Thinking Through the Equifax Security Breach

If you’re one of the 143 million Americans who just got screwed by the massive security breach at Equifax, you may be wondering what you can do to protect yourself going forward. I’ve compiled some ideas and hope readers will include additional suggestions in the comments section.

To recap for those who’ve been living under a rock, the personal data that was stolen included names, addresses, social security numbers, and birthdates. In addition, 209,000 had their credit card numbers stolen, 182,000 had dispute documents with personal data stolen, and an undetermined number of people had their driver’s license numbers stolen.

Of course, if you’ve been living under a rock you probably need not worry about any of this. For everyone else, if you had your identity stolen (and the chances are greater than 50% that it was), the actions you take to protect yourself will need to be implemented for the rest of your life since the information has long since been disseminated over the dark web. It’s out there. Forever.

Welcome to our brave new world. It’s hard not to be cynical, skeptical, or downright fuming over the fact that so many organizations collect data on us, even if we didn’t ask them to. And then they get hacked and our information is stolen. But I don’t want to go off on a tangent of commentary on this hideous debacle. I just want to offer some possible solutions. 

First, how do you know if you’ve been a victim of this gargantuan breach? Well, Equifax will tell you. Sort of, slightly, vaguely, and unreliably.

As for the smaller subset of folks who had their credit card number stolen, Equifax plans to send out notifications. If you receive a legitimate notification, cancel your card, request a new one, update your new card number if you have automatic payment set up, and remember that it’s always good practice to review your transactions on a regular basis.

As for the rest of the motherload of data that was stolen from Equifax, no notification will be sent. Instead, you can visit their web site and type in your name along with six digits of your social security number to find out the status of your info.

Yeah, that’s right. Equifax is asking for your name and most of your social security number in order to tell you whether your data may or may not have been breached.

There are several problems with this arrangement: (1) The language is vague. “May?” That’s hardly better than what we already know. (2) Since this breach is being investigated, it’s possible the number of people affected may further expand. (3) If comments on articles about this are any indication, the response you get from Equifax after typing in your information is unreliable. People are reporting that after multiple attempts to check, the messages they receive change. Sometimes the message says their data was likely part of the breach. The next time the message says their data was likely not breached.

So the entire system to check if your information was impacted is absurd. Given the scale of this breach, it seems prudent to assume your data has been compromised. So what, if anything, can or should you do?

There’s a general consensus on a few steps to take (here, here, here).

Check your credit reports at Equifax, Experian, and TransUnion.

·      Under federal law, you’re entitled to a free copy of your credit report on an annual basis.

 

·      Your credit report won’t tell you if money has been stolen from a bank account or if there’s any suspicious activity on your credit card.

Place a fraud alert or a credit freeze on your files.

·      A fraud alert lets creditors know you may have been a victim of identity theft and they should verify anyone seeking credit in your name, though the system isn’t fool proof as not all creditors comply. Most alerts only last 90 days, so you need to keep renewing it for longer coverage.

·      A credit freeze locks your credit report to anyone trying to access it. In order to make it available to potential lenders, you’ll need to unfreeze it. Then, should you desire, you’ll need to freeze it again. A credit freeze is a state-regulated action, so check your state for additional information (here).

·      To read more about credit alerts and credit freezes, see here, here, here, here, here, here, here, and here.

·      Of note: Don’t be lulled into a sense of security because accessing your credit report requires answers to personal questions that only you could know above and beyond all the info that’s been stolen. Scammers have ways to get around those questions.

Monitor all financial resources including bank accounts, social security income, retirement investments, credit cards, etc. Report suspicious activity.

·      Read all your statements carefully and in a timely manner. Be aware that in many cases, theft begins small and occurs across multiple accounts.

·      Contact your bank and other financial institutions to find out about their security measures. If interested, ask if they’re set up to notify you whenever a transaction occurs so you can verify/approve first.

·      Consider hiring a service that monitors credit and provides identity theft protection.

File your taxes early.

·      The idea is to beat the ID theft criminal to the punch. As soon as you have all the information you need to file your taxes, file them.

Meanwhile (and pardon me while I roll my eyes), Equifax is offering free credit monitoring services for a year to all U.S. customers, irrespective of whether their information was stolen (here and here). The deadline to enroll is 11/7/17.

What else? Well, some might be wondering if they should change their social security number. It appears that unless you can prove you’ve been a victim of identity theft, you can’t change your social security number. And in situations when people can prove it and change their number, the implications are far reaching, with many ripple effects (here and here).

One area of risk rarely addressed in articles on the Equifax breach that also has far-reaching consequences is that of medical identity theft. As Consumer Reports notes:

When thieves take your personal data to get prescription drugs, doctor care, or surgery, it can endanger your health and trash your finances.

