This post was updated September 20, 2017 and September 26, 2017. See below for most recent news.
With all due respect to those injured by Hurricane Harvey and Hurricane Irma, it’s the question of the week: What should you do about Equifax and your credit in the wake of the largest credit breech in history?
With as many as 143 million people potentially impacted, it’s no small question. And while television pundits and credit experts from all quarters have been quick to weigh in, the government has stepped into the middle of it as well: The Federal Trade Commission (FTC.gov) and the Consumer Financial Protection Bureau (CFPB) have launched investigations and published information on their websites that consumers can use to evaluate their next steps.
And don’t think the lawyers have been left out: No fewer than 23 class action and other lawsuits have been filed against Equifax, although the outcome of those won’t be known for years.
I’ve heard from a number of readers this week, all of whom are asking very good questions, including this one from Brian: “What is your advice on dealing with the recent Equifax hacking? Should we freeze our credit or NOT freeze? What are the long term issues we should be concerned about? We would like you to address how we should proceed. Should be important advice for many people. Thanks!”
I know it’s a scary time. But there are actions you can take that will help. Here’s what I think you should do – and what I did (and recommended to everyone in my family).
Step 1: Determine if you’re a victim (or a potential victim). I went to Equifax.com and clicked on the top of the website that talks about their “cybersecurity incident.” Then, I clicked the link to take me to the EquifaxSecurity2017.com website. Equifax is updating this site nearly every day and the last entry (dated September 14), talks about how there is a high volume for implementing credit freezes (more on this in a moment) and they’re having technology issues. However, the website also states that it is going to refund everyone who had to pay for a security freeze (which at $10/person is far cheaper than dealing with another fine from the CFPB or paying lawyers to deal with lawsuits). It’s also the right thing to do.
Step 2: Sign up for the free Equifax credit monitoring program. If, after you put in your social security number, it comes back with a “likely” notification (meaning it’s likely or possible that your personal information has been hacked), you should sign up for the free credit report monitoring and ID theft production Equifax is offering. Why? Because it’s free, it’s as good a product as any on the market, and because you might as well take advantage of this free offering while you can get it rather than paying for something else from someone else. Whether or not your information was exposed, you can get a year of free credit monitoring and other services. This site, which is the official site Equifax has produced, will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until November 21, 2017 to enroll.
Let me be clear: I signed up for it and I did it even though I’m already a paying customer of a credit monitoring product.
Step 3: Freeze your credit. A credit freeze makes it much harder for someone to open up new credit in your name. The problem is, every time you place or lift a credit freeze, it costs you between $5 and $10. Today, Equifax announced it would refund any credit freeze fees it had collected since the incident was reported. That’s a good start, but Senator Elizabeth Warren (D-MA) and more than a dozen other Democrats have introduced legislation requiring Equifax and the other credit reporting bureaus to freeze everyone’s credit for free. Hopefully, this legislation will pass quickly and provide all consumers with complete control over who has access to their credit information.
I placed a credit freeze on my account at Equifax, and I will file a fraud alert for my credit history with all of the credit reporting bureaus. You should do this, too. It may make it harder to apply for new credit, but it will make you a bit safer (and maybe a lot safer).
Visit IdentityTheft.gov for more information about what to do following a data breach. We also have plenty of resources for you at ThinkGlink.com. I will update this page as more information becomes available.
Update 9/20/2017: I was on WTTW, Chicago’s PBS station, to talk about the Equifax Breach. Here’s the video, which I think could provide additional information:
Update 9/26/2017: Equifax’s CEO, Richard Smith, has retired.
Equifax announced this morning that CEO Richard Smith has retired, effective today. In a press release posted on the company’s website, the company announced its board of directors appointed board member Mark Feidler to serve as Equifax’s nonexecutive chairman. Paulino do Rego Barros, who served as the president of the company’s Asia Pacific division, will become the interim chief executive.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in the statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.” Smith will stay on as an unpaid consultant to assist with the transition, Equifax’s statement noted.
Mark Feidler stated, “The Board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
This announcement doesn’t change the fact that if you have been a victim of the Equifax breach, and the company has determined that it is likely some of your information has been accessed, you should take steps to protect your credit by freezing or locking it. In addition, you should consider filing a fraud alert, which will be shared with the other two major reporting bureaus. A regular fraud alert will only last for 90 days, but if you can prove you have been the victim of identity theft, you may renew it for up to 2 years.
Ilyce Glink is the Publisher of ThinkGlink.com and Founder/CEO of Best Money Moves.