Worst US Consumer Data Hack Ever? Equifax Confesses

Your data was likely stolen. Here’s what you can do to protect yourself even after the hack, and Equifax doesn’t want you to do it.

Equifax, as a consumer credit bureau, collects financial, credit, and other data on every US consumer. It has names, birth dates, social security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like. It collects data on bank balances, loan balances, credit card balances, credit card purchases, and myriad personal details. It has massive digital dossiers on every consumer in the US and in some other countries. And it sells this data to other companies, such as banks, credit card companies, car dealerships, retailers, and others, as a routine part of its business model. That’s how it makes money.

But when someone breaks in and steals this data without paying Equifax for it, well, that’s a huge deal. And it is.

Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell $2 million worth of shares between the discovery of the hack and today, when they crashed 13% in late trading.

Given the quantity and sensitivity of the stolen data, it may well be the biggest and worst breach in US history.

That stolen data “primarily includes”:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • “In some instances,” driver’s license numbers.

In addition, the stolen data includes:

  • Credit card numbers of around 209,000 US consumers
  • “Certain dispute documents with personal identifying information” of around 182,000 US consumers.
  • “Limited personal information for certain UK and Canadian residents.”

This is the kind of information with which identities can be stolen and money can be borrowed in your name. Those data points are the crown jewels for hackers.

If you ever looked at your full multi-page credit report from Equifax or the other consumer credit bureaus: that pile of details is just a brief summary of the massive amounts of data credit bureaus collect on consumers.

Equifax said that it “has found no evidence of unauthorized activity” on its “core consumer or commercial credit reporting databases.” That’s where the other consumer data – what you bought, how you paid for it, where you went to buy it, etc. – is apparently kept.

“Found no evidence” doesn’t mean it didn’t happen.

There have been hacks involving more accounts, including Yahoo’s breach that compromised 1 billion accounts, but many of them were inactive, used aliases, and weren’t associated with social security numbers, credit card numbers, and driver’s license numbers.

When EBay reported its mega-breach in May 2014, it refused to disclose how many accounts were compromised but asked 145 million users to change passwords. But given the data Equifax collects on consumers, it’s in an entirely different category.

Here’s what Equifax did to deal with this, according to the statement:

The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities.

It also got its PR and damage control campaign underway, put its legal team to work to defend against class-action lawsuits, and initiated other moves to stem the bloodletting of its shares. It also offers consumers its own 3-bureau credit monitoring service (Equifax, Experian and Trans Union) and identity theft protection.

But here is the most effective way to prevent identity theft:

Put a “security freeze” on each of the three major credit bureaus

A security freeze (aka “credit freeze”) will prevent the credit bureaus from selling your data to anyone. It will not prevent hackers from stealing that info, but it will make it very difficult for them – or for those who buy that data from them – to use this data to open credit accounts in your name and steal your identity. If they submit your data to a credit card company to apply in your name for a credit card, the credit card company checks with credit bureaus to confirm this information and review your credit. But since there is a credit freeze on your account, Equifax cannot disclose that information, and the credit card company will not open an account in your name.

Note: Even if you try to open a new bank account or credit account, you will not be able to, unless you first remove the credit freeze. Credit freezes do not impact current banking and credit relationships; they continue as normal.

Here are the pages of the three major credit bureaus where you can request or lift a security freeze: Equifax, TransUnion, and Experian.

Credit bureaus are required by law to provide this service, otherwise they wouldn’t. They hate it. Selling your data is how they get revenues. Locking this data eliminates those revenues. But it’s the most effective way to protect yourself.

And remember: you’re not their customer; you’re their product.

I initiated a security freeze with these credit bureaus in 2006 after the University of Texas at Austin notified me that all my data, including social security number, had been stolen. It was a great decision. As a positive side-effect, it stopped the “pre-approved” credit card promos since credit bureaus could no longer sell my data to promoters. So good luck.

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  165 comments for “Worst US Consumer Data Hack Ever? Equifax Confesses

  1. BVian says:

    I heard the guys at the top of Equifax quietly sold off shares of company stock before they released the news.

    http://www.businessinsider.com/equifax-executives-sold-shares-after-the-company-learned-of-a-massive-hack-2017-9

    • Hiho says:

      In a civilized society they would be already in jail. Not only have they hidden the atracks, giving people less time to react, but they have also sold their shares using privileged information.

      The rats always jump firsts when the boat sinks.

      • Kraig says:

        Is insider trading not illegal in the USA?

        • Hiho says:

          At this point what is legal and what not is completely irrelevant. Law is not being enforced anymore against fat crooks.

        • walter map says:

          Technically. But not for congress. Or for numerous other swamp-dwellers.

          Inter lucrum silent leges.

        • Ambrose Bierce says:

          only if you are trading your own book. remember Phil Mickelson was accused of using insider information, given to him as a sort of quid pro quo by someone who owed him money. no harm no foul. Phil is a nice guy, Martha Stewart had to spend her summer at camp cupcake.

        • gert7to3 says:

          Yes. However, most of the people who get nailed for insider trading seem to be convicted of lying about their trades, not the trades themselves.

        • c says:

          It is illegal unless you have friends or are a member of congress or a staffer of congress, then it is explicity legal for them.

      • Frederick says:

        You mean like Stanley Fischer?

    • Maximus Minimus says:

      Hm. The two millions seem like the first down payment for legal costs.

