Oh, man, this Equifax data breach: It’s the worst. And that was true before the company asked for six Social Security number digits when people tried to find out if they were affected. Or put language (now gone) that took away your right to sue upon signing up for its conciliatory credit monitoring service. Or provided ridiculously weak PINs to folks signing up for a credit freeze.
What’s so bad about the Equifax data breach?
See, Equifax is one of the three major credit bureaus (the second largest, in fact, behind Experian and ahead of TransUnion) — which means it knows pretty much everything. About everyone. That might sound like exaggeration, but credit bureaus are in the business of collecting data on the U.S. populace. It’s literally what they do. Third parties provide them with info, which then gets compiled into a report those businesses can pull to vet new customers. (It’s the circle of life.) We mostly associate the process with lenders, but lots of companies get and give data from and to the credit bureaus. Car insurance companies, for one, use credit scores when setting premiums.
That’s why so many people are potentially affected: 143 million of the 323 million people in the U.S. (or roughly 44% of the population). And why the list of information hackers obtained includes pretty much everything you never want a hacker to obtain: names, Social Security numbers, birth dates, some addresses, credit card numbers and dispute documents with personal identifying information.
Criminals can do plenty with all that: Take out loans, run up credit card bills, file fraudulent tax returns, create synthetic IDs. It all sounds terribly dire, we know, but breathe. There are things you can do to survive this data breach from hell. Here’s a handy guide on what to do next.
1. Read all of the fine print you encounter.
This might go without saying after that whole “you’re giving up your right to sue” thing, but still: If you decide to sign up for any monitoring service post-breach — whether it’s the free stuff from Equifax or another product — be sure to read the terms of service. Lots of places have arbitration clauses that take away your right to a class-action lawsuit. Plus, most paid credit monitoring services auto-renew each year. You want to know exactly what you’re signing up for. Ditto goes for any identity theft insurance you’re thinking about. Identity theft insurance, in case you're wondering, provides credit monitoring and resolutions services, should someone steal and use your good name. It also covers the costs of recouping your identity (think notary, certified mail and possibly lawyer's fees) and even, sometimes, certain financial losses related to fraud.
2. Check your credit reports.
You’re actually entitled to a free credit report from each major consumer credit reporting agency every 12 months. (It’s the law. There’s a website you can go to request them and everything.) If you haven’t checked yours this year, now’s the time. Request a copy of all three (Experian, Equifax and TransUnion). If you did so recently, you should be able to get a second report from Experian and TransUnion for a nominal fee. Plus, there are plenty of websites online that offer free credit scores that can help you spot fraud. Signs of nefarious activity include new loans or new applications you didn’t take out yourself and even mysterious addresses on your credit report.
3. Familiarize yourself with dealing with identity theft.
If you spot fraud, you’ll need to do a number of things, like file a police report, dispute charges or accounts with creditors and/or the credit bureaus and notify the Federal Trade Commission. For more on how to deal with identity theft, you can actually check out this guide from the FTC.
4. Monitor your bank statements.
You’re looking for fraudulent charges. If you spot them, call your issuer immediately. Most financial institutions tout zero-liability policies that let you off the hook when it comes to unauthorized charges. There are federal laws in place that limit when a financial institution can hold you responsible, too. But for debit cards specifically, those limits change the further you get away from the purchase’s post-date. So it’s a good idea to log into all your credit card and debit card accounts every day or at least once or twice a week to make sure everything’s on the up-and-up.
4. Sign up for every alert imaginable.
Constantly checking accounts sounds like a lot of work, we know, but banks and credit card issuers offer a ton of alerts these days that can cut down on your log-in time. Most financial institutions will text or email you when something truly outrageous appears on your bank statements. Like if you buy lunch at your local coffee shop and two seconds later someone buys a diamond necklace overseas. But you can also set up alerts that’ll notify you whenever a charge posts to your bill. And, if that sounds like overkill, you can set an amount (like $150 to $300) you’d like to be looped in on.
5. Change your passwords.
Sure, no passwords were involved in the Equifax data breach, but hackers are great at putting together information. A little breach here, another breach there, some malware and — oh, look — they’re good to go into your financial accounts. Minimize the odds of them getting that access by updating all your passwords. Make sure they’re long and strong and, more importantly, different across accounts. Otherwise, a thief will be able to get into all of them once they crack into one of them.
6. Consider a credit freeze.
Not to fear-monger or anything, but a thief can do a whole lot with a stolen Social Security number. You can, at least, make it much more difficult for them to take out new lines of credit, get insurance, or lease an apartment in your name by putting a credit freeze on your credit report. A credit freeze essentially blocks access to your credit report.
Of course, it makes it a bit more difficult for you to do those things, too. When you apply for any of the above, you’ll need to temporarily “thaw” your credit report so the third-party you’re trying to do business with can see it … which takes time. It also will probably cost you some money. Freezing and even temporarily unfreezing credit reports can run you about $5 to $10 a pop, though there are state laws that limit what you can be charged and even let identity theft victims do so for free. [Update: Equifax is now waiving fees associated with freezing its version of your credit report until November 21.] Still, that friction and expense could prove worthwhile, given all the havoc someone can wreak with your SSN.
If you don’t want a credit freeze, at least put a fraud alert on each of your credit reports. That way, the credit bureaus will notify you of any funny business. You can request freezes or alerts by contacting each credit bureau directly.
7. File your taxes early this year
Not-so-fun fact: Thieves use stolen Social Security numbers to steal tax returns and, while the IRS is instituting new safeguards to mitigate the problem, there’s still no great way to guarantee you won’t fall victim. Your best course of action is to beat any fraudster to it by filing your taxes as soon as possible this year. And every year moving forward. Not always ideal, we know, but at least you won’t be scrambling come April anymore.