By ROBERT MARTIN and RENEE CONDE
The dust is still settling on the Equifax data breach in which hackers accessed personal records of the majority of American adults. This breach was so huge that you should presume your information has been compromised.
Equifax (a big three credit reporting agency or “CRA”) has only come forward now to reveal that between May and July, records of 143 million persons were hacked. What makes it more serious than prior breaches (Equifax itself has had four breaches in the last two years) is that the stolen records include not just credit card numbers, but also Social Security numbers and birth dates.
These are the first building blocks for identity thieves. With this information, thieves can potentially open fraudulent new credit accounts – in our names.
How should people protect themselves? This is a slightly complicated topic, and the answer depends somewhat on personal preferences. To guide consumers, there is useful information from reputable sources, such as the U.S. Public Interest Research Group (www.uspirg.org), Consumer Financial Protection Bureau (consumerfinance.gov), and Federal Trade Commission (ftc.gov).
Briefly speaking, here are some steps that you can take.
- Everyone should monitor their bank and credit card accounts to spot unauthorized activity. Everyone should obtain a free credit report each year from each of the three major credit reporting agencies by going to annualcreditreport.com. (We suggest getting one report every four months.)
- You should also place a fraud alert with each of the three major CRAs. Do this by visiting their websites: equifax.com, experian.com, and transunion.com. A fraud alert will require any company receiving an application for credit to make special efforts to verify your identity. A fraud alert is good for 90 days and you can renew it.
- You can consider signing up for Equifax’s credit monitoring service. After the breach was made public, they offered a free year. But Equifax included a hidden and outrageous arbitration clause that would prevent consumers from ever joining in a class-action lawsuit (of which several have already been filed) over the data breach. Although Equifax claims to have withdrawn the clause, it is still unclear what rights you may give up by enrolling in credit monitoring at this time.
- You may want to take an additional step: placing a security freeze. A freeze provides the most security, although it requires you to “un-freeze” your credit if you apply for a credit card or loan. There are also some fees. (If you live in New York, a credit freeze is free; the un-freeze fee is $5.)
As the Equifax situation develops, there is no shortage of questions.
What caused the breach in the first place?
Did Equifax have reasonable and adequate procedures in place to prevent hacking? (Answer: Obviously not!)
Why did Equifax wait so long after it discovered the data theft to go public?
Why did two top Equifax executives unload their personal stock at a profit before the breach came out?
What assurances are there that these breaches won’t continue? Do Equifax and the other CRAs fall through the regulatory gap, and is more regulation needed?
Why has Equifax offered consumers only one free year of credit monitoring rather than making it permanently free? Hacked Social Security numbers don’t have a shelf life. And why isn’t Equifax waiving all fees for security freezes?
The biggest question of all is: What’s going on here anyway? We all have a right to demand answers – and real solutions – to the continuing problems with credit reporting agencies.
Associate Director Robert Martin and Legal Assistant Renee Conde work for the Municipal Employees Legal Services plan.