Let's be right up front: The Equifax data breach disclosed last week is the worst in American history, and the website that Equifax has set up to assist possibly affected people is an ungodly mess.
Here's how to navigate that site, which is at https://www.equifaxsecurity2017.com. But we must warn you that the site is delivering inconsistent results to people who try to find out whether their information was part of the stolen data.
By all means, go ahead and check to see if you were impacted. Whatever the answer you receive, we urge everyone to sign up for TrustedID Premier, the free identity-monitoring service that Equifax is offering to anyone who asks. (Equifax has clarified that you give up no legal rights by enrolling with the service.)
You should then take additional, more difficult, steps to protect yourself, such as requesting a fraud alert on your credit files, and possibly instituting a full-on freeze on those files that won't let anyone access them without your permission. We've got instructions for those as well.
If you need a catch-up: On Thursday, Sept. 7, the credit-reporting agency Equifax revealed that its servers had been breached by unnamed attackers earlier this year. Highly sensitive personal information on 143 million U.S. residents, and an untold number of Canadian and British residents, was stolen.
[UPDATE Sept. 18: Equifax U.K. now says 400,000 British residents were affected, with full names, email addresses, dates of birth and telephone numbers compromised. That information would be useful to spammers, and have some value to identity thieves, but is overall less sensitive than what was compromised for U.S. residents.
Bloomberg News reported that Equifax had suffered, but not disclosed, a separate attack on its systems in March, around the time of the disclosure of the Apache Struts vulnerability that Equifax has said was the cause of the publicized breach. It was not clear whether the Struts vulnerability was part of the earlier attack, but the attack may not have been disclosed because there was no evidence that personal data was compromised, the Bloomberg story speculates.
There have been possible instances of data stolen from Equifax being abused. Security researcher Chad Kreimendahl said in a blog post that an email address he used only to register with Equifax had begun to receive spam email. The Wall Street Journal reported (story reprinted at The Australian) that the number of fraudulent account-change attempts at a credit-card payment processor jumped in late May and early June, and that credit-card thieves in August claimed in underground web markets to have card numbers stolen from Equifax. All of these anecdotes could be entirely coincidental, however.]
[UPDATE Sept. 19: The earlier Equifax breach may have been an attack on Equifax's payroll services, which was actually disclosed in May. That doesn't rule out the possibility that the same miscreants were responsible for both that and the later, much more serious, attack.]
The stolen data on all the Americans affected included full names, street addresses, dates of birth and, worst of all, Social Security numbers. That's all someone needs to steal your identity. A smaller number of driver's-license numbers and credit-card numbers was also stolen.
Anyone affected by this breach will need to closely monitor his or her financial accounts for the next several years, if not decades.
Unfortunately, the Equifax impact-checker site is not very good at telling you whether you are impacted or not — we've gotten different results with the same set of personal data, and positive results with obviously fake data.
Nevertheless, let's start by using the Equifax breach-check page.
How to Check If You Might Be Impacted by the Equifax Breach
1) Skip the message from Equifax's CEO and go straight to the notification check at https://www.equifaxsecurity2017.com/potential-impact/
2) Click the "Check Potential Impact" button. You'll be bounced to a page on the TrustedID website, even though the branding will still say Equifax. (Equifax owns the TrustedID identity-protection service.)
3) On the TrustedID page, enter your last name and the last six digits of your Social Security number, without hyphens.
4) Check the "I'm not a robot" box and click Continue.
At this point, you will see one of two very similar-looking pages titled with "Thank You." One will say that "your personal information was not impacted by this incident."
The other states that "your personal information may have been impacted by this incident."
No matter which response you get, Equifax is giving you the opportunity to enroll in TrustedID Premier in order to get a year of identity protection at no charge.
For the past few days, we've gotten different responses from this page when we entered the same legitimate information more than once. Obviously false personal information — "smith" and "123456" — gave us the "you may have been impacted" response. As such, we can't really tell if the Equifax impact-check site even works properly, or gives you accurate information.
5) Click the Enroll button on the "Thank You" page.
You'll land on yet another "Thank You" page, but this one has a date displayed. (The "09/12/2017" displayed below is just an example.) Write that date down and/or make a calendar-app reminder on that date — it's the first day when you can sign up for the TrustedID protection service.
(On Sept. 7, this page was where you landed immediately after submitting your last name and partial SSN. Then as now, it didn't tell you whether you were actually impacted — unless you weren't, in which case it said "Not Impacted" in big letters.)
6) On or after your assigned enrollment date, return to https://www.equifaxsecurity2017.com/ and sign up for TrustedID. At least, that's the way it's supposed to work. You have until Nov. 21, 2017, to enroll.
Now that's only the first part. Identity-protection services such as TrustedID Premier are really just identity-MONITORING services. They generally can't stop identity theft from happening. They often can only tell you that something unusual is going on (which is better than never finding out) and spur you to take action quickly.
How to Set Up a Fraud Alert
To really prevent your Equifax stolen data from being abused, you should also:
7) Have a fraud alert placed on your files by calling or contacting one of the Big Three credit agencies — Equifax, Experian or TransUnion — plus a fourth, Innovis, that's not as well known.
A fraud alert is meant to inform you if anyone requests your credit information from that bureau. It's free and lasts for 90 days. The Big Three agency you contact will notify the other two. You may have to contact Innovis separately.
8) Get a free credit report from each agency if they don't give it to you when you institute the fraud alert. You can also get one through https://www.annualcreditreport.com. Look over all transactions from the past six months for anything wrong.
If something is amiss, notify the credit-reporting agency reporting it in writing, as well as any institutions with which erroneous accounts are held, to dispute the records. If fraudulent charges were created in your name, or a phony account opened, you'll need to file a police report. (The police probably can't do anything, but filing a report makes the incident legally "real.") Keep a copy of every letter you send. You'll want to create a paper trail.
How to Set Up a Credit Freeze
The next step is the most drastic, but in the case of the Equifax breach, it might be warranted. You'll be placing a credit freeze, also known as a security freeze, on your credit reports.
No one with whom you don't already do business will be able to access your credit file. From each credit bureau, you'll get a PIN with which you can temporarily unlock your credit report in case you're applying for a new loan, credit card or utility account.
Be forewarned: This may cost some money, and may be disruptive. A commenter on independent security reporter Brian Krebs' website recounted how his car insurance premiums shot up and routine banking transactions became difficult.
9) Have a credit freeze placed on your files by contacting each of the Big Three agencies, individually, plus Innovis. In most states, instituting a credit freeze will cost a few bucks per credit bureau and will last several years. In some states, it's free. Here's a list of fees state-by-state. Equifax says it will waive its credit-freeze fee until Oct. 10.
You can call each of bureau at the U.S. telephone numbers given in Step 7, or request a freeze online with Equifax, Experian, Innovis or TransUnion.It might be better to call, because you will receive your unlocking PIN via snail mail.There have been reports that people who tried to institute security freezes online following the Equifax news never got their PINs.
For the Future
The consequences of the Equifax breach may be felt for decades. You may have to adjust some behaviors accordingly.
10) File your personal income-tax returns as early as possible. With your name, address and Social Security number, an identity thief can file a return in your name — and get your tax refund from the government. Beat the thieves to the punch by filing early.