Equifax Data Breach: What Consumers Need to Know
The company says vital information on 143 million people was potentially put at risk
The credit-reporting agency Equifax disclosed one of the most significant data breaches in recent history, saying information including the Social Security numbers of 143 million consumers was potentially compromised.
While the massive breach that Yahoo revealed last year involved more accounts, topping 1 billion, that intrusion exposed people's phone numbers and passwords. Equifax said its breach includes “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”
The company added that credit card numbers for approximately 209,000 U.S. consumers were accessed, along with some dispute documents that contain personal identifying information for about 182,000 U.S. consumers.
Equifax is offering a number of free services to people, including credit monitoring. (You can find more information at a site Equifax set up, and see our expert advice below on protecting your data.)
Equifax originally said that by signing up, you would opt into arbitration and waive your right to take part in a class-action lawsuit for the credit-monitoring service. But this waiver didn't apply to the breach at large. The company later dropped the restrictions for the free credit-monitoring service, saying customers who sign up because of the data breach aren't subject to the clause and won't be prevented from joining class-action suits.
The breach happened mid-May through July and was discovered July 29, Equifax said. It also said it has seen no evidence of unauthorized activity on its core consumer or commercial reporting databases.
“It’s one of the worst hacks imaginable," says Dan Guido, CEO of the cybersecurity firm Trail of Bits. “People should be extraordinarily angry at companies like Equifax. We place a huge amount of trust in them about money matters, but they’re so easily compromised by simplistic attacks like this one.”
Equifax had a much smaller attack in March against one of its subsidiaries, which had not been widely reported before. The company said it notified the few thousand people affected at the time, which included employees of Northrop Grumman, Allegis Group, and the University of Louisville.
Guido wonders whether the major breach over the summer might mark the beginning of a "post-authentication era," in which this widely accepted personal information becomes essentially useless in establishing an individual’s identity.
“There’s no sense in treating this like confidential information anymore,” he says. “When you call up your cell-phone company they typically ask for this information, like your Social Security number or your driver's license number. And it’s simply no longer possible to accurately identify people using these typical trust markers.”
Unlike a credit card company or retailer, consumers generally don't choose to do business with credit-reporting firms. Instead, those companies gather information on consumers as part of their business.
"The credit bureaus collect highly sensitive consumer data, including Social Security numbers and detailed credit histories, and they have a legal and ethical obligation to protect it," says Jessica Rich, vice president of consumer policy and mobilization at Consumer Reports.
"While it’s fine that Equifax is offering consumers free credit card monitoring, that's just a Band-Aid," she adds. "Companies need to take data security much more seriously so these breaches don't happen in the first place. That's why we need stronger data-security laws with tougher penalties.”
Richard Smith, chairman and CEO of Equifax, said in a statement: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."
What You Should Do
There are some steps you can take to protect yourself and mitigate the potential damage done by this breach.
1. Find out whether your information is potentially at risk.
Equifax has set up a website that allows consumers to determine whether their information was potentially compromised. Click on the tab labeled "Potential Impact" in the center of the home page. You’ll then need to enter your name and the last six digits of your Social Security number.
But even if the scan suggests that you weren’t compromised, don’t be lulled into a false sense of security.
“When breaches like these happen, consumers need to be diligent—and not just in the short term," Matt Schulz, senior industry analyst for CreditCards.com, said in a statement. “Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised."
2. Sign up for credit monitoring.
Equifax announced that it would provide free credit monitoring to all U.S. consumers regardless of whether their information was potentially compromised. Since the service is free and it’s relatively easy to sign up, it’s a worthwhile safety precaution, even if it's a bit of a nuisance.
Equifax is offering five separate services under the program, all free and found on the company's website through a link marked "TrustedIDPremier."
The first is simply getting a copy of your Equifax credit report. The second consists of credit monitoring and automated alerts of key changes to your credit report at any of the three major credit reporting agencies: Equifax, Experian, and Trans Union.
Another scans suspicious websites for your Social Security number. The fourth benefit is up to $1 million worth of identity-theft insurance to pay for out-of-pocket expenses if you’re a victim of identity theft. The fifth is the ability to actually put a freeze on your credit report.
3. Freeze your credit.
Equifax allows consumers to take the next step and actually freeze their credit lines, and you should take advantage of this. It goes a step further than credit card monitoring in that it prevents anyone from taking out a loan or a credit card in your name.
Of course, that includes you. Which means that when you’re actually applying for credit—say, a mortgage, a home equity line, or even a store credit card—you’ll have to unfreeze your credit line before you do so.
“Consumers should deal with this inconvenience and freeze their credit,” Guido says. “It’s significantly safer than credit card monitoring.”
Equifax’s credit-freeze form asks for straightforward information including your name, address, and Social Security number, and you can use the same form to lift the freeze.
4. Check your accounts.
Even if you follow all these steps, some experts suggest that the scope of this breach means that you’ll still have to monitor your own accounts for fraudulent activity indefinitely.
“Digital data is like a genie in a bottle,” says Casey Oppenheim, co-founder of the privacy-software firm Disconnect. “Once it gets out of the bottle it’s extremely difficult, if not impossible, to get it back.”
The bright side of this incident, such as it is, may be that it encourages consumers to take a more active role as watchdogs of their own financial lives.
"Remember that no one cares as much about your money as you do, and you are ultimately your last line of defense against fraud,” Schultz says. “This is reason number 10,000 to check your online bank statements and credit card statements on a regular basis, ideally weekly."
One way of making that task a little easier is by setting up online alerts on your credit card and bank accounts triggered by parameters like your balance or the size of a transaction.
Editor's Note: This article was updated to reflect changes regarding whether signing up for Equifax's credit-monitoring service included an arbitration clause and a class-action waiver. It has also been updated to include the March attack, which had not been widely reported before.