    • nick kelly says:

      Insider trading?

    • polecat says:

      Maybe the ‘guy$ @t the top’ should be put in the stocks, so that all those millions of irate CITIZENS can fling their now ‘frozen’ credit cards (to be hurled like ninja stars) at these high faluten miscreants, thus shreading them down to size while being shown extreme displeasure …

    • Mike says:

      There is an applicable rule: 17 C.F.R. 240.10b-5. However, I think that as to regulations as to banks and securities trading, the existing rules are a joke.

      Banksters and crooked executives will never, ever admit to guilt. Proving knowledge and intent when your witnesses are in the boys club of bankster or corrupt executives is very hard.

      They claim as to these events that the executives that coincidentally sold massive amounts of stock were not told of the breach, etc. None of the banksters that encouraged pensions and others to buy mortgage backed securities that another group of banksters bet would fail, knew of those bets… supposedly.

      As long as such crooks do not write incriminating emails (that are not destroyed) and keep the corruption oral, they are safe. That is why so many companies like in house email servers: they can have their crooked lawyers go through the damaging emails and destroy the incriminating ones before producing the rest to authorities.

      The penalties are so slight and the expected profits of crime, e.g., libor rigging, so great that the boys club of crooked banksters and crooked executives will protect its members and keep them quiet. As Maddoff’s case demonstrates, the SEC and other regulatory authorities have been emasculated and are kept on a tight leash.

      E.g., even though IRS investigations yield returns of 6 fraudulently unpaid tax dollars recovered for every tax dollar spent on the investigations, the funds for those investigations have been cut. It is understandable, with our current corrupt congressmen, why would they want their fellow crooks investigated and forced to disgorge their profits?

      If that become a trend, congressmen might be forced to disgorge their “political contributions” and inflated salaries paid to their relatives, which are called bribes in other countries.

    • Tom Welsh says:

      That would be insider trading. If Martha Stweart was convicted for insider trading, why aren’t those people already in prison??

      • Suzie Alcatrez says:

        Martha was never convicted of insider trading.

      • Mike says:

        Martha Stewart was prosecuted, because she was a nice, visible public face, and she did not have the right connections. She was a nice, visible public personality, so they could prosecute her and hold her case up as evidence that they actually were doing their jobs while carefully not prosecuting the major crooks and banksters.

        If you look at other prosecutions, by the SEC and other agencies, you may notice a trend: many agencies prosecute the politically powerless and give sweetheart deals to the powerful. E.g. Eric Holder’s decisions not to even try to incarcerate most banksters after the major frauds (securities rule violations) in 2000 to 2008, which caused the crash of 2008-9. He deserves a big fat bonus from his superiors, as does bankster protector Geithner.

        E.g., Maddoff had the right connections, so the SEC slept on the evidence despite receiving numerous warnings about Maddoff. See https://www.theguardian.com/business/2010/mar/24/bernard-madoff-whistleblower-harry-markopolos.

        See also http://www.npr.org/templates/story/story.php?storyId=124208012. See also http://abcnews.go.com/Politics/story?id=6802350, which is a story entitled “Madoff Whistleblower Slams SEC.”

        By the way, I think that the U.S. would be better off dissolving the apparently inept, corrupt SEC and creating a new agency. However, under the current Trump mis-administration, slimy Mnuchkin and others would no doubt make that new agency even more corrupt.

        • Guido says:

          @Mike

          Bingo. When Uber announced it was hiring Holder to look into sexual allegations, I wondered if he wasn’t announcing he’s ready for bribes. I was expecting him to exonerate everybody because he could not bring even one case against Wall St. with all the resources at his disposal. The only people to go jail, that McKinsey fellow and his ilk, were prosecuted by Preet Brahara who is definitely not Holder.

          So what was Holder’s take? In this case, he’s asking for so much that no single employee can bribe him off. That meant, he was being paid off by somebody in the board.

          This also means that hiring Holder was move to get Travis out rather than to improve workplace. Uber cares about safe working places, yeah right!

          Now Holder is threatening to run for public office. We are all so badly screwed.

      • Mike says:

        As to former New York Attorney General Eliot Spitzer, for example, he was selectively targeted for crimes that many, many among the wealthiest people commit every day: hiring prostitutes. I believe that his real crime was prosecuting some well connected Wall Street crooks.

        Aside from the prostitutes thing, he seems to have been honest. See http://www.businessinsider.com/eliot-spitzer-prosecutions-following-the-financial-crisis-have-been-a-major-disappointment-2010-10

        If the only honest public officials we can get are those who are sexually addicted to prostitutes, by all means, let us establish a special fund to provide for their needs. Unfortunately, looking at the members of the Trump mis-administration, I wish that former New York Attorney General Eliot Spitzer had been elected president.

        At least then, maybe slimy Mnuchkin would not be Treasury Secretary. Perhaps, we could then have a real, not Trump’s fake misleadingly-named, new Glass Steagal Act. However, the story of former New York Attorney General Eliot Spitzer is a demonstration of the power of connections.

        He annoyed powerful people. To retaliate, they gathered evidence for acts (allegedly prostitution) that they no doubt also engaged in but in private. Former New York Attorney General Eliot Spitzer was condemned then by hypocrites, who saw this tactic as a way of getting rid of someone who had sent too many of their cronies to prison.

        It makes me wonder if deceitful Trump or slimy Mnuchkin were involved.

