Epic Equifax Breach Hits 143 Million: What to Do Now
Updated Sept. 8 with additional comment from Equifax. Also see our guide to see if you're impacted.
There's some terrible news if you do business with consumer credit monitoring agency Equifax (or even if you don't). Your sensitive personal info — including Social Security and possibly driver's license numbers — may be in the hands of data thieves. This is arguably the worst data breach ever.
What to Do Now
- Go to Equifax's website to see if your data was compromised. We have step-by-step instructions that are easy to follow.
- Read our advice on what to do after a data breach. Ignore the parts about passwords and credit cards, as those don't apply in this case, but follow our instructions about how to place a fraud alert on your credit files.
- Look into signing up with an identity protection service.
- UPDATE Sept. 11: We now think it might be best to just institute a credit freeze. Our step-by-step page linked to above shows you how.
What Happened
Equifax on Thursday (Sept. 7) reported a security breach that could impact 143 million consumers. That's not quite as big as last year's Yahoo breach that compromised up to 1 billion customer accounts, but it's much worse. The data accessed — names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to the company — is critical to your privacy and security. Those first four pieces of data are everything that an identity thief would need to pretend that he's you.
Equifax says credit-card numbers for roughly 209,000 people were also accessed by the hackers, as were dispute documents with "personal identifying information" for about 182,000 people. That may sound worse than getting SSNs, but it's not — credit-card fraud is easily resolved, and customers are almost never on the hook for fraudulent charges. But with your name, address, date of birth and SSN, an identity thief could just have new credit cards issued in your name and sent to the thief's mailing address.
Equifax discovered the breach on July 29. Hackers apparently used a website vulnerability to access files, with the breach occurring from mid-May through July, according to Equifax's investigation.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and CEO Richard F. Smith said in a statement posted to a website created by Equifax that details the breach and steps you can take to protect yourself. "I apologize to consumers and our business customers for the concern and frustration this causes."
When asked why Equifax waited until Sept. 7 to inform the public when it discovered the intrusion on July 29, the company's director of social media and PR, Francesca De Girolami, shared the following statement:
As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.
Interestingly, Bloomberg News reported that three Equifax executives sold company shares worth $1.8 million after the breach was discovered by the company, but before today's disclosure.
You can check to see if you're impacted by Equifax's breach with a tool on the company's website. Enter your last name and the last six digits of your Social Security number, and Equifax will tell you if your data was compromised. If so, you'll get a "thank you" with a date notifying you when you can enroll in the TrustedID protection Equifax is offering (see below). If not, you'll see a note that you are "not impacted."
You don't need to have directly done business with Equifax for your sensitive personal information to be in their databases. If you've ever applied for a loan, mortgage or credit card in the United States, the company probably has your information, and it was probably lost to these data thieves. At least one Tom's Guide staffer was affected.
If you're one of the people whose credit-card numbers or dispute documents fell into the wrong hands, Equifax is notifying you by direct mail.
Equifax is also offering credit monitoring provided by a service called TrustedID to customers hit by the breach. The TrustedID Premier plan being offered features three-bureau credit monitoring of credit reports by Equifax, Experian and TransUnion as well as the ability to lock and unlock Equifax's credit reports. (Equifax happens to own TrustedID, so there may be an inherent conflict of interest.) You also get identity-theft insurance and internet scanning for your Social Security number. The service is free for a year.
Equifax has also set up a dedicated call center, which is open every day from 7 a.m. to 1 a.m. ET. You can reach the call center at 866-447-7559 with questions about the breach.
To place a fraud alert on your files, contact one of the three major credit-reporting agencies — Equifax, TransUnion, or Experian. To speak to Equifax, call 1-888-766-0008 or visit this web page. To contact Experian, call 1-888-397-3742 or go here. For TransUnion, the phone number is 1-800-680-7289 and the link is here. The agency you place a fraud alert with will contact the other two. You can renew the fraud alert every 90 days (it's free to do so).
Once the fraud alert is in effect, you'll be notified every time someone tries to access your credit report.
Let's all start at an 800 rating from here.
I think Experian and TransUnion did the hacking.
Tyler Durden did it
NOT TO EMBARRASS THE "POOR" AMERICAN CITIZENS!!!
Could you stop shouting?
It is.
I saw it on the news last night, and again this morning.
There is also the other little news story...a major hurricane about to decimate Florida.
Also try running the https URLs using Mozilla Observatory - https://trustedidpremier.com Fails.
Furthermore, this breach is more than a credit risk exposure. The compromised data is the key to most of your financial accounts: bank accounts, broker accounts, Social Security, pensions, etc. If you need to reset your password for an account, what data do companies use to validate your identity? They use the same data that was exposed in this breach: birth date, Social Security number, and address. Even if email addresses and phone numbers were not exposed in this breach, that data can be derived from cross-referencing public databases with names and addresses that were included in the breach. Also, just using the data that was compromised, anyone could file a fraudulent tax return for a tax refund.
Most of the major breaches in the past have involved credit card numbers, email addresses, or passwords. OK, I can fix that by cancelling a credit card, changing my email address, or changing a password. Is Equifax going to issue me a new Social Security number and birth date? I think not, so the risk caused by this breach will follow me for the rest of my life.
In a nutshell, here is Equifax's response to this breach: We gave away the keys to your financial assets for your entire life so we are compensating you by providing a credit monitoring service free for one year. Wow, what a deal.
In case you haven't figured this out yet, I'm mad as hell about this breach. I've spent many hours of my life protecting my identity by shredding documents, limiting exposure to personal data (not publicly listing birth date, phone numbers, or email addresses), monitoring credit reports, and securing accounts with complex passwords. Now, thanks to Equifax, all of that effort was for naught. Millions of Americans have been digitally exposed, naked so to speak, thanks to Equifax. I hope this breach bankrupts them. That would be an appropriate punishment because they have exposed millions of Americans to the same risk.
Yes now, but not at the time of my post. Furthermore, they have been aware of the breach since June-July '17. After allowing some time for discovery, the public should have been notified 3-4 weeks ago.