When The New York Times published “The Biggest Tech Failures and Successes of 2017,” July’s massive Equifax hack topped the list of “epic failures” that “exposed your personal data to hackers.”
That so-called epic failure was unprecedented — cyberthieves breached the credit reporting agency’s repository of sensitive personal information for more than 145 million Americans, about 44 percent of the population. Exacerbating the personal risk to those Americans, Equifax executives waited nearly six weeks to publicly disclose the giant hack. Days after the breach was “detected” by the Atlanta-based company, but well before it was publicly disclosed, three senior Equifax executives sold almost $1.8 million of the company’s stock. Equifax has insisted that the executives were unaware of the breach at the time of those stock sales, but the Securities and Exchange Commission is investigating. The July incident was the third hacking disclosed by Equifax for the year.
Equifax acknowledged that hackers gained access to the data by exploiting vulnerabilities in a web application, stealing names, addresses, birth dates, Social Security numbers, driver’s license numbers, medical bill data and about 209,000 credit card numbers. The breach also compromised 182,000 “dispute documents,” complaints that include sensitive personal identifying information. More than 240 lawsuits seeking class action status have been filed against Equifax, and all 50 state attorneys general have ordered the company to hand over information. The Federal Trade Commission, Consumer Financial Protection Bureau, SEC and regulators in Britain and Canada have also ordered Equifax to provide information.
If you are still unsure if your personal information was compromised in the Equifax data theft, go to the website equifaxsecurity2017.com where you can determine whether you were among the more than 145 million people whose information was lost.
Perhaps most disturbing is the fact that no person opts in to Equifax (or the only two other credit bureaus, Experian and TransUnion) and you cannot opt out. But anyone who has credit, meaning any adult American, was likely part of the breach, or vulnerable to identity theft. Credit reporting agencies calculate credit scores based on a consumer’s entire financial history to determine which consumers get loans and credit cards and at what interest rate. Credit bureaus scoop up consumers’ personal and financial information and sell it to banks and other financial institutions, even though no one gives them permission to do this. Oversight for credit monitoring agencies is lax at best, and they are scrutinized only when there is an epic transgression. Though the European Union is rolling out strict new privacy rules, called General Data Protection Regulation, in May, Republican lawmakers blocked all legislation proposed to better protect Americans’ privacy or to force credit bureau accountability for loss of people’s personal information.
In other words, you are on your own.
“Once the information is out there, it is out there,” said Clifford Neuman, director of USC’s Center for Computer System Security. “There is nothing you can do to keep it from further circulating. You can just make it harder for someone to use it and appropriate your identity.”
Following is a list of the best ways to protect yourself after your information has been breached, and Neuman said that everyone should act defensively, assuming that their personal and financial information has been breached.
Freeze Your Credit
Freeze your credit with all three credit reporting agencies — Equifax, Experian, and TransUnion; that keeps any new creditors from seeing your personal and financial information in a credit report and issuing a card or loan. You need to freeze it at all three agencies because an identity thief could use your personal information to apply for credit at a lender that checks files with just one of the agencies, said Neuman. “Freezing your credit blocks people from using your information to open a credit card account,” said Neuman. A credit freeze may require a small fee, usually about $10 per bureau.
After absorbing consumer rage and a lashing from lawmakers, Equifax dropped the charge to freeze consumers’ credit following the breach. The company offered a free year of its TrustedID Premier credit protection and monitoring service to all U.S. consumers who signed up by the end of January; that includes a credit freeze, credit file monitoring for the three bureaus, the ability to lock and unlock your Equifax credit report, identity theft protection and insurance and Internet scanning for Social Security numbers. At the end of the free year, charges apply, as they already do for customers who sign up in February or later. That has angered many consumers, who’ve pointed out that Equifax’s negligence created the need for the TrustedID Premier services that it is now selling or marketing to the very consumers victimized by the breach. Naturally, some consumers refuse pay a nickel to Equifax. The company has since announced the Jan. 31 launch of its Lock & Alert service; it’s billed as free for life, but the website doesn’t provide details.
Note About Unfreezing Credit
A small fee may apply when you want to unfreeze your credit in order to apply for new loan or a credit card. (Appalling note: credit reporting bureaus have fought all state laws designed to make freezes available, along with all other regulatory strictures. Freezes make it more difficult for credit bureaus to profit from selling Americans’ personal data.)
One problem with a credit freeze is that when you want to apply for a new line of credit or a loan, you will need to unfreeze your credit and then refreeze it, which may involve fees. You will be given a PIN number to unfreeze your credit, so be mindful of the PIN number issued with your credit freeze by each bureau (for a total of three separate PINs) ; you will need to access the PIN later if you want to open a line of credit. Consumer advocates at Identity Theft Resource Center (ITRC), a San Diego–based consumer advocacy nonprofit, are circulating a petition on Change.org (#FreeFromAll3) to make credit freezes free for all Americans with one free thaw and one free refreeze per year.
