Step aside Target, Yahoo, and Playstation Network. Equifax, one of the three largest credit reporting agencies in the US, just inducted itself into the Poor IT Security Hall of Shame by announcing what’s turning into the most MASSIVE security breach of all time.
Last week, Equifax announced a security breach that affected 143 million Americans.
By number, the breach is one of the largest of all time, but that only paints half the story. What’s really concerning is the sensitivity of information Equifax stores.
If you’re like me, you might be tempted to blow this off. After all, security breaches have become so common they’re almost not even newsworthy.
I didn’t even bat an eye when Yahoo lost nearly a billion logins. If some hacker wants to waste his time reading my emails from a Yahoo account I haven’t accessed since I was a teenager, well then I hope he enjoys some cheesy AOL Instant Messenger chat logs between me and my middle school crush, because that’s about all he’s going to find.
But Equifax is another story.
How Bad Is the Equifax Security Breach?
In a word – bad. The information that Equifax stores is essentially an identity theft starter kit.
Hackers gained access to full legal names, birthdates, addresses, social security numbers, driver’s license numbers, and even some credit cards. For 143 million people.
Yeah, not good…
And if that didn’t look bad enough, Equifax is putting on a crash course in “how to make your company look completely clueless about customer security.”
As it turns out, the hackers spent months inside Equifax’s system. It took Equifax a full 10 weeks to even realize anything was wrong, and then another 6 weeks before letting anyone know about it.
And what was the first action Equifax management took during those 6 weeks following the breach?
They sold their stock.
Rather than, you know, letting the public know they lost extremely sensitive personal information for nearly half of the US population, Equifax management spent the days following the discovery of the breach selling over $2 million of the company’s stock.
But hey, a day after Equifax finally did let the public know, they tweeted us all a Happy Friday.
I guess maybe I’d be a little more sympathetic if this wasn’t the third time in less than a year and a half that Equifax got hacked. Who appointed these clowns as the keepers of our personal information anyway?
Oh wait, nobody did.
I don’t know about you, but I don’t recall ever consenting to Equifax’s services. Do you remember being asked if you wanted Equifax to track all of your personal information? Were you ever given a choice to opt out of their services?
Instead, the credit giant is automatically granted access to every piece of personal information we have, then “guards” the information with haphazard security so pathetic it makes Ashley Madison blush.
Remember, this is the company so bad that 1 in 5 Americans found a material error in their credit report.
Is Your Information at Risk?
Things couldn’t get any worse right? Here’s the kicker…
There’s still no reliable way to tell if you were impacted by the breach.
Along with Equifax’s halfhearted press release “apologizing for the concern and frustration this causes,” the company set up a website to help customers find out if they were compromised.
There’s just one problem with their site. It doesn’t work.
Many customers using the site complained they never received the response explaining if they were affected or not. Even crazier, some customers entering completely fake names and information were told by Equifax’s website they “may have been affected.”
Plus, Equifax snuck in some legal language waiving your right to any future class action lawsuits if you check your status on their page.
Oh, and step 1 for their site? Enter 6 digits of your social security number.
You just can’t make this stuff up…
Equifax swears they’ve since fixed the bugs, and that the sneaky legal language doesn’t actually apply to the breach.
Pardon me for not immediately trusting these guys, but in any case, I’m still hesitant about using Equifax’s website to check whether you’ve been compromised.
If you still feel like chancing it, the website is equifaxsecurity2017.com, or you can call 866-447-7559.
Since their website is so vague, we might as well assume we’ve all been affected. There’s a 50/50 chance that’s the case anyway.
The Best Way to Protect Yourself Against Security Breaches
With my Equifax rant over, the next question is obvious. What should we do in response to our info being compromised?
Whether it’s the Equifax hack, any of the past hacks, or any of the inevitable future ones, we all have tools to discourage criminals from acting on our leaked information.
Here are the three best steps to take, ranked in order of effectiveness:
1. Monitor Your Credit
Interestingly, there’s no immediate harm just from your personal info being out there. The harm comes when that info is used to commit identify theft, meaning hackers using your info in ways you obviously don’t intend. Usually this involves opening accounts in your name.
Your best line of defense against this is solid monitoring. After all, it’s hard for hackers to get very far if you spot their moves as soon as they happen.
You can do this in a few ways:
Use a tracking service to monitor your bank accounts:
At a basic level, using a free service like Personal Capital will make it easy to see all your accounts in one place. If some jerk uses your credit card to pay for whatever it is ID thieves like to buy, you’ll see it come across your Personal Capital Dashboard in real time.
Sign up for a free credit monitoring service:
Since hackers often use your information to open new accounts in your name, don’t forget to monitor your credit.
Although not perfect, services such as CreditSesame or CreditKarma will alert you to changes to your account. This includes credit pulls requested on your behalf and any accounts opened under your name.
Check Your Credit Score:
More and more credit cards are offering free (often unofficial) glimpses into your credit scores. These days, Chase, Bank of America, Discover, American Express, and Capital One all have cards offering free credit scores. These scores are usually more reliable than what’s provided by sites like CreditSesame or CreditKarma.
If you want to get even more official, you can purchase a score directly from MyFico.com, but that may be unnecessary. The key lies in monitoring the changes to your score, not its numerical accuracy, so pick a source or two and stick with it.
Check Your Free Credit Reports:
Not to be confused with a credit score – a credit report shows your entire credit history, minus the number. The report shows the accounts in your name, when they were opened, and whether anyone has taken a look at your credit. The information comes directly from the credit reporting agencies, so it’s as accurate as it gets.
By law, you’re entitled to one free credit report each year from three major credit agencies, which means if you play your cards right you can receive a constant stream of 100% official credit updates every 4 months, directly from the credit reporting agencies.
You can get your report from AnnualCreditReport.com. Which totally sounds like a scam, but it’s the official website recommended by the United States Consumer Financial Protection Bureau.
2. Set up Fraud Alerts
If suspect you’re a victim of ID theft, you may want to set up a fraud alert with the credit reporting agencies. A fraud alert requires lenders to call and verbally verify it’s you who made the application, before extending any credit in your name.
(Why this isn’t standard practice, we’ll never know.)
Setting up a fraud alert is actually pretty simple, and free. Just call one of the credit reporting agencies and ask to apply a fraud alert to your credit file. You’ll want to double check they plan on sharing this info with the other three agencies.
A fraud alert lasts 90 days, and can be renewed for free.
Check out the FTC’s easy instructions, complete with contact information for the three agencies. And yes, you can request one of the other two agencies share the information with Equifax, if you’d prefer not to deal directly with those clowns.
3. Ultimate Defense – The Credit Freeze
The nuclear option. If you pull out this big gun, the ID thieves will be mostly S.O.L.
A credit freeze completely forbids access to your credit report, which means any account needing a credit check prior to opening won’t be approved.
A credit freeze does not impact your credit score.
Freezing your account does cost around $10, per agency, and the freeze remains in place until you lift it. You will have to pay to freeze AND unfreeze your account, making the total cost to freeze and unfreeze your credit across all three agencies about $60.
And remember, a credit freeze prevents everyone from accessing your credit, even yourself. So if you plan on legitimately using your account after the freeze is in place (say, to open a new credit card, apply for an apartment rental, or get a home loan) you’ll have to pay to temporarily lift the freeze.
The FTC has a detailed FAQ page on credit freezes here.
You Don’t Have to Run Faster Than The Bear…
You just have to run faster than the slowest guy running from the bear.
This isn’t the first hack and it certainly won’t be the last. While we might never be able to stop our information from getting out, we can always take steps to reduce the chances that information is ever used.