Your data was likely stolen. Here’s what you can do to protect yourself even after the hack, and Equifax doesn’t want you to do it.
Equifax, as a consumer credit bureau, collects financial, credit, and other data on every US consumer. It has names, birth dates, social security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like. It collects data on bank balances, loan balances, credit card balances, credit card purchases, and myriad personal details. It has massive digital dossiers on every consumer in the US and in some other countries. And it sells this data to other companies, such as banks, credit card companies, car dealerships, retailers, and others, as a routine part of its business model. That’s how it makes money.
But when someone breaks in and steals this data without paying Equifax for it, well, that’s a huge deal. And it is.
Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell $2 million worth of shares between the discovery of the hack and today, when they crashed 13% in late trading.
Given the quantity and sensitivity of the stolen data, it may well be the biggest and worst breach in US history.
That stolen data “primarily includes”:
- Social Security numbers
- Birth dates
- “In some instances,” driver’s license numbers.
In addition, the stolen data includes:
- Credit card numbers of around 209,000 US consumers
- “Certain dispute documents with personal identifying information” of around 182,000 US consumers.
- “Limited personal information for certain UK and Canadian residents.”
This is the kind of information with which identities can be stolen and money can be borrowed in your name. Those data points are the crown jewels for hackers.
If you have ever looked at your full multi-page credit report from Equifax or the other consumer credit bureaus, that pile of details is just a brief summary of the massive amounts of data credit bureaus collect on consumers.
Equifax said that it “has found no evidence of unauthorized activity” on its “core consumer or commercial credit reporting databases.” That’s where the other consumer data – what you bought, how you paid for it, where you went to buy it, etc. – is apparently kept.
“Found no evidence” doesn’t mean it didn’t happen.
There have been hacks involving more accounts, including Yahoo’s breach that compromised 1 billion accounts, but many of them were inactive, used aliases, and weren’t associated with social security numbers, credit card numbers, and driver’s license numbers.
When eBay reported its mega-breach in May 2014, it refused to disclose how many accounts were compromised but asked 145 million users to change passwords. But given the data Equifax collects on consumers, the Equifax breach is in an entirely different category.
Here’s what Equifax did to deal with this, according to the statement:
“The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities.”
It also got its PR and damage control campaign underway, put its legal team to work to defend against class-action lawsuits, and initiated other moves to stem the bloodletting of its shares. It also offers consumers its own 3-bureau credit monitoring service (Equifax, Experian and TransUnion) and identity theft protection.
But here is the most effective way to prevent identity theft:
Put a “security freeze” on each of the three major credit bureaus
A security freeze (aka “credit freeze”) will prevent the credit bureaus from selling your data to anyone. It will not prevent hackers from stealing that info, but it will make it very difficult for them – or for those who buy that data from them – to use this data to open credit accounts in your name and steal your identity. If they submit your data to a credit card company to apply in your name for a credit card, the credit card company checks with credit bureaus to confirm this information and review your credit. But since there is a credit freeze on your account, Equifax cannot disclose that information, and the credit card company will not open an account in your name.
Note: Even if you try to open a new bank account or credit account, you will not be able to, unless you first remove the credit freeze. Credit freezes do not impact current banking and credit relationships; they continue as normal.
Credit bureaus are required by law to provide this service; otherwise they wouldn’t. They hate it. Selling your data is how they get revenues. Locking this data eliminates those revenues. But it’s the most effective way to protect yourself.
And remember: you’re not their customer; you’re their product.
I initiated a security freeze with these credit bureaus in 2006 after the University of Texas at Austin notified me that all my data, including social security number, had been stolen. It was a great decision. As a positive side-effect, it stopped the “pre-approved” credit card promos since credit bureaus could no longer sell my data to promoters. So good luck.