  2. Jas says:

    Very interesting article, thanks wolf! I wonder if the data that our credit agencies sell is similar to the data that google, facebook also collect and sell. It seems that this data collection is a large part of their profits. Would the security freeze also stop google and facebook from collecting this data. I read a terrifying article that really opened my eyes to the large amount of information about american’s that is for sale, perhaps even used by the russians in their election interference. I’ll post a link.
    https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win

  3. tony says:

    It’s to late, damage done.

    • Wolf Richter says:

      No, a “security freeze” is not too late after your data was stolen. It’s only too late after your identity was stolen. Two different things.

      After your data is stolen, it will require someone to take this data and apply for credit in your name and steal your identity. This period can be months. So it’s not too late to stop that from happening.

      • Mark says:

        I did a security freeze back then as well. A few things I learned:

        1) Be sure and keep a copy of the information you’ll need if you ever want to unlock the freeze. It’s *very* difficult to temporarily unlock the freeze without this information. Which is the whole point.

        2) The freeze will affect things other than obtaining a new credit card. For example, I had to put down a deposit with Cox Communication in Phoenix because they couldn’t verify my credit information because of the freeze (and I didn’t want to bother unlocking it temporarily for them).

        I also had a temporary hold up establishing a new brokerage account because of the freeze. Turns out most institutions have ways to verify who you are without going to the credit agencies. You just have to ask.

        Never-the-less, I still recommend the freeze for piece of mind. The (very) occasional inconvenience is not a big deal.

        • julie cambridge says:

          Thanks so much for this Mark! I assumed there would be some aggravation involved with a security freeze. This helps prepare for it. And now I know how they got my friend’s data. She found out a month ago that she bought a house in Texas. (never been, never owned a house, she’s a 26 year old student in the SF bay area who lives with her parents.)

      • Jas says:

        This unholy data breach is for life and those who had their info stolen (myself included) will have to have a credit freeze for life! What a massive intrusion, breach of trust and burden for those affected.

  4. Mendy Mendelbaum says:

    Wolf, does a credit freeze affect your credit score? I hear that your FICA score goes down by simply requesting more credit. In this way I thought ANY changes to the status quo would be an opportunity for the reporting bureaus to skroo you.

  5. Kubi says:

    This is pure speculation but it would seem that a creative credit rating company (or an employee there) could sell the data on 143 million consumers through the back door, make a killing then claim it was a hack.

    The details of the hack seem preposterous.

    • nick kelly says:

      It would have to be sold for hundreds of times more than the black market pays to equal the value of the company, which will now plummet possibly to zero.

  6. robt says:

    I found Equifax to be totally incompetent. I had subscribed to their credit watch service, with the identify-theft ‘protection’. I had occasion to phone them a couple of times for reasons I can’t remember, but each time they had a hard time even finding my account.
    During the course of my subscription, someone started making bogus charges to my credit card; fortunately the bank caught it right away, and froze the charges, and the charges were quickly cancelled. I was issued a new credit card.
    Anyway, back to Equifax, a couple of weeks after receiving the new card, and of course I had to give them the new credit card number for the automatic monthly billing. Again, it took me a half hour on the phone for them to find my account, using my official Equifax account number, supplemented with much personal info. Not a peep about any alerts from their so-called ‘protection’ system; even when I asked directly about any suspicious activity, nothing was found, and this was 3 weeks after the fraud event. I managed to cancel the service after many ‘Are you really sure you want to cancel?’, and attempts to upsell the service.
    I really question whether they knew what they were doing, and the state of their data system. Just the fact that their database was directly vulnerable from hackers and was not compartmentalized tells us they probably didn’t, and don’t have a clue. And the fact that it took over 5 weeks for the news to be made public is unforgiveable.
    It’s also amusing the Chief Financial Officer had no idea of the data breach 3 days later when he sold his stock. Either he quickly forgot, or that’s more evidence that their ‘alert’ system needs fixing, even if only for senior executives.

    • curious cat says:

      I think the state of their data systems speaks for itself. The major problem is that the top execs in these companies have no skin in the game. They can lose 143 million lives and it won’t matter to them one iota.

      • Dave says:

        “They can lose 143 million lives and it won’t matter to them one iota.” That’s exactly why they are hired because they are psychopaths! They do what ever it takes to make profits!

    • intosh says:

      It’s a scam through and through. This kinda of business should be illegal. Brokers of information on you and they elect walls and roadblocks to make it difficult for you to regain control of your information. It’s criminal.

    • Stan Barber says:

      In U.K. We have a company called Experian.
      It purports to be able to provide you with your credit rating.

      If you want to see what credit rating they have about you, you have to become a “member” and give them data about you, including say your mum’s maiden surname.

      When all of that happens, you still cannot see your credit rating but suddenly the credit card companies don’t want to give you no more credit.

      When you realise this whole “credit rating business” is just another data harvesting and reselling scam, and you tell Experian to delete your data as you want out, they say “computer says no”.

      F^*^#$€ng rape it is, that’s what it is.

  7. curious cat says:

    I placed a credit freeze with all three organizations about 5 or 6 years ago. Costs $20 each if you are a Delaware resident, which I am. (Some states are free, but Delaware did a curtsy to the banking industry that was big here at the time.)

