I can tell from the email I’m getting (and, honestly, from friends calling me and even stopping me at church). You still have many questions about the Equifax hack last week. So do I. Equifax is still not providing enough answers, so I can’t be as helpful as I’d like. Meanwhile, the company’s initial bungled response created even more confusion, and it’s still not all sorted. Still, here’s a quick rehash of where we are and what you should be doing.
UPDATE: In a separate post, I have written a primer on security freezes. Click here to read that story.
What happened, again?
One of the nation’s three large credit bureaus, Equifax, said hackers stole information on up to 143 million Americans – and it was the motherlode. SSNs, names, addresses, and in some cases, even driver’s licenses.
Equifax says go to a website to check if my information was stolen. Should I?
Probably. But there are lots of problems with the website — https://www.equifaxsecurity2017.com/ — and as of now, it doesn’t really do very much for you, so it’s not necessary. In fact, I’d wait. You can just assume your data was stolen — three-quarters of adults with credit reports are probably victims — and await further instructions.
I heard the website is a trick, and if I use it, I waive my right to sue Equifax. Is that true?
Probably not true, but there’s a lot of truth in it. On that site, Equifax is offering victims the chance to sign up for a free ID theft service it owns. The terms and conditions of that service include a now-infamous “Ripoff Clause” that forces users to surrender their rights to join a class action lawsuit against the company is a dispute arises. This is a typical mandatory arbitration clause that appears in many standard-form contracts, a bad habit by corporate America that consumer advocates are trying to eliminate. In response to an outcry, Equifax issued a statement saying the ripoff clause doesn’t apply to hack victims, and ultimately changed the terms to state that explicitly. Still, arbitration clauses have been interpreted very broadly by federal courts (even the Supreme Court) so I wouldn’t want to give a judge a chance to rule on that.
Still, I should go to the website to see I was hacked, right?
No, I don’t think so. It appears that website does nothing at all. Users initially reported vague answers like “you may have been hacked” and a message to revisit the site later. Then, clever programmers started feeding the site with dummy data like 123-456 and found erratic answers. I think it’s quite possible the site is just a placeholder to give consumers busywork, and it checks nothing.
I heard the site doesn’t work. Is that true?
See above. I don’t know, but it doesn’t look good. I’ve had at least one person tell me she entered the correct information on separate occasions and got different answers. So maybe it’s generating a random response. Until we get more answers from Equifax, I can’t recommend using it.
But then I’d give up the free service Equifax is offering. Shouldn’t I sign up?
It’s probably not a terrible idea to ultimately accept the Trusted ID Premier offering from Equifax, but there’s no rush. Meanwhile, the service isn’t going to do that much for you. It includes credit monitoring (of dubious worth) and a credit report (already free), monitoring for SSNs posted online (how much of the Dark Web is really scanned?), insurance (you might already have it) and a credit report “lock” (a freeze should be free in most states now that you are a victim).
Who did this?
We don’t know, and that’s critical, because knowing who stole the data will help you make intelligent choices about what to do next. Was it a gang connected to a vast ID fraud ring? Run and put credit freezes on your reports. Was it a nation-state? Government employees should be on high alert (though they are probably already victims). Was a it a kid on a joy ride? Well, we can all hope for the best then, and maybe a fraud alert is enough. We don’t know. Equifax needs to tell us.
Well then, what should I do?
First, don’t freak out. Your personal data has probably already been compromised before. Theft of an SSN from a credit bureau certainly sounds worse than other hacks — say, theft of your credit card from Target. But just keep doing the sensible things you are already doing. Check accounts often. Look for suspicious mail. Be alert when interacting with government agencies or loan officers for any signs you might be “sharing” an SSN with someone else. And, consider getting a credit freeze.
Should I get a credit freeze?
Perhaps. There are a lot of good things about freezes, especially if you are in a place in life where you won’t need to apply for credit during the next couple of years. They aren’t perfect, however. They can be a bit of a hassle. Depending on your state, they can cost money. They won’t stop all ID theft (they don’t prevent someone from getting a driver’s license in your name, for example).
My main beef with freezes is consumers often have to pay to freeze their files — 3 times, once at each bureau — and then pay to “thaw” their credit reports when necessary. That’s not fair. You didn’t ask for a credit report in the first place. You certainly didn’t ask to be hacked. Also, when thawing time comes — say you are shopping for a new car loan — un-freezing the reports can be a hassle. Consumers set their freezes and forget them, then years later, don’t remember how to perform the thaw. It’s easy to lose the associated PIN code, for example. And it can be hell to pay to perform the thaw under those circumstances. So, it’s not really consumer friendly. Still, if you were already the type to consider a freeze, now is probably a good time to push you over the edge. Just KEEP ALL INSTRUCTIONS IN A SAFE PLACE.