While we’re all vulnerable to medical identity theft, some demographic groups are at greater risk than others, including people on Medicare (because the Medicare ID number is the social security number), people with frequent interaction with the health care system (because the more active your health-related accounts the more vulnerable they are), people who post personal information on social media (because scammers can connect social media information with other identifying information they already have), and children (because parents usually don’t see their child’s credit report until the child turns 18 and can secure credit in their own name).

Here are some ideas on how to monitor and protect your medical identity, culled from research with some of my own thoughts sprinkled in (here and here):

  • Routinely check the following for accuracy: medical records, communication from your health care providers, medical bills, communication from health insurance companies including Explanation of Benefits statements, as well as your prescription records.

 

  • Refuse to provide your social security number if a health care provider asks for it. (The main reason they want it is if past due bills need to be sent to collections.) Ask if there is some other identifying number they’ll accept. More importantly, ask why any of these numbers are being requested.

 

  • Before divulging any of your medical information, be sure the person you’re dealing with is legitimate.

 

  • Don’t post health-related news on social media.

 

  • Contact your health care providers and health insurance company to find out what measures they’re taking to protect you.

 

  • Insist health care providers be diligent about asking for a photo ID when patients check in.

 

  • Find out if the medical records department would put an alert on your file so you’re contacted when a records request is submitted.

 

 

Some general tips about identity theft include creating good habits with respect to your personal information, shredding sensitive documents you no longer need, keeping important paperwork in a safe deposit box, locking your file cabinet when you go out and storing the key in a secure place, maintaining good computer habits when managing and saving sensitive data, using a secure computer and an encrypted network connection when accessing personal information online, and being aware of your surroundings when having phone conversations where you may need to divulge personal information.

If criminals use your identity to impersonate you, it can take months or years to recover from the impact which may occur on multiple fronts – financial, medical, and/or criminal. AT readers, please take care. And as you move forward, proceed with caution. There are a load of scams out there, including people posing as callers from Equifax. Don’t trust people making wild claims and/or who have part or all of your social security number. Make sure everyone you’re dealing with is legit.

To read more about the Equifax breach, about identity theft in general, and for resources to help, see here, here, here, here, here, here, here, here, and here.

If you’re one of the 143 million Americans who just got screwed by the massive security breach at Equifax, you may be wondering what you can do to protect yourself going forward. I’ve compiled some ideas and hope readers will include additional suggestions in the comments section.

To recap for those who’ve been living under a rock, the personal data that was stolen included names, addresses, social security numbers, and birthdates. In addition, 209,000 had their credit card numbers stolen, 182,000 had dispute documents with personal data stolen, and an undetermined number of people had their driver’s license numbers stolen.

Of course, if you’ve been living under a rock you probably need not worry about any of this. For everyone else, if you had your identity stolen (and the chances are greater than 50% that it was), the actions you take to protect yourself will need to be implemented for the rest of your life since the information has long since been disseminated over the dark web. It’s out there. Forever.

Welcome to our brave new world. It’s hard not to be cynical, skeptical, or downright fuming over the fact that so many organizations collect data on us, even if we didn’t ask them to. And then they get hacked and our information is stolen. But I don’t want to go off on a tangent of commentary on this hideous debacle. I just want to offer some possible solutions. 

First, how do you know if you’ve been a victim of this gargantuan breach? Well, Equifax will tell you. Sort of, slightly, vaguely, and unreliably.

As for the smaller subset of folks who had their credit card number stolen, Equifax plans to send out notifications. If you receive a legitimate notification, cancel your card, request a new one, update your new card number if you have automatic payment set up, and remember that it’s always good practice to review your transactions on a regular basis.

As for the rest of the motherload of data that was stolen from Equifax, no notification will be sent. Instead, you can visit their web site and type in your name along with six digits of your social security number to find out the status of your info.

Yeah, that’s right. Equifax is asking for your name and most of your social security number in order to tell you whether your data may or may not have been breached.

There are several problems with this arrangement: (1) The language is vague. “May?” That’s hardly better than what we already know. (2) Since this breach is being investigated, it’s possible the number of people affected may further expand. (3) If comments on articles about this are any indication, the response you get from Equifax after typing in your information is unreliable. People are reporting that after multiple attempts to check, the messages they receive change. Sometimes the message says their data was likely part of the breach. The next time the message says their data was likely not breached.

So the entire system to check if your information was impacted is absurd. Given the scale of this breach, it seems prudent to assume your data has been compromised. So what, if anything, can or should you do?

There’s a general consensus on a few steps to take (here, here, here).

Check your credit reports at Equifax, Experian, and TransUnion.

·      Under federal law, you’re entitled to a free copy of your credit report on an annual basis.

·      It doesn’t matter if you have or haven’t contracted with any of the three credit agencies or their services. They all collect data on us. One resource where you can check all three places is Annual Credit Report.

·      Be aware there’s often a lag time from when criminals try to open a line of credit in your name and when that activity shows up on your report. In addition, there are situations when nefarious activity doesn’t show up at all. But if it does, you should report it to the Federal Trade Commission where you’ll receive guidance on what to do next.

 

·      Your credit report won’t tell you if money has been stolen from a bank account or if there’s any suspicious activity on your credit card.

Place a fraud alert or a credit freeze on your files.

·      A fraud alert lets creditors know you may have been a victim of identity theft and they should verify anyone seeking credit in your name, though the system isn’t fool proof as not all creditors comply. Most alerts only last 90 days, so you need to keep renewing it for longer coverage.

·      A credit freeze locks your credit report to anyone trying to access it. In order to make it available to potential lenders, you’ll need to unfreeze it. Then, should you desire, you’ll need to freeze it again. A credit freeze is a state-regulated action, so check your state for additional information (here).

·      To read more about credit alerts and credit freezes, see here, here, here, here, here, here, here, and here.

·      Of note: Don’t be lulled into a sense of security because accessing your credit report requires answers to personal questions that only you could know above and beyond all the info that’s been stolen. Scammers have ways to get around those questions.

Monitor all financial resources including bank accounts, social security income, retirement investments, credit cards, etc. Report suspicious activity.

·      Read all your statements carefully and in a timely manner. Be aware that in many cases, theft begins small and occurs across multiple accounts.

·      Contact your bank and other financial institutions to find out about their security measures. If interested, ask if they’re set up to notify you whenever a transaction occurs so you can verify/approve first.

·      Consider hiring a service that monitors credit and provides identity theft protection.

File your taxes early.

·      The idea is to beat the ID theft criminal to the punch. As soon as you have all the information you need to file your taxes, file them.

Meanwhile (and pardon me while I roll my eyes), Equifax is offering free credit monitoring services for a year to all U.S. customers, irrespective of whether their information was stolen (here and here). The deadline to enroll is 11/7/17.

What else? Well, some might be wondering if they should change their social security number. It appears that unless you can prove you’ve been a victim of identity theft, you can’t change your social security number. And in situations when people can prove it and change their number, the implications are far reaching, with many ripple effects (here and here).

One area of risk rarely addressed in articles on the Equifax breach that also has far-reaching consequences is that of medical identity theft. As Consumer Reports notes:

When thieves take your personal data to get prescription drugs, doctor care, or surgery, it can endanger your health and trash your finances.

While we’re all vulnerable to medical identity theft, some demographic groups are at greater risk than others, including people on Medicare (because the Medicare ID number is the social security number), people with frequent interaction with the health care system (because the more active your health-related accounts the more vulnerable they are), people who post personal information on social media (because scammers can connect social media information with other identifying information they already have), and children (because parents usually don’t see their child’s credit report until the child turns 18 and can secure credit in their own name).

Here are some ideas on how to monitor and protect your medical identity, culled from research with some of my own thoughts sprinkled in (here and here):

  • Routinely check the following for accuracy: medical records, communication from your health care providers, medical bills, communication from health insurance companies including Explanation of Benefits statements, as well as your prescription records.

 

  • Refuse to provide your social security number if a health care provider asks for it. (The main reason they want it is if past due bills need to be sent to collections.) Ask if there is some other identifying number they’ll accept. More importantly, ask why any of these numbers are being requested.

 

  • Before divulging any of your medical information, be sure the person you’re dealing with is legitimate.

 

  • Don’t post health-related news on social media.

 

  • Contact your health care providers and health insurance company to find out what measures they’re taking to protect you.

 

  • Insist health care providers be diligent about asking for a photo ID when patients check in.

 

  • Find out if the medical records department would put an alert on your file so you’re contacted when a records request is submitted.

 

 

Some general tips about identity theft include creating good habits with respect to your personal information, shredding sensitive documents you no longer need, keeping important paperwork in a safe deposit box, locking your file cabinet when you go out and storing the key in a secure place, maintaining good computer habits when managing and saving sensitive data, using a secure computer and an encrypted network connection when accessing personal information online, and being aware of your surroundings when having phone conversations where you may need to divulge personal information.

If criminals use your identity to impersonate you, it can take months or years to recover from the impact which may occur on multiple fronts – financial, medical, and/or criminal. AT readers, please take care. And as you move forward, proceed with caution. There are a load of scams out there, including people posing as callers from Equifax. Don’t trust people making wild claims and/or who have part or all of your social security number. Make sure everyone you’re dealing with is legit.

To read more about the Equifax breach, about identity theft in general, and for resources to help, see here, here, here, here, here, here, here, here, and here.

RECENT VIDEOS