Just the Equifax, ma’am

Two weeks ago, it was reported that Equifax, one of the largest credit reporting agencies in the United States, was recently the victim of a massive cyber attack — an attack that may have compromised the personal information of 143 million people.

The breach itself occurred between mid-May and July 2017 when cyber criminals gained access to sensitive data by exploiting a weak point in website software. As a result, sensitive information like Social Security numbers, birthdays, addresses, and driver’s license numbers were compromised. In addition, 209,000 credit card numbers were stolen, including information from international customers in Canada and the United Kingdom. The attack is so severe, in fact, it’s likely that anyone with a credit report was affected.

Since then, there have been a flurry news stories reporting on the breach. The flow of information has moved so quickly that a lot of confusion has arisen, as well. So, as Detective Joe Friday used to say on Dragnet, let’s get down to “just the facts.” That way, we can figure out what we need to do to protect ourselves.

How do I find out if I was affected?

Equifax has set up a response site, www.equifaxsecurity2017.com. This should be your first stop. Using this site, you can determine if you were affected, and, if you were, how to enroll in the free credit monitoring offer they’ve made from TrustedID (TrustedID is a credit monitoring service that Equifax has partnered with to provide this service to clients free of charge). To enroll, you will need to give them your personal information (Social Security number, name, address, and more).

I’ve had clients ask if this site is trustworthy, and if they should give TrustedID all of this information. First, this site is trustworthy; many reputable government and news outlets have directed their readers to it, including the Federal Trade Commission, USA Today, the Washington Post, and Krebs on Security (a prominent data security blog). Second, yes, you will need to give TrustedID your information in order for them to identify and monitor your particular credit report.

Wait — I heard that if I sign up for free credit monitoring, I’m giving up my legal rights?

That’s not true. Equifax notified the public via their online FAQ: “To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

So I signed up for credit monitoring. I’m good, right?

Wrong. As Brian Krebs points out, credit monitoring is inherently a reactive process, not a proactive process. This service will alert you to any changes to your credit reports, but will not prevent access to them (with the exception of Equifax; TrustedID will lock your Equifax report to prevent access by third parties). It’s recommended that you place a credit freeze on all three of your credit bureau reports. Why? Because the data that may have been accessed by the hackers can be sold to cyber criminals, and those criminals can use that information to apply for credit in your name. The lender (a bank, credit card company, etc.) may not use your Equifax report to make their lending decision. They may use TransUnion, Experian, or another bureau. If you freeze just the Equifax report, you’ve done nothing to prevent fraud on your other reports.



All right, I froze all of my credit reports. NOW am I okay?

Nope. (Sensing a pattern yet?) Freezing your credit reports will help prevent credit identity theft, but using the information that may have been compromised, criminals can do more than just apply for credit. Think tax identity theft and medical identity theft. With your personal information in hand, criminals might try to file fraudulent tax returns in your name or attempt to claim health insurance benefits in your name. To combat these, make a plan to file your tax return as early as possible and keep a close eye on any medical invoices and explanation of benefits statements. In addition, make a plan to continue monitoring your credit after the free credit-monitoring period has ended.

Got it. I’m feeling secure now. Anything else I can do?

There’s always more to do! One additional step to prevent identity theft is to opt out of pre-screened credit offers. Many times a week, you probably receive offers from credit card companies, banks offering to refinance your auto loan or your home mortgage, and more. These are not only annoying and bad for the environment (so much paper …), they also expose you to identity theft. Identity thieves have been known to intercept these offers and apply for the offers in your name. Stop the offers, stop the theft.

We live in an age when your personal information has become valuable to more than just you. Preventing harmful impacts to your credit will save you a lot of time, headache, and money. And while the victims of a theft were always happy to see that Joe Friday was on the case, you can bet they’d rather not have needed him there in the first place.

David Kruse, CISR, is a client executive with Hausmann-Johnson Insurance.

Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.