Updated Sept. 8 with additional comment from Equifax. Also see our guide to see if you're impacted.
There's some terrible news if you do business with consumer credit monitoring agency Equifax (or even if you don't). Your sensitive personal info — including Social Security and possibly driver's license numbers — may be in the hands of data thieves. This is arguably the worst data breach ever.
What to Do Now
- Go to Equifax's website to see if your data was compromised. We have step-by-step instructions that are easy to follow.
- Read our advice on what to do after a data breach. Ignore the parts about passwords and credit cards, as those don't apply in this case, but follow our instructions about how to place a fraud alert on your credit files.
- Look into signing up with an identity protection service.
- UPDATE Sept. 11: We now think it might be best to just institute a credit freeze. Our step-by-step page linked to above shows you how.
Equifax on Thursday (Sept. 7) reported a security breach that could impact 143 million consumers. That's not quite as big as last year's Yahoo breach that compromised up to 1 billion customer accounts, but it's much worse. The data accessed — names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to the company — is critical to your privacy and security. Those first four pieces of data are everything that an identity thief would need to pretend that he's you.
Equifax says credit-card numbers for roughly 209,000 people were also accessed by the hackers, as were dispute documents with "personal identifying information" for about 182,000 people. That may sound worse than getting SSNs, but it's not — credit-card fraud is easily resolved, and customers are almost never on the hook for fraudulent charges. But with your name, address, date of birth and SSN, an identity thief could just have new credit cards issued in your name and sent to the thief's mailing address.
Equifax discovered the breach on July 29. Hackers apparently used a website vulnerability to access files, with the breach occurring from mid-May through July, according to Equifax's investigation.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chairman and CEO Richard F. Smith said in a statement posted to a website created by Equifax that details the breach and steps you can take to protect yourself. "I apologize to consumers and our business customers for the concern and frustration this causes."
When asked why Equifax waited until Sept. 7 to inform the public when it discovered the intrusion on July 29, the company's director of social media and PR, Francesca De Girolami, shared the following statement:
As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.
Interestingly, Bloomberg News reported that three Equifax executives sold company shares worth $1.8 million after the breach was discovered by the company, but before today's disclosure.
You can check to see if you're impacted by Equifax's breach with a tool on the company's website. Enter your last name and the last six digits of your Social Security information, and Equifax will tell you if your data was compromised. If so, you'll get a "thank you" with a date notifying you when you can enroll in the TrustedID protection Equifax is offering (see below). If not, you'll see a note that you are "not impacted."
You don't need to have directly done business with Equifax for your sensitive personal information to be in their databases. If you've ever applied for a loan, mortgage or credit card in the United States, the company probably has your information, and it was probably lost to these data thieves. At least one Tom's Guide staffer was affected.
If you're one of the people whose credit-card numbers or dispute documents fell into the wrong hands, Equifax is notifying you by direct mail.
Equifax is also offering credit monitoring provided by a service called TrustedID to customers hit by the breach. The TrustedID Premier plan being offered features three-bureau credit monitoring of credit reports by Equifax, Experian and TransUnion as well as the ability to lock and unlock Equifax's credit reports. (Equifax happens to own TrustedID, so there may be an inherent conflict of interest.) You also get identity-theft insurance and internet scanning for your Social Security number. The service is free for a year.
Equifax has also set up a dedicated call center, which is open every day from 7 a.m. to 1 a.m. ET. You can reach the call center at 866-447-7559 with questions about the breach.
To place a fraud alert on your files, contact one of the three major credit-reporting agencies — Equifax, TransUnion, or Experian. To speak to Equifax, call 1-888-766-0008 or visit this web page. To contact Experian, call 1-888-397-3742 or go here. For TransUnion, the phone number is 1-800-680-7289 and the link is here. The agency you place a fraud alert with will contact the other two. You can renew the fraud alert every 90 days (it's free to do so).
Once the fraud alert is in effect, you'll be notified every time someone tries to access your credit report.