It’s time for all of us to play defense, because Equifax clearly did not.
In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.
The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.
On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.
By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.
So my default assumption quickly switched to this: Equifax has no earthly idea who is affected. I tried calling a phone representative for clarification, too, but she gave me incorrect information about the nature of the company’s offer to consumers and then told me to just use the website when I went about correcting her. On Friday evening, the company issued a statement claiming to have fixed the problems and tripled the number of people in its call center.
Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.
That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.
And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?
Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.
Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?
So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.
In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file.
Once you do (and it may take a little time to complete the process), the bureaus are not supposed to release your credit report to any company except the ones that already have you as a customer. Why is this important? When a thief shows up with your Social Security number and address to apply for credit in your name, the lender will go to fetch your credit report before anything else happens. If it can’t retrieve the report because of the freeze, then no new account for the thief.
You can thaw your freeze every time you want to apply for new credit by using a personal identification number that the companies give you, which you absolutely should not lose. This costs a few more dollars. (Would it kill Equifax to waive these fees for a while, given the circumstances? Or how about forever?) The process is annoying, but it takes only about 15 minutes to do this at all three of the big agencies. Those precious minutes, by the way, are also why the credit bureaus hate freezes. They gum up the works and make it harder for them to peddle your files to credit card companies and such, thus making ever more money off your data.
A credit freeze is different from a fraud alert, though you should also request one of those in the wake of the Equifax breach, for the longest possible time on offer, from Equifax, Experian and TransUnion as well. Once that free alert is in place, potential creditors should contact you for confirmation anytime you (or a thief) tries to open up a new account.
Some people also use credit monitoring services that ping you every time there’s a change in your credit report, but I’ve always found them to be anxiety-producing. Instead, I check one of my credit reports for free every four months at annualcreditreport.com. That plus the permanent security freezes are enough to keep me sleeping well at night.
Or at least it used to be. I have always worried that a giant breach would someday come to one of the big credit reporting agencies, and now here we are. The data is out there, and thieves may use it in ways that freezes cannot thwart. They may try to gain access to other people’s health insurance, file tax reports in their names on Jan. 2 to claim a big refund and do other things that we haven’t even thought of yet.
And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.
- Content by: Ron Lieber on Sept. 8, 2017
- Orginally posted at: https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html?action=click&contentCollection=Business%20Day&module=RelatedCoverage®ion=Marginalia&pgtype=article
- Image credit: Pixby.com
Ready to protect your data? What You Can Do:
- Immediately, install a FREE 30-day Trial of EZProtect Antivirus and connect it to your Salesforce org(s) to start scanning files, document uploads, or chatter for viruses or malicious content. Once this is complete, you will have a sense of how many files your organization scans per month and you will be well poised to convert to a paid plan.
- You may also download the full brochure with FAQs and schedule a demo to better understand how the tool works inside and outside of Salesforce by visiting www.adaptus.com/portfolio/ezprotect/.