How do I place a credit freeze on my files?
The rules are different for different states. Sorry, it’s a terrible system. First, review the rules for your state here:
Then, go directly to each credit bureau’s freeze website. If you Google “security freeze” yourself, you’re going to be upsold on a lot of different services that sound like freezes, but aren’t. So be careful. Here are the sites:
Sadly, freezes aren’t free. The fee schedule is actually pretty complex, and varies by state. Trans Union has a very handy state-by-state fee grid (including different fees for different categories of consumers.)
Speaking of being upsold, is this whole thing just a marketing scheme by Equifax?
I highly doubt that. Just look at the firm’s stock price. However, it wouldn’t be unlike the firm to attempt to make chicken salad out of chicken…waste…at a time like this. Early reports indicated consumers who signed up for that “free” ID theft product were required to enter a credit card, and told after 12 months of service were complete, they’d they’ll be auto-enrolled and forced to pay. That sounds like some of the old Free Credit Report service tricks. Fortunately, Equifax “clarified” this on Monday and the firm now says credit cards are not required and victims won’t be auto-enrolled. Kind of amazing the firm had to issue such a clarification, no? (It now says this: “We are not requesting consumers’ credit card information when they sign up for the free credit file monitoring and identity theft protection we are offering to all U.S. consumers. Consumers who sign up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of TrustedID Premier.)
About that website, EquifaxSecurity2017.com. Is it real? It looks like a scammer’s domain.
Yup, it’s real. But it was poorly configured at the beginning, and that rightly led some of you consumers to be suspicious. Good for you, you’ve been trained well. I’m still not crazy about the requirement to enter 6 out of 9 SSN digital onto the site..that’s awfully close to your whole number. I hate that we are training consumers to take steps like that. It’ll be so much easier for the next phisher to ask for such data. So, do it just this once, but never again.
Do we know any more about how this happened? (Geek post)
Not really. One stock analyst blamed a flaw in open-source software called Apache Struts. The analyst didn’t offer evidence, but claimed to have a source inside the firm. Struts, like all software, suffers from occasional serious vulnerabilities. Technically, this one is interesting because it was “discovered” — by good guys, anyway — just a few days ago. So it’s possible hackers used a previously unknown software flaw to steal all this data. That would somewhat mitigate Equifax’s blame. On the other hand, it could have been another flaw announced earlier this year, which would look worse for Equifax. Only folks who have seen the server logs really know, however, and I’m not particularly keen on guessing from the outside like this. (Read more at ZDNet.) (Read even more from Apache.)
This is obviously a very fluid story, and I welcome clarifications and additions. Leave a comment, or email me.
Follow this story: AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.
Thanks for all you do to keep us informed!
I was involved with the Office of Management and Budget hack 20 months ago. I enrolled in MyIDCare through the government. Is MYIDCare a good system to use to monitor this situation?
I had frozen my credit with Equifax (and the other two bureaus) before this incident and received a pin in case I needed to unfreeze it. Is this pin part of the information stolen?
I am almost 70 yrs old and between all the fake pop-ups on the computer about having a Trojan worm & needed to pay some fabulous East Indians $4000 for a firewall, being called 8 times a day by these same people starting at 7:00 a.m., nothing surprises me. A group of Mexicans in Brea, Ca. stole my purse & my SS card, credit cards, and my driver’s license was stolen & it took almost a year to straighten out. I thought the senior years would be more enjoyable!
I am in the process in getting a mortgage on a condo or town house shortly and don’t think I should put a freeze on my accounts right now, what due think. I getting a VA mortgage and just paid everything off to get a good rate.
Thanks for the valuable information. One comment – equifax knew about this weeks ago (but maybe they aren’t included in ‘good guys’). What is especially disgusting is the stock sold by execs after the breach was discovered but before it was announced. These guys must think they are too big to fail.
The link above to freeze your Equifax report is incorrect. Please correct it.
Do you recommend getting a free credit report from all three agencies at one time, or one from each every three to four months? Thanks
I called the automated Equifax line. After taking all my info to do a freeze credit, the response was”We cannot process this request at this time” website not able to do it either. What should I do? Have freeze on other bureaus.
You’re right. The site where you can check if you’re affected does absolutely nothing. I also entered a fake name and a fake number and it returned the same answer to me that “you MAY have been affected….”. It’s a waste of time to check.
I FINALLY made it a few pages in at the Equifax site. However, my only choices were 3 ways to UNDO the credit freeze. NO WAY to put a freeze on.
I had the same (3) Choices as Jan ?? & NO way to Freeze it.
Where do we sign-up for FREE Credit Monitoring from Equifax ?