Equifax Breach: Follow These Steps to Protect Yourself
You can check to see if you were hit by the Equifax data breach, but the process can be messy. Here's how to do it, and what to do afterward.
Let's be right up front: The Equifax data breach disclosed in September 2017 is still the worst in American history, and the website that Equifax has set up to assist people who were possibly affected hasn't always been easy to use.
Here's how to navigate that site, which is at https://www.equifaxsecurity2017.com. But we must warn you that the site may deliver inconsistent results to people who try to find out whether their information was part of the stolen data.
By all means, go ahead and check to see if you were impacted. When this page was first written, we urged everyone to sign up for TrustedID Premier, the free identity-monitoring service that Equifax offered to anyone who asked. (You gave up no legal rights by enrolling with the service.)
But the last enrollment date for the free TrustedID protection was Jan. 31, 2018. So that ship has sailed, except for the 2.4 million people whose names and driver's license numbers were disclosed on March 1, 2018, as having been compromised in the breach. (More on that below.) Those people will be notified by mail, along with advice and instructions.
You should then take additional steps to protect yourself, such as requesting a fraud alert on your credit files, and possibly instituting a full-on freeze on those files that won't let anyone access them without your permission. We've got instructions for those as well.
If you need a catch-up: On Thursday, Sept. 7, 2017, the credit-reporting agency Equifax revealed that its servers had been breached by unnamed attackers earlier this year. Highly sensitive personal information on 143 million U.S. residents, and an untold number of Canadian and British residents, was stolen.
[UPDATE March 14, 2018: The Securities and Exchange Commission has charged former Equifax executive Jun Ying with insider trading related to his sale of Equifax stock in late August 2017, before the data breach was publicly disclosed.
The full complaint alleges that soon after Ying learned that Equifax had been hacked, he exercised his stock options and sold nearly a million dollars' worth of Equifax stock, saving himself about $117,000 in potential losses. If convicted of all the charges, Ying will have to pay back the $117,000, pay an additional unspecified fine, and be barred from serving as an officer or director of a publicly listed company.
Ying is not among the three executives who sold Equifax stock in early August 2017 and became the focus of a Justice Department investigation. Those executives, along with a fourth, were cleared of wrongdoing by an independent panel in November 2017.]
[UPDATE March 1: Equifax disclosed that 2.4 million U.S. residents had their names and some driver's license information compromised in the breach. These individuals had not been previously known to be affected by the breach.
Equifax "will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them," the company said.
The company didn't disclose what kind of driver's-license information was affected, but said that in most cases, it didn't involve addresses, the state in which a license was issued, the date of issue or the expiration date. That does leave the license holder's date of birth, driver's license number and physical characteristics — height and eye and hair color — as possibly compromised information.]
[UPDATE JAN. 31: As of Feb. 1, Equifax's TrustedID identity-theft protection will no longer be offered to U.S. residents affected by the 2017 data breach. Instead, Equifax is offering a free service called Lock & Alert to all U.S. consumers. It lets consumers freeze and unfreeze their Equifax credit files with a mobile app. Credit files with other credit-reporting agencies are not affected.]
[UPDATE Oct. 10, 2017: Equifax U.K. disclosed that 15.2 million records pertaining to British residents were compromised in the Equifax U.S. breach. Most of those customers had only their full names and dates of birth exposed. However, nearly 700,000 had more sensitive information compromised, including telephone numbers, drivers-license numbers, passwords and partial credit-card numbers. Equifax U.K. will be contacting individuals in the group of 700,000 by post.]
[UPDATE Oct. 2: Equifax stated in a press filing that approximately 145.5 million U.S. residents were affected by the breach, an increase of 2.5 million over the previously stated estimate. On the plus side, the number of estimated affected Canadian residents was lowered from 100,000 to 8,000.]
[UPDATE Sept. 29: Equifax has tossed out its CEO, installed a new one and announced that by the end of January, it will have a new service in place that gives individuals free credit freezes for life.]
[UPDATE Sept. 20: Equifax Canada says 100,000 Canadians were affected, with those individuals' names, addresses, Social Insurance numbers and, in some cases, credit-card numbers affected. Equifax will be notifying affected persons by mail.]
[UPDATE Sept. 19: The earlier Equifax breach may have been an attack on Equifax's payroll services, which was actually disclosed in May. That doesn't rule out the possibility that the same miscreants were responsible for both that and the later, much more serious, attack.]
[UPDATE Sept. 18: Equifax U.K. now says 400,000 British residents were affected, with full names, email addresses, dates of birth and telephone numbers compromised. That information would be useful to spammers, and have some value to identity thieves, but is overall less sensitive than what was compromised for U.S. residents.
Bloomberg News reported that Equifax had suffered, but not disclosed, a separate attack on its systems in March, around the time of the disclosure of the Apache Struts vulnerability that Equifax has said was the cause of the publicized breach. It was not clear whether the Struts vulnerability was part of the earlier attack, but the attack may not have been disclosed because there was no evidence that personal data was compromised, the Bloomberg story speculates.
There have been possible instances of data stolen from Equifax being abused. Security researcher Chad Kreimendahl said in a blog post that an email address he used only to register with Equifax had begun to receive spam email.
The Wall Street Journal reported (story reprinted at The Australian) that the number of fraudulent account-change attempts at a credit-card payment processor jumped in late May and early June, and that credit-card thieves in August claimed in underground web markets to have card numbers stolen from Equifax. All of these anecdotes could be entirely coincidental, however.]
The stolen data on all the Americans affected included full names, street addresses, dates of birth and, worst of all, Social Security numbers. That's all someone needs to steal your identity. A smaller number of driver's-license numbers and credit-card numbers was also stolen.
Anyone affected by this breach will need to closely monitor his or her financial accounts for the next several years, if not decades.
Unfortunately, the Equifax impact-checker site was initially not very good at telling you whether you were impacted or not — we got different results with the same set of personal data, and positive results with obviously fake data.
Nevertheless, let's start by using the Equifax breach-check page.
How to Check If You Might Be Impacted by the Equifax Breach
1) Skip the message from Equifax's CEO and go straight to the notification check at https://www.equifaxsecurity2017.com/potential-impact/
2) Click the "Check Potential Impact" button. You'll be bounced to a page on the TrustedID website, even though the branding will still say Equifax. (Equifax owns the TrustedID identity-protection service.)
3) On the TrustedID page, enter your last name and the last six digits of your Social Security number, without hyphens.
4) Check the "I'm not a robot" box and click Continue.
At this point, you will see one of two very similar-looking pages titled with "Thank You." One will say that "your personal information was not impacted by this incident."
The other states that "your personal information may have been impacted by this incident."
No matter which response you got, Equifax initially gave you the opportunity to enroll in TrustedID Premier in order to get a year of identity protection at no charge. That offer ended on Jan. 31, 2018.
Back in September 2017, we got inconsistent responses from this page when we entered the same legitimate information more than once. Sometimes it would tell us we were affected, sometimes it wouldn't. In March 2018, obviously false personal information — "smith" and "123456" — still gave us the "you may have been impacted" response. As such, we can't really tell if the Equifax impact-check site works properly or gives you accurate information.
We recommend that whichever response you get from the impact-checker page, you take up Equifax on its Lock & Alert offer.
How to Set Up a Fraud Alert
To really prevent your stolen Equifax data from being abused, you should also:
5) Have a fraud alert placed on your files by calling or contacting one of the Big Three credit agencies — Equifax, Experian or TransUnion — plus a fourth, Innovis, that's not as well known.
A fraud alert is meant to inform you if anyone requests your credit information from that bureau. It's free and lasts for 90 days. The Big Three agency you contact will notify the other two. You may have to contact Innovis separately.
U.S. residents can request a fraud alert online or call each bureau directly: Equifax (1-888-766-0008), Experian (1-888-397-3742), Innovis (1-800-540-2505) and TransUnion (1-800-680-7289).
6) Get a free credit report from each agency if they don't give it to you when you institute the fraud alert. You can also get one through https://www.annualcreditreport.com. Look over all transactions from the past six months for anything wrong.
If something is amiss, notify the credit-reporting agency reporting it in writing, as well as any institutions with which erroneous accounts are held, to dispute the records. If fraudulent charges were created in your name, or a phony account opened, you'll need to file a police report. (The police probably can't do anything, but filing a report makes the incident legally "real.") Keep a copy of every letter you send. You'll want to create a paper trail.
How to Set Up a Credit Freeze
The next step is the most drastic, but in the case of the Equifax breach, it might be warranted. You'll be placing a credit freeze, also known as a security freeze, on your credit reports. Equifax's Lock & Alert page lets you do this easily and for free, but it applies only to your Equifax files.
No one with whom you don't already do business will be able to access your credit file. From each credit bureau, you'll get a PIN with which you can temporarily unlock your credit report in case you're applying for a new loan, credit card or utility account. For Lock & Alert, you can do this with a mobile app.
Be forewarned: This may cost some money, and may be disruptive. A commenter on independent security reporter Brian Krebs' website recounted how his car insurance premiums shot up and routine banking transactions became difficult.
7) Have a credit freeze placed on your files by contacting each of the Big Three agencies, individually, plus Innovis. In most states, instituting a credit freeze will cost a few bucks per credit bureau and will last several years. In some states, it's free. Here's a list of fees state-by-state. Equifax has waived its credit-freeze fees indefinitely.
You can call each bureau at the U.S. telephone numbers given in Step 7, or request a freeze online with Equifax, Experian, Innovis or TransUnion. It might be better to call, because you will receive your unlocking PIN via snail mail. There have been reports that people who tried to institute security freezes online following the Equifax news never got their PINs.
8) While you're at it, request a credit freeze for any minor children you may have. Equifax and Experian will do this for free; with TransUnion, the fees vary by state. You'll need to include copies of your driver's license, your child's birth certificate and your child's Social Security card, for starters.
For the Future
The consequences of the Equifax breach may be felt for decades. You may have to adjust some behaviors accordingly.
9) File your personal income-tax returns as early as possible. With your name, address and Social Security number, an identity thief can file a return in your name — and get your tax refund from the government. Beat the thieves to the punch by filing early.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.