Equifax Scandal: New Developments & Tips to Protect You & Your Customers' Identities (Last Updated: Sept. 13 at 1:53AM ET)
Note: This post is being amended as developments occur. Scroll to the end to read the most recent updates.
In the world of cyber attacks, the Equifax data breach is not only a public relations nightmare, but also one of the biggest cyber incidents ever reported in the United States (U.S.).
Between May and July of this year, 143 million people in the U.S. may have had their names, Social Security numbers, birth dates, addresses and even driver's license numbers accessed. In addition, the hack compromised 209,000 people's credit card numbers and personal dispute details for another 182,000 people.
It wasn’t until last Thursday, September 8 - SIX (6) WEEKS AFTER THE BREACH WAS DETECTED - that Equifax reported that it had discovered signs of unauthorised access to data, and - whoopsee daisy - 143 million of you are at risk of identity theft and fraud.
So why did it take Equifax so long to publicly announce that anyone impacted by the breach is now at risk of identity theft and fraud — because any of this info can be sold to thieves, who can in turn use it to secure credit cards, open new loans of credits, buy goods and services, and - oh, yeah! - drain your bank account?
Well, a key reason is because of how credit reporting agencies operate. Equifax is different than other companies that have recently been hacked: Consumers aren’t Equifax’s target demographic. Whereas the Targets and Yahoos of the world have to scramble to retain customer loyalty after a cyber incident, Equifax doesn’t have that incentive. Unfortunately and annoyingly, consumer data is what Equifax sells to other people and other companies. It doesn’t really need to cater to our concerns because Equifax isn’t dependent on retaining our business.
And, if Equifax’s unconscionable notification delay isn’t bad enough, how "coincidentally convenient" criminal is it that that three Equifax Board Members and Senior Execs sold $1.8 million dollars of Equifax stock in the days following the breach? Yeah, if it quacks like a duck and walks like a duck, it’s probably…. insider trading.
Back to the Equifacts, let’s explore a few actions you can take, but also recommend to your customers, to protect yourselves.
In its statement about the breach, Equifax announced that it’s offering consumers the option to sign up for credit file monitoring and identity theft protection.
On Friday, we published a blog post that said “you may want to encourage your customers to sign up for Equinox’s free identity theft protection and credit file monitoring program.” Upon further review, and in light of details that have since emerged, we no longer advise you to use this service.
It may sound like a great offer, but the company that just exposed all of your most personal and sensitive information is now going to protect you from identity theft?
Further, Equifax won’t tell you if there’s a problem. Equifax said it would mail notices - yeah, like using the U.S. Postal Service - to all folks affected by the breach, but even if you don’t receive that notification, your info still could have have been revealed.
The bottom line is it’s up to you to monitor your credit.
So, let’s nix this hokey offer of “free credit monitoring” from Equifax, and talk about other actions you can take protect your information.
We advise you to inform your accountholders and members about the merits of adding a credit freeze. And this goes for anyone, not just those impacted directly by this breach.
A freeze is the only and best way to truly protect your identity and money because it prevents criminals from opening new lines of credit in your name. So even if your information was exposed in the Equifax breach, if you freeze your credit file, then you won’t be at risk if fraudsters try to use your information in the future.
So how does a credit freeze work, exactly? Well, a freeze seals your credit reports and issues a PIN to you - if you need to apply for credit and services in the future, you’ll have to use this PIN to temporarily “thaw” your credit. This PIN is the key to your protection.
But, you do need to know the drawbacks. Even though freezing your credit files will prevent hackers from using your personal info, it can be a real hassle. First, you have to add a security freeze to all three credit data reporting companies - Equifax, Experien, and TransUnion - so this is a time consuming process. It’s pretty frustrating that these three can coordinate to sale credit scores and turn a profit, but cannot cooperate when its in the interests of almost half of the American public.
Another reason freezing your credit is annoying is because if you add a freeze, your credit report will be locked to everyone - including yourself. You will not be able to open a new credit account. Third, credit freezes usually cost money. Fee levels vary by state and your unique consumer criteria. If you are interested in learning the specifics of your state's freeze laws, National Conference of State Legislation has compiled a list of Consumer Report State Freeze Laws.
In sum, a credit freeze is a very serious step to take, but it is the best way for you and your customers to protect your money and your identities.
Perhaps you’re interested in some less drastic measures?
One thing you can and should do is sign up for a non-Equifax provided credit monitoring service. Credit Karma provides a free credit monitoring service. All you have to do is visit CreditKarma.com to sign up for an account and get access to free credit monitoring. If suspicious activity is detected, CreditKarma will send you an alert. CreditKarma also provides complimentary access to credit scores and credit reports.
