://dispute.transunion.com/dp/dispute/landingPage.jsp

--> Once they have removed the adverse items, it is communicated to the other bureaus.

It is amazing how well it works. It can raise your credit score significantly.

You asked about risk aversion (not making your life miserable), so here are two risks to consider:

The risk of doing nothing about it:

Were you impacted by the Equifax breach? You risk financial chaos by doing nothing (MarketWatch)

  • Financial identity theft
  • Criminal Identity Theft
  • Many victims don’t have the time and money to sue
  • Your data may have already been breached

The (now-nullified) risk regarding class-action lawsuits:

Equifax TrustedID customers waive their rights to a class-action lawsuit

Excerpt:

created a website that would allow consumers to check if they were affected. Customers who were told their personal information may have been impacted were given the following message: “Click the button below to continue your enrollment in TrustedID Premier.”

There was one worry: Those who signed up to this TrustedID Premier security monitoring service for a year appeared to waive their rights to participate in a class-action lawsuit.

That risk has now been clarified as non-existent:

Consumer Backlash Spurs Equifax To Drop 'Ripoff Clause' In Offer To Security Hack Victims

Excerpt:

Direct quote from Equifax:

"In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Lawsuit potential:

As it turns out, EquiFax neglected to apply patches to their Apache servers which may have caused to happen in the first place:

Failure to patch two-month-old bug led to massive Equifax breach

Excerpt:

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

Also,

Equifax hackers stole data for 200k credit cards from transaction history

Thus, there is every reason to expect multiple lawsuits.

SDsolar
  • 147
  • 1
  • 6
1

Please refer to this earlier question about what actions to take when you become aware that your private information may have been exposed by a data breach.

The data exposed in a data breach is limited to the information the party breached has transported or stored. This information is typically limited to directory information (name, address, telephone, etc), may include financial information (income, specific account information, possibly credit card information), or may include private information (such as health information, and even SSN). Some notable data breaches (e.g. the Target breach), have exposed financial information such as credit card numbers. But a data breach at one of the credit bureaus could expose far more extensive information. Should the attacker(s) gain access to detailed credit file information, they could potentially use the information to open new lines of credit, or access existing accounts.

This Equifax breach is vast in scope (143M people affected), and it is still unclear exactly how much private or financial data was exposed for each person. Reports have suggested that the breach was ongoing, and was found at the end of July. This means there has been a delay of over 1 month where individual's data has been exposed and individuals were left uniformed. Considering the delay in providing information and the lack of clarity regarding the extent of information, a prudent person should immediately freeze their credit at all three bureaus. Credit monitoring will only tell you when someone tries to appropriate your identity and use your credit. Until we know the full scope of data exposed, the safest thing to do is assume the worst.

The amount of data that credit bureaus keep about individuals is extensive, and exposure of that data could affect credit, insurance, employment, and other areas. Expect that the fallout from this breach could be vast.

ChuckCottrill
  • 2,640
  • 19
  • 22