Monitoring Your Credit and Accounts
Free credit reports are available once a year from all three credit reporting agencies by making an online request at annualcreditreport.com, checkfreescore.com and freescoreonline,com (the latter two websites offer a free seven-day trial, followed by a monthly fee of nearly $40 — of course, they bank on you forgetting to cancel). You can also request a free credit report at all three credit bureaus separately. You can space out your requests to get one report every four months.
Credit Karma is a website and mobile app that pulls your credit scores from Equifax and TransUnion (but not Experian) anytime, as often as you want, for free; it also offers free credit monitoring, alerting consumers when there is any change in their credit report or when a new account is added to their credit report. (Credit Karma does not sell subscriber information, instead relying on digital advertising income.) Neuman uses Credit Karma.
“Once you set up an account, you get an alert when there is any activity on your credit file,” which helps detect signs of identity theft more quickly, he said, adding that you won’t have to search your credit file because of the alerts.
Review credit card and bank statements weekly for red flags. Many credit card companies and banks automatically provide some identity fraud protection and alert customers when a suspicious charge occurs out of step with a customer’s spending habits. You can learn about these services by asking your financial institution or credit card companies. Setting alerts at your bank to notify you anytime a transaction is made over a set amount, such as $50, will immediately alert you to any charge of consequence.
Identity Protection Services
For people who want to streamline their monitoring of all three credit bureaus into one subscription service, and do not mind forking over a monthly fee for expanded services like identity restoration services, instant fraud alerts and more, there are options such as IDShield and LifeLock, to name a couple. (Do read consumer reviews before subscribing.) But even these services have limitations.
“Consumer protection services can be helpful, but they can’t stop identity theft,” warns Neal O’Farrell, executive director of The Identity Theft Council, a consumer advocacy nonprofit based in Walnut Creek, California. “They… just let you know that it might be happening and help you resolve it.”
Identity protection services will monitor all three credit bureaus, send fraud alerts when your identity is being used, scan the Internet for potential threats to your information, restore a secure identity if stolen and resolve disputes and losses resulting from identity theft. Prices generally vary from $10 to $30 a month, depending on the level of protection. The Equifax breach has been a driver of panicked consumers signing up for identity protection services, and for the record, Equifax is one of LifeLock’s credit monitoring providers. Since the Equifax breach, LifeLock’s web traffic increased sixfold, with enrollments jumping 10 times the pre-hack rates, according to Bloomberg News. Equifax has not stated what it will do to prevent another breach.
Strengthen Your Passwords
“Good password habits are essential and especially not using the same passwords forever or for multiple accounts,” noted O’Farrell, also author of a new, free ebook, Double Trouble — Protecting Your Identity in an Age of Cybercrime, a broad examination of consumer security, privacy and identity issues (GetDoubleTrouble.com). “Protecting your personal email password is critical. If hackers get that password, they can delve through years of your personal and professional life, stuff you can’t change.” And once personal information is lost, there is no getting it back. That’s why passwords and PINs require hypervigilance to outwit hackers’ attempts at cracking them.
“The information that has gone out with the Equifax breach has gone out and it is out there,” said Peter Reiher, a UCLA adjunct professor of computer science. “It is more likely that any info that you think is private is somewhere that it shouldn’t be. And somebody can get it if they want it. It is worse when you think about passwords and credit cards and anyone with a cellphone, or Alexa, where anything you say and do is being sent up to Google and, hopefully, they are not doing something bad with it.”
Chilling. This is why making your passwords more difficult to cyber-crack, and changing them regularly is a good strategy. Avoid a short password, or an easily hackable word or name (no family members), according to Money magazine (time.com/money/collection-post/2791981/how-do-i-create-a-secure-password/?xd=emailshare). For guidance on creating a hack-proof password and a more secure login, go to “How do I create a really strong password that I can actually remember?”
Lock Your Devices
Make sure all your devices (phones, tablets, laptops and desktop computers) have password protection or fingerprint protection. Sign up for remote locking or wiping your phone clean, so that if it is stolen you can still remove any personal information lost to thieves.
Avoid Clicking Links
Do not click on potentially virus-contaminated links in emails, a common and easy way for hackers to access your computer and steal personal information. Instead of clicking on a link, Google the webpage in the email and click on that entry instead.
Hypervigilance: The New Normal
The Equifax breach is only one of many breaches. According to a Javelin Strategy and Research study, more than 15 million people were victims of identity theft in 2016, the highest number of victims in one year ever recorded, and 2 million more than the previous year. More than 800 data breaches were reported in the first six months of 2017, according to Identity Theft Resource Center. And almost 1.4 million data records were compromised worldwide in 2016, according to the cybersecurity firm Gemalto. This suggests that identity thieves are highly adaptable to the latest iteration of cybersecurity tactics. And that means consumers, whose data is presumably out in cyberspace, have to live defensively, take every measure to secure personal data against hackers and stay hypervigilant.