Another credit monitoring service you can use is LifeLock, but do note that this is a paying service. Memberships start at 9.99 per month and can be purchased at lifelock.com.
One other tip to help you protect yourself is checking your credit report now. You can go to AnnualCreditReport.com to get a copy of your credit report. You should also mark your calendar for December 12 to get another copy to review for suspicious activity.
You also need to be on guard for phishing attempts and other scams. Hackers are going to milk consumer fear to the very last drop. Even If your info wasn’t compromised, you could still receive communication for a fraudster who wants to take advantage of the post-Equifax fall out. Be aware - watch out for phony emails or anyone offering to help you determine if you were affected by the Equifax hack.
Watch out for unexpected emails that have links or attachments. Tell you customers that you’ll notify them through their online accounts - so they should look for new notices in their accounts, and avoid clicking on links or opening attachments. If all else fails, tell them to pick up the phone and contact you directly to verify the validity of the message.
Also, check your bank accounts every week, and get your annual social security benefits statement online - make sure no one else is benefiting from your identity.
Finally, inform your accountholders and customers about DoNotPay, an artificially intelligent chatbot that provides free legal advice that has been configured to help victims sue hacked credit report giant Equifax without a lawyer.
Depending on the state, consumers can sue Equifax for up to $25,000.
Even though we’re not going to take Equifax up on its credit monitoring offer, it is important to note that since the breach was announced, Equifax has amended its company policy. Initially, the policy said that if you used their free credit monitoring, you’d give up your right to sue. But, after the entire internet and a large swarth of politicians freaked out, Equifax removed their arbitration and limitation of liability clause and updated its policy to say that you can enroll in the free credit monitoring program without giving up your right to take legal action.
I’d also like to take a moment to say a big thank you to the members of the bipartisan Senate Finance Committee for their outrage and commitment to investigating this breach. In this unstable political climate, it is refreshing and appreciated to see our lawmakers taking swift action and working across party lines to protect their constituents. Thank you especially to top Republican Senator Orrin Hatch and ranking Democrat Ron Wyden for signing and sending a strongly-worded leader to Equifax and for pursuing an investigation.
Thank you for relying on iTod to keep you updated on the latest developments in the Equifax Scandal. Please feel free to contact me directly if you have additional questions or if I may otherwise be of assistance. My direct line is 305.767.2784 and you can also reach me via email at email@example.com.
Although iTod has attorneys on staff, this is not legal advice nor should it be relied on as such. Please consult with an attorney licensed to practice law in your state if you have specific questions about how your Institution should handle the Equifax data breach.
Correction - 5:21PM ET, September 12:
The vlog incorrectly states that CreditKarma is affiliated with TransUnion. CreditKarma does not appear to have any relation to TransUnion. We apologize for this misidentifcation. You can read more about CreditKarma here.
UPDATE - 1:18AM ET, September 13: Jann Alexander (@AustinDetails) tweeted about her attempt to freeze her Equifax credit file. According to Alexander, Equifax asked her "to snail mail my SSN, DoB and ID (!!) to freeze my file."
UPDATE - 1:45AM ET, September 13: TransUnion provides customers with the option to "Lock" their credit file for free using a service called TrueIdentity. Per TransUnion: "Locking your account puts you in control with no waiting and no PIN to remember and no fee for this service. Enroll in TrueIdentity free – no credit card required – and you’ll have access to your Transunion credit report, the ability to lock and unlock you credit whenever you want and, free monitoring alerts."
At this time, we do not know enough about TrueIdentity to give an informed opinion about whether you should use the program. In an article published six hours ago, The New York Times offers a word of skepticism:
[TransUnion] seems to want people to sign up for that product instead of freezing their files.
It’s not clear whether the mechanism TransUnion says it uses to “lock” files with that product provides the same protection as a freeze, or whether it is a lesser form of protection meant to shield TransUnion from some regulatory or legal perspective. A giant hat tip, however, to the person on Twitter who pointed out the company’s draconian terms and conditions.
The Times continues, explaining, "It is also unclear whether consumers’ use of the TrueIdentity product would make it easier for TransUnion to continue selling those consumers’ data (in the same way that Equifax and Experian do) than if they froze their files outright. I have repeatedly asked a TransUnion spokesman, David Blumberg, for clarification, but I have not received it yet."
UPDATE - 1:53AM ET, September 13: Equifax has announced that it will waive all fees for consumers who want to freeze their credit files until the 21st of November. If you've already paid the fee, Equifax will refund you (no word on how long that will take). As of now, TransUnion and Experian still have fees in place.