    About 5 or 6 weeks ago I got a letter from a business that said I had applied for a credit account to purchase a diamond ring (the ugliest I have ever seen) for a valentine gift for a woman in Texas. Message: I love you, Smith. The company told me how to unfreeze my credit so they could complete the transaction. Later they sent another letter saying that the credit card number I sent them was invalid and I should send another card. They gave the last four digits, and no card I have ever had those numbers.

    I realized what was going on and naturally I felt this rush of good fortune that I had frozen my accounts. If not, once that trial transaction was complete the bad guys could do virtually anything else.

    I realized they must have gotten my SS number, name, and address from somewhere, but I couldn’t begin to guess where. So, today I think I can guess where.

    Freeze your credit info folks. Much smarter than paying Lifelock or other similar companies.

    By the way… if you are a Medicare beneficiary, which I am, your name, address, and SS number is laying around the office of every medical professional you ever visited.

    • walter map says:

      “your name, address, and SS number is laying around the office of every medical professional you ever visited.”

      In point of fact, any number of unscrupulous persons with perfectly legal access could conceivably exploit your personal financial information for illegal profit – including the credit reporting services themselves. For all you know they have back-room third-party operations in place to do just that. On a sufficiently-large scale such exploitation could crash the entire system.

      Who’s going to stop them? Your brave government watchdogs, themselves hopelessly corrupted by the FIC?

  8. Suzie Alcatrez says:

    Part of me hopes someone steals and publishes everyone’s name and Social Security numbers sothat businesses will stop using Social Security numbers as identifiers.

    • nick kelly says:

      When the Social Security card and number was introduced in Canada it was made illegal to ask or use it for purposes other than the delivery of social services.
      British influenced Canada has (had?) a horror of an identity card, (where are your papers?)

      Don’t know if it’s still on the books but it was widely ignored when it was.

  9. Michael Mulligan says:

    I’m trying to put a credit freeze on my Trans Union account and all it wants to do is charge me $19.95 per month to “monitor” my credit. At least Equifax and Experian were fairly simple and only charged $3.

    • Mark says:

      Check again. You can do a freeze, they just make you jump through hoops to get there.

    • Old Engineer says:

      I had to call Trans Union. I had to wait about twenty minutes to get through but it didn’t take but 3 or 4 minutes after that. 888-909-8872. We did all three for my wife and two for me online. But Trans Union has never let me do anything without calling them.

      I really appreciate Wolf alerting me to this option. I wasn’t aware of it prior to reading the article.

      I think it would be prudent to keep your accounts in a state of “freeze” and only open them up for short periods when you need to. It is really very cost effective considering the risks.

    • Mike says:

      Here is a FTC.gov page that lists direct links to all three credit agencies’ Freeze pages. Using these links, putting the freeze on each one is straight forward.

      https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

      My only snag was that I had an account with TransUnion that I didn’t know about. Recovering the password and getting into it was frighteningly easy though. :(

      I also thank Wolf for posting this and walking through the logic behind putting the freezes in place. Many people are thinking about doing it, but are afraid to.

      • Mike says:

        If many people freeze their credit, I predict that these companies will later give you a hard time when you eventually try to unfreeze it. It is a good idea, no doubt, to freeze your credit.

        However, having been a lawyer for nearly 30 years and having repeatedly dealt with big companies, the fact that they may be legally required to freeze and unfreeze your credit does not mean that they will do it easily. They will resist.

        If it does not benefit them, and here apparently it would diminish the information that they can sell, I predict that these credit companies will impose whatever hurdles/fees they can to discourage it. Protector-of the-wealthy Trump will no doubt later seek to alter laws authorize the imposition of substantial hurdles or fees, if thousands of people freeze their credit.

        Thus, if you do it, I suggest that you carefully gather and carefully keep whatever information you will later need to unfreeze your account, as someone else said.

        By the way, using a company’s in-house servers for messages, as many, many companies require, or communicating with companies only orally, means that you will have no evidence later to prove your communications with companies or their lack of action. Remember my warning, if any serious matter later arises.

        Companies destroy evidence that would be prejudicial to them routinely, like in house emails or recordings of calls. Many, many crooked judges wink at that and refuse to punish a company: e.g., in one case a company claimed to have “lost” the relevant two years worth of payroll records of ALL of their employees. The LA judge chuckled.

        Remember also that our current litigation system is mostly designed to give people the impression that attaining justice is possible: in actual fact, only a few people that have many witnesses and a lot of evidence actually recover damages. Most get turned down by lawyers that know how their case might be lost.

        As to class actions, while they provide some relief, the lawyers often get huge fees and the members of the class may get minimal benefits per person. I opine that a lot of class action lawyers may have close connections with the defendant companies: they bring the lawsuits to help the companies limit huge potential liability, because class actions lead people to believe that they will receive full recovery for their losses then the lawyers later settle for very low amounts per victim.

        I am sorry that the truth, as I have seen it, is so depressing. I will never work in house again, because I have seen what it involves.

    • Gershon says:

      You could ask your elected officials to take the side of consumers against the corporate grifters and their lobbyists.

      I slay me….

      • Mike says:

        Was that a joke? Who pays them more? Follow the money. Judges, politicians, and other public officials seem to ‘coincidentally’ always benefit the companies that pay them the most.

        As a former Republican, I can only be sad at how low the party of Lincoln and Reagan has been brought. However, in California, if you Google for information, you may find that a certain Democrat senator is corrupt. Unfortunately, while I hope there is less corruption in the Democratic party, there is plenty of corruption in both.

