The massive Equifax breach just got a bit bigger. The national credit reporting bureau said that 2.5 million more Americans were affected by the hack than originally disclosed, bringing the total number of victims to 145.5 million—or more than half of the U.S. adult population.
Equifax plans to mail out notices to the additional affected consumers. Its online tool at www.equifaxsecurity2017.com will be updated by Oct. 8.
The bureau said on Sept. 7 that hackers accessed names, Social Security numbers, driver’s license numbers, birth dates and addresses. The scope and sensitivity of the data stolen is alarming enough that every American should take immediate steps to safeguard their personal finances. That’s because the hacked data provides all that’s required to open fraudulent loans and credit cards in your name, says credit expert John Ulzheimer. Other big data breaches--like last year’s Yahoo breach--didn’t include Social Security numbers.
“It’s a big deal,” Ulzheimer says. “And odds are good that your info has been exposed.”
Additionally, the hackers swiped credit card numbers of 209,000 Americans and documents from disputes, including personal data, for 182,000 consumers. Equifax is sending direct notices by mail to consumers whose credit card numbers or dispute documents were hacked, but not to the other millions of affected consumers. That puts the onus on you to take action. Here’s what you should do.
Step 1: Check to see if you have been affected. Go to Equifax’s online tool at www.equifaxsecurity2017.com to determine if your data was involved in the breach. The site will ask for your last name and the last six digits of your Social Security number to confirm. It will offer two responses:
• "Based on the information provided, we believe your personal information was not impacted by this incident." • "Based on the information provided, we believe your personal information may have been impacted by this incident."
It's unclear whether Equifax's investigation has concluded what information was accessed and who was affected, according to a recent update on the breach website. Until Equifax says that it has definitively identified all affected consumers, ValuePenguin recommends that consumers check their status regularly on the site if they initially received a "not impacted" response. Or, they can take the same following steps as those who have been affected as an extra precaution.
Step 2: Place a fraud alert on your credit reports. You need to contact only one credit bureau--either Equifax, Experian or TransUnion--to do this because, by law, the bureau that receives the request must notify the remaining two bureaus.
Here are the three websites to go to:
The alert requires lenders to contact you to determine if any new credit application they receive is valid or fraudulent. These alerts stay on your report for 90 days. To get an extended alert that lasts seven years, you will need a police report or affidavit showing you are in fact a victim of ID theft, with such consequences as having fraudulent credit opened in your name.
Step 3: Pull your credit report from all three major credit reporting bureaus at www.annualcreditreport.com. Carefully go over every account listed in the report and make sure you opened it. Be especially wary of recently opened accounts, since the hack occurred from mid-May through July of this year. If you see a suspicious account, call the credit bureaus right away to report and dispute the account. Contact the lender of the account, as well, to lodge a dispute. Last, call local law enforcement to file an identity theft report and, then request an extended fraud alert from the credit bureaus.
Step 4: In addition to a fraud alert, strongly consider a credit freeze on your credit reports, the most drastic and effective way to protect your credit. This step means that lenders won’t be allowed to pull your credit report for an application for new credit. This ostensibly keeps fraudsters from opening new accounts in your name. However, since this keeps you from getting a new mortgage, credit card or other credit, the step makes the most sense if you have no plans for any such transactions in the near future. You must contact each bureau separately to put the freeze in place. You will be given a personal identification number (PIN) that allows you to unfreeze your report when you need to apply for new credit. Equifax recently improved its system for generating PINs after receiving complaints about the system's potential vulnerability.
In some states, there is a small fee for a credit freeze, which is waived for those who had unauthorized accounts opened in their name and filed a police report. Other groups of people--such as seniors over 65 years, minors and other protected consumers--may have credit fees reduced or waived altogether, depending on the state. Equifax is waiving the fees for credit freezes for all consumers through the end of January and refunding fees paid since the breach was disclosed, according to the company's Twitter account.
Here are the three websites to go to:
TransUnion also offers its free TrueIdentity service that allows consumers to lock and unlock their TransUnion credit reports. When the report is locked, it's off limits to anyone requesting it.
Step 5: Because of the information stolen, it’s best to take extra steps to protect all of your accounts. Using information from the Equifax hack and other breaches, fraudsters may be able to gain access to your other financial accounts, such as checking and savings accounts, brokerage accounts and retirement accounts. It's prudent to check those accounts and contact the financial institutions if you see any odd activity.
Step 6: Continue to monitor everything closely. Hackers are known to sit on information they have stolen and use it down the road, after the immediate hysteria following a breach may have subsided. It’s wise to carefully watch all of your financial accounts—credit cards, loans, bank accounts, brokerage account and retirement accounts—for any unusual activity like unauthorized purchases or withdrawals. Given the severity of the breach, check these statements weekly. Pull your credit reports every six months to check for any fraudulent accounts. The information that was stolen has value in perpetuity, says Ulzheimer, so the risk will last.
Step 7: Consider ID theft services. Equifax is offering its TrustedID Premier service to all U.S. consumers for free for a year. You must enroll before the end of January. This monitors your credit reports at all three bureaus and alerts you whenever changes on the reports occur. There was confusion over whether the arbitration clause in TrustedID Premier's terms of service would prevent consumers from joining a class-action lawsuit related to the breach. But Equifax recently removed the clause from the credit-monitoring service's Terms of Services on the breach website at www.equifaxsecurity2017.com and. If you plan to enroll, do it through that site. Additionally, Equifax says it's not asking for credit-card information to sign up for the service.
There are other credit-monitoring services available from the other two bureaus, FICO and other companies, typically for a monthly or annual fee. It's important to note that all of these credit-monitoring services are reactive and report only when a possible fake account has been opened. If you have a credit freeze, there’s no need for these services.