It’s been exactly one year since the credit reporting agency Equifax discovered that its vast trove of consumers’ sensitive personal data had been breached, exposing more than 145 million Americans to potential identity theft.

The breach, one of the biggest in U.S. history, included the theft of millions of Social Security, driver’s license, and credit card numbers, along with tax-ID information and more. The sheer size and scope of it sparked calls for new consumer protections—not to mention a pending class-action lawsuit. But while consumers have gained some new rights in the last year—including free credit freezes, which go into effect Sept. 21—consumer advocates say much still needs to be done.

For example, a year later, consumers still largely lack control over how credit reporting agencies collect and use their data, and companies that employ weak cybersecurity measures, as Equifax is accused of having done, still suffer no significant consequences, says Maureen Mahoney, a policy analyst at Consumers Union, the advocacy division of Consumer Reports.

In fact, in the year since the breach, Equifax has had to pay no major fines or other penalties from government regulators, Mahoney says. 

And while a handful of states have taken action to mandate tougher data security or give consumers the right to opt out of data collection, for the most part Equifax and the other credit reporting agencies continue to conduct business as usual, consumer advocates say.

“Even though it’s been a year, there’s no reason to think that consumers are any safer now,” says Christine Bannan, consumer privacy counsel of the Electronic Privacy Information Center, a public interest research organization in Washington, D.C.

Equifax, which declined an interview, said in a statement that it plans to increase its investment in security and technology by $200 million this year. It has told investors that it is improving call centers and creating new processes to respond faster to potential breaches. 

“We also have advanced our efforts to provide consumers with more control of their Equifax data, including introducing our free Lock & Alert service in January 2018,” according to a statement from spokeswoman Ines Gutzmer.

(You can read Consumer Reports’ review of Lock & Alert here.)

Some Steps Forward

However, the fallout of the Equifax breach did lead to one major victory for consumers: a new federal law, passed in May and effective Sept. 21, that requires credit freezes to be free for consumers and that extends the duration of fraud alerts consumers can place on their credit file.

Credit freezes. These restrict access to your credit report, blocking most lenders from seeing your credit history and thereby thwarting scammers trying to open fraudulent accounts in your name. They are in force until you remove them.

“Previously, the cost varied by state,” says Kimberly Palmer of NerdWallet, a personal finance website that has studied consumer behavior in response to the Equifax breach. “It’s also free when you lift the credit freeze, where before you had to pay to unfreeze your credit, which was frustrating.”

Currently, credit freezes are free or cost up to $10, depending on state law, and consumers must contact each of the agencies to place a freeze.

One drawback of a credit freeze: It also shuts out most companies you may want to do business with. If you plan to open a new account with an insurer, say, you will have to temporarily lift the freeze and set a date for it to be reinstated.

“There are reasons why people may choose not to freeze their credit, but it shouldn’t be an economic one,” says Eva Velasquez, CEO of the Identity Theft Resource Center.

Consumers can go to Equifax, Experian, and TransUnion, as well as a smaller credit-reporting agency called Innovis, to set up freezes, although they may have to pay a fee before Sept. 21, depending on the law in their home state.

Credit alerts. Also starting Sept. 21, consumers gain the right to place a fraud alert on their file for a year. Currently, fraud alerts expire after 90 days. 

Fraud alerts require businesses to take reasonable steps to verify an individual’s identity before offering new loans, credit cards, or other financial products. 

It’s important that consumers understand that a fraud alert isn’t the same as a freeze, which offers stronger protection, says Catherine Fleming, a consumer protection attorney who represents consumers who claim they were hurt by the Equifax breach. For maximum protection, consumers can place both a freeze and a fraud alert on their accounts.

(Learn more about the difference between freezes and fraud alerts.)

Your Safety Checklist

Practicing “good identity hygiene” is the ticket for keeping your privacy and your money safe, Velasquez says. This could involve paying to subscribe to an ID theft protection service, Velasquez says, but for the most part, the kind of credit monitoring you pay them to do for you, you can do yourself free of charge. Here are the do-it-yourself steps she and other consumer advocates recommend:

  • Enroll in a free credit freeze Sept. 21. If you have children, enroll them as well. You’ll have to reach out to each credit bureau separately.
  • Place a fraud alert on your credit report. If you contact one credit bureau, they will alert the other two agencies. You can place a fraud alert as well as a freeze on your account.
  • Monitor your credit reports. Consumers receive one free credit report per year from each of the three credit-reporting agencies. Consumers Union’s Mahoney recommends staggering the requests throughout the year.
  • Check your financial accounts frequently. Don’t disregard small yet unfamiliar charges, because fraudsters often make a small charge to test whether the account is still open.
  • File your taxes early. Credit card fraud isn’t the only fallout of the Equifax breach. With your Social Security number, address, and birthdate—information in your Equifax file—scammers can file fraudulent returns. Filing early is one way to circumvent them.
  • Fraudsters are also opening utility accounts with fraudulently acquired credentials because telecom companies and some others do not use information from the big credit rating agencies, such as Equifax. Contact the National Consumer Telecom and Utilities Exchange to request your NCTUE Data Report, which summarizes accounts opened in your name with utilities and pay-TV services.
  • Guard against fake checking accounts. Contact ChexSystems, a credit-reporting agency for banks, for a free copy of information about bank accounts in your name.