        Please google Goldman Sachs and Clinton millions.

  10. JohnR says:

    I just did a credit freeze at the three credit bureaus. Good advice!

    • Johnny A says:

      I’m trying to freeze my account. FYI to all, Experian says my MAC book pro is on “private browser” so it has to be turned off to apply for the freeze. HUH?

      These cheap bastards have been getting away with doing nothing for us for years. I’ll make sure I get the freeze done.

      • David Calder says:

        Got something similar from Experian. Mine was Safari private browser setting was incompatible with their website. Equifax was an easy fix and TransUnion took a couple of tries.. Experian phone number is 877-284-7942.. To get a real person; 888-379-3742 but you have to have your Experian account # .. I had no idea we even had an account let alone a number.. Good luck..

  11. Flying Monkey says:

    I place a credit freeze years ago on all three agencies . I pay nothing. I use an Indiana address since I am an expat. I would be furious if I had to pay a monthly fee for the them not to be selling my data (credit freeze). I have been fortunate so far.

  12. Guido says:

    If you live in California, here’s the way to freeze your credit report. Do read the FAQ.

    https://oag.ca.gov/idtheft/facts/freeze-your-credit

    • California Bob says:

      Huh … Experian charged me $10 but the others didn’t. Did they waive the fee out of the goodness of their hearts, or are their systems so screwed-up they can’t even properly gouge their products (‘customers’)?

      Yes, I’m in CA and under 65–just barely–and AFAIK haven’t been hit (yet).

  13. Dogstar says:

    Just attempted to freeze my info at Equifax, received thee following:

    We are currently unable to service your request.

    Please try again later.

    • Wolf Richter says:

      That’s funny… seems you’re not the only one who is trying to do this. I can imagine millions of people trying to do the smart thing, all in one day. Give it a day or two and try again.

      • Carl says:

        I was just able to freeze on all three sites. Thanks for the links!

      • David Calder says:

        Thank you, Wolf, for the info.. Just one more reason many of us read your site everyday, multiple times daily. I got through to Equifax but not the other two. TransUnion is down for the day and Experian says Safari is not compatible and I need to disable it..

      • NotMyPresident says:

        Now they are forwarding from the link you provided to a landing page promoting their (deceptive) credit monitoring service. It wasn’t that way yesterday since I’ve tried over 20 times to use their online form to freeze my account to no avail. Their customer service pages also seem to be intermittently showing odd error messages.

        The current way to get to the links by going to:

        https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

        • Wolf Richter says:

          THANK YOU!!!!!!!!!!!!!

          These people are becoming DEVIOUS!

          TransUnion changed the page so that the link on Wolf Street, the New York Times, the Wall Street Journal, etc. no longer leads to the correct credit freeze page anymore.

          So here are the new link TransUnion:

          https://www.transunion.com/credit-freeze/place-credit-freeze2

          Experian has kept it the same. Equifax has updated its page to where it gives additional info but still leads to credit freeze part. So it’s OK.

          I have now changed the link in my article.

        • Wolf Richter says:

          I’ve changed my comment some. The Equifax page is now working properly.

        • NotMyPresident says:

          Hi Wolf. Not to be a bother, but the link (above) for Equifax in your article…

          https://help.equifax.com/s/article/ka137000000DSDjAAO/How-do-I-place-a-security-freeze-on-my-Equifax-credit-file

          …still leads to a “Sign up with our Credit Monitoring Service” page. The link I provided…

          https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

          …goes directly to their Freeze page.

        • Wolf Richter says:

          If you scroll down the Equifax page past the new red “Click Here” button, you will see the credit freeze explanation and link. This used to be at the top. So it requires scrolling to see it (so this is slightly devious), but many websites do that.

        • NotMy President says:

          OK. I’ve managed to freeze Equifax and Experian. However, I am wondering about the free lock/unlock service that TransUnion offers called TrueIdentity.

          TrueIdentity membership seems to allow you to waive the fees for both locking and unlocking, and can be controlled via a web interface on their site. It also seems to perform the same action of blocking outside entities doing credit report checks.

          Barring the ability to hack people’s (hopefully complex) account passwords, wouldn’t this also be a good solution for that site?

        • NotMyPresident says:

          Answered my own question. That’s what you get for free. Buried in the “fine print” of TransUnion’s Service Agreement…

          “TRANSUNION INTERACTIVE AND TRANSUNION EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THIS AGREEMENT OR FRAUD RESOLUTION SERVICES HEREUNDER. TRANSUNION INTERACTIVE AND TRANSUNION DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, AND FITNESS FOR A PARTICULAR PURPOSE. TRANSUNION INTERACTIVE AND TRANSUNION DO NOT WARRANT THAT ANY FRAUD RESOLUTION SERVICES PROVIDED PURSUANT TO THIS AGREEMENT ARE NON-INFRINGING, THAT THEY WILL MEET YOUR REQUIREMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. TRANSUNION INTERACTIVE AND TRANSUNION’S LIABILITY IS LIMITED TO THE SERVICES EXPLICITLY SET FORTH IN THIS AGREEMENT. IN NO EVENT SHALL TRANSUNION INTERACTIVE OR TRANSUNION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, (WHICH SHALL INCLUDE WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS). IN NO EVENT SHALL TRANSUNION INTERACTIVE OR TRANSUNION BE LIABLE FOR ANY LOSS ARISING OUT OF TRANSUNION INTERACTIVE OR TRANSUNION’S PERFORMANCE OR NON-PERFORMANCE OF ITS SERVICE. IN NO EVENT SHALL TRANSUNION BE LIABLE FOR ANY DELAY IN PROVIDING SERVICES, OR DAMAGES RESULTING FROM ANY DELAY IN SERVICES. IN NO EVENT SHALL TRANSUNION INTERACTIVE OR TRANSUNION HAVE ANY ADDITIONAL LIABILITY TO YOU EXCEPT AS STATED HEREIN. IN NO EVENT SHALL THE LIABILITY OF TRANSUNION INTERACTIVE AND TRANSUNION EXCEED THE FEES YOU PAID FOR THE FRAUD RESOLUTION SERVICES IN THE PRECEDING TWELVE MONTHS.”

    • Anon1970 says:

      If you want to credit report freeze your account, you will probably have to send them a check for the fee ($10 when I did it several years ago) and a specific written request to place the freeze on your account. Check your state Attorney General’s web site.

  14. Stevedcfc72 says:

    So if im right the correct way to protect yourself is to security-credit freeze
    your credit information.

    If you require to unfreeze your info-credit report (for example going for a mortgage) and then refreeze once the credit company-bank has done the credit check.

    • Wolf Richter says:

      Yes, that’s the idea.

      • David says:

        Quick question Wolf, the equifax site asked for a specific CC to put a freeze on, but I hold 3 of the 4 listed cards, do you have to do it for each one? Not sure why they did not offer an all option at $10 dollars
        a crack? Thank you for all you do!

        • Wolf Richter says:

          You should be able to put a security freeze on your entire data at Equifax (and the other two bureaus). I would not settle for anything less. I’m not sure what you’re seeing, or why you’re seeing it. It sounds strange. Another commenter here pointed out that the Equifax system was overloaded. So there may be an issue. I’d try again later.

        • Pavel says:

          FWIW I just tried to put a freeze on Equifax. They took my details and then said I need to pay $5 for a “temporary freeze”. I don’t like the sound of “temporary”.

          I then found their security alert and they claim to offer a way to find out if your data have been hacked:

          https://www.equifaxsecurity2017.com/enroll/

          When you begin, you will be asked to provide your last name and the last six digits of your Social Security number.
          Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.
          You will receive an enrollment date. You should return to this site and follow the “How do I enroll?” instructions below on or after that date to continue the enrollment and activation process. The enrollment period ends on Tuesday, November 21, 2017.

          I put in my info and they said I hadn’t been affected. But this is truly an evil, greedy institution (and an incompetent one). Another reason if needed to avoid using credit cards as much as possible.

          (Slightly OT but I wonder how all those folks preaching the utopian life offered by the “cashless society” would fare in say Puerto Rico or other places hit by Irma where the power will be off for weeks or months?)

  15. Enrique Bermudez says:

    At some point I wonder when peak “you are the product” gets reached and there is some sort of massive backlash against this whole despicable tech/surveillance/advertising complex.

    Doesn’t feel like this is it yet unfortunately.

    I think the intrinsic “for sale” nature of the US political system and the fact that the tech industry is so important there keeps the political pressure off. For now. But constantly seeing a drip-drip-drip of positive things out of the EU (and India) lately.

    I tell people all the time: you don’t want to be “long Facebook” when that worm finally turns. At some point the overall consensus for any issue can tip enough to where even the miserable cretins in DC may actually see it in their own interest to start doing the right things.

  16. Frederick says:

    Living in America has sure gotten to be a nightmare You can’t trust any institution to do what’s right anymore Very sad indeed This all stems from 911 and it will NOT end well in my opinion

  17. Mike says:

    Hi Wolf,

    Many thanks for the useful credit freeze info which I am using.

    Unfortunately IN FLORIDA (home of scams) Experian charges $10 to place and remove the credit freeze each and every time you use it.

    NO such fee for Transunion.

    The Equifax site was identified by my browser (Firefox) as being compromised. On a side security note, I refuse to use Google as they maintain every bit of data you generate for eternity.

  18. walter map says:

    The fees required to implement a security freeze constitute a form of extortion and should be illegal.

    If a credit reporting service wants to make some extra money, all they have to do is arrange for a data breach and then collect from millions of potential victims who are required to pay to protect themselves from the irresponsibility, if not actual criminality, of the credit reporting services.

    It’s another racket. No one is safe from the bankster mafia.

  19. Bill says:

    Excellent article, very helpful. It is shocking how much of our personal information is available for sale. Recently it was reported that Google plans to obtain everyone’s credit card statements in order to match off-line purchasing with on-line ad viewing! https://www.washingtonpost.com/news/the-switch/wp/2017/05/23/google-now-knows-when-you-are-at-a-cash-register-and-how-much-you-are-spending/?utm_term=.16a53d064f41

    Perhaps this Equifax mess will begin the swinging of the pendulum back in favor of real personal privacy. If the hackers have stolen Charles Schumer’s and Ivanka Trump’s personal info, there is hope.

  20. Mike R. says:

    Tech. Isn’t it wonderful?
    Biggest con job in American economic history.

  21. Dave P says:

    Thank You for this information, accounts now all frozen. SOB’s got $10 each to freeze. PA resident

  22. doug says:

    can we ‘products’ have a class action suit ?

    • robt says:

      There should be hundreds of offers to choose from in a couple of days, then starts the competition to see who represents the class. Eventually everyone would get a few bucks settlement and the lawyers get 33% of the gross plus disbursements; it’s a growth industry.
      Considering a $2B settlement can make $700 million and keep recent graduates who work cheap busy for years it’s easy to see why.
      If you sign up you could end up with 100 bucks in 5 years if you’re lucky.

  23. Wolf Richter says:

    Update, sort of….

    I just spent about 25 minutes on radio (Chicago, 7 am Central Time). We were going to talk about hurricanes and Carmageddon and all kinds of things, but from get-go, the topic changed, and the first half of the interview was entirely focused on the Equifax mess, and the broader implications. There is a lot of interest and anger about this, it seems.

    But my guess is, nothing will change :-]

    • penfold dangermouse says:

      something would change if the elites in at least one political party were interested in the interests of the bottom 90%.

      Keep pushing that virtue-signalling with the left hand and taking financial industry cash with the right, Democrats.

      And if you’re a concerned Republican, throw out your establishment RINO in the next primary.

    • Judyg says:

      Social Security Administration is going to start issuing random numbers for all those having social security numbers beginning April 2018 for 1 year. This suupposedly is so the social security number will not be used as an identifier, and instead the random number assigned to you will be used. What if any impact will there be on the freezes that we have done with the 3 agencies? Will they require us to go in and freeze again using our random numbers since SSs can no longer be used as identifiers? Ideally they should have a cross match that will automatically do that, but then they don’t try to make it easy for us as we are their product.

      • Wolf Richter says:

        My understanding is that the SS administration started issuing random numbers in 2011 to new applicants. And I think you can apply for a replacement (and now randomized) SS#. The fact that you now have a different number protects you from ID theft under the new number. Your old number could still cause you problems. But I imagine you will have a host of new problems since all your records are under your old number.

        Random numbers don’t prevent identify theft if the number is stolen, as in the Equifax hack. They just make it impossible to guess the number with knowledge of where you were when you applied for the number, which the old numbering system allows you to do.

  24. Eric says:

    Thank you for the tips, Wolf. Much appreciated. I initiated a security freeze on all three bureaus.

  25. mvojy says:

    Levy a fine of $100 per impacted individual or business. Equifax would then have done the math and invested more money into data security to avoid paying a fine of $14.3 billion. Increase the cost of noncompliance and you will see companies invest in compliance.

    • Pavel says:

      Hear, hear! Of course it will never happen, as the congresscritters have all been bribed by BigPharma, BigEnergy, BigFinance etc never to do anything to protect the average guy on the street.

  26. Anon2017 says:

    Wolf, what is the likelihood that the PIN number tied to your frozen Equifax account was also compromised? Can we request a new PIN number?

    • Wolf Richter says:

      I have no idea about either question :-]

      But I doubt those who try to monetize this stolen data will go through the hassles of trying to unlock your credit freeze. They pick the low-hanging fruit – the people without credit freezes on their accounts.

  27. Vern says:

    Just tried to use the Equifax link. Firefox says the site is not secure and won’t allow access.

    Bastards…

    • Wolf Richter says:

      Another commenter said this also. I tried the link on Firefox and it worked fine (at least up to the page where you put in the data). So I don’t know what the issue is. Try again a little later.

    • cdr says:

      I read on another site that someone might be spoofing the site to look thing up on. Don’t know for certain. Anyway, the reply back from them is fuzzy, according to other articles.

    • Vern says:

      An update … This may explain some of the issues (h/t Axios):

      “… The problems, per ArsTechnica:

      If you use the equifaxsecurity2017.com site, you forfeit your legal right to pursue any class-action lawsuits, per the site’s legal language.
      The domain to the site doesn’t belong to Equifax.
      The site is hosted on the WordPress content management system, meaning it doesn’t have the proper security in place, particularly for a site that hosts users’ SSNs.”

  28. c smith says:

    Unreal. Equifax is using the data breach as a marketing tool – trying to get people who go to their site to find out if they are affected by the breach to sign up for their security service!

  29. Wilbur58 says:

    Two things:

    1) Last week, there was fraudulent activity on one of my credit cards? Thankfully, the bank reversed the charges in two seconds and issued a new card. But is the timing a coincidence?

    2) I went to Equifax’s site to see if my info got taken. The stupid fucking site doesn’t even work. I got a screen that simply says “Thank You” and provides a link to their “FAQ”. Idiots.

    This is really significant. Mainly it affects two areas of American life, auto loans and mortgages. If someone screws up your credit score, it could highly impact a mortgage to the tune of thousands and thousands of dollars, if getting approved at all.

    I don’t think now is the time to get a mortgage, obviously. But if there were a crash and person wanted to pounce, they’d be screwed if they’ve had a major identity theft.

    The execs who sold stock should go to jail.

  30. Winston says:

    “You must freeze your credit report at each credit bureau individually since there’s no way to freeze all three credit reports at once.”

    THAT alone is pure BS. Considering how often this sort of thing happens, the government might do something useful for a change and require a central contact point for all three credit bureaus.

    • cdr says:

      Agree. I thought about freezing once but never got around to it. This time I will after the rush from others doing the same thing dies down. Maybe someone will force Equifax to do it for me … doubtful but slightly possible?

    • polecat says:

      I donno … that would make for quite a large ‘cloaking device’ .

      • polecat says:

        I mean, when in the last 35-45 years, has our federal government done ANYTHING according to best principles, at least with respect to the mopes ?? I would wager none … and to think that the S•E•C, or some other .gov acronym of false repute is going to anything but hurl a feather #anyoffender.org(an blood sucker), is dreaming !

        “winter is coming”

  31. Winston says:

    Also, don’t forget Innovis who, unlike the big three, has a very CLEAR and simple instruction page for submitting a freeze and, unlike the others, has a simple PDF form for MAIL IN submissions, the likely best way to get around phone and online logjams.

    https://www.innovis.com/personal/securityFreeze

    • Mike D says:

      I wish there was a way to vote this up to the top of the comment section. There are indeed more than 3 credit reporting agencies. The big three listed in Wolf’s article are joined by Innovis, the next largest, and PRBC. While I know little about PRBC, Innovis is large enough to warrant considering a Security Freeze if you are freezing the other three.

  32. kato Nokto says:

    Mini Rank…
    I have noticed the protocol for a US citizen applying for Technology Security employment requires a background check and references…
    However most companies have no problem exporting their security software development without even a clue about the people ultimately doing the work.

    Equifax: “We hired a Cyber-Security firm to evaluate….”

    Sorry to tell you this… but the horse is gone… Homer :)

    • Winston says:

      Also note their preference, undoubtedly for cost reasons, of on-line submissions of security-related freezes, fraud alert requests, etc., as if ANYTHING that is done online should be trusted right after an internet related security breach or, for that matter, ever again.

    • polecat says:

      ‘We Cybered Some Folks!’

  33. Bruce Turton says:

    Some years ago I got a call about a survey with a lot of questions from some “reputable” online survey company in Florida – I live in Canada. At the end of the survey I was asked about my race – asking that is illegal in Canada! I was also asked to give my Social Insurance Number. The only people who get that number are those who are going to pay me $$$$! When I refused the woman at the other end was insistent that many others did give their S.I.N.’s.
    Have to wonder: do these “survey companies” do the same thing to Americans? What do they do with the information they collect?
    Point is that there are many ways for criminals to get the information necessary to steal identities.

    • Anon2017 says:

      Next time don’t be so polite and hang up on these “survey takers”. Get caller ID for your phone (if you can afford it) and don’t answer calls from people you don’t know. If the call is legitimate, the caller will leave a voice mail message. Con artists and survey takers rarely leave messages.

      • California Bob says:

        Check out nomorobo.com. They’ll flag any non-legitimate number but, unfortunately you’ll still get one ring (and one ring only).

    • Wolf Richter says:

      If a “survey” company asks you for your Social Security number (Americans) or Social Insurance number (Canadians), that “survey” is a phishing expedition and a fraud.

      And they’re doing it because, as you pointed out, enough people fall for it.

  34. Winston says:

    Outstanding guide, better than anything I’ve ever found elsewhere, on what to do:

    08 JUN 15
    How I Learned to Stop Worrying and Embrace the Security Freeze

    https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

  35. CAD_Weasel says:

    Looks like millions of angry product managed to bring TransUnion™ to its knees.

    At the time of this comment, their website is displaying: “This website is temporarily unavailable–Please check back later. We apologize for the delay.”

  36. mean chicken says:

    Luckily for hackers, Equifax has (and uses, distributes, etc.) our SS numbers!

  37. Jim H. says:

    Unable to access equifax security freeze site. I input the required info, type in the code, “submit” it and receive this message: “Please enter only numbers, letters spaces…” Anyone else have this problem or find a way to resolve? (Tried using two different browsers.)

  38. GSH says:

    Wolf, thanks for reminding us to freeze our credit reports. I was able to do all of them except Transunion – their site is overwhelmed-maybe on purpose. Will try again later

  39. Gershon says:

    Equifax is now trying to con consumers whose data it failed to protect into unwittingly signing away their legal right to participate in a class-action lawsuit against the company.

    http://www.marketwatch.com/story/why-some-equifax-customers-have-unwittingly-waived-their-rights-to-a-class-action-lawsuit-2017-09-08

  40. Old Engineer says:

    Don’t forget if your spouse has their own credit cards or bank accounts their credit bureau accounts have to be frozen as well. Doing one member of marriage doesn’t get both.

    I did experian and equifax for my wife and I online about 8:00 central time this morning with no issues or delays. Did Trans-Union as well for her but had to call them for me (have had to call Trans-union for me for the last 10 years) and waited about 30 minutes. Called TU back later though and got through in less than a minute.

    Thanks again Wolf, that was a great public service and I appreciate the warning and the legwork you did to get the links. I’ve forwarded to 4 people so far who, like me, hadn’t been aware of the breech or the option to do a freeze.

  41. Gershon says:

    I always find it baffling that ‘Muricans rage at corporate fecklessness and rip-offs, then invariably vote for the corporate-owned Republicrat duopoly that ensures these grifters can defraud or be criminally negligent with impunity while our co-opted regulators, enforcers, and judiciary turn a blind eye.

    • California Bob says:

      Unfortunately, we don’t really have alternatives. ‘Waste’ your vote on a protest candidate and the worst one can win (see: Bush, George W.).

  42. Gershon says:

    Our worthless, captured regulators, enforcers, and judiciary will pretend to conduct “investigations” into the data breach and Equifax’s response to it, which will culminate in the usual blowhards of Capital Hill bloviating about Equifax’s fecklessness while cashing checks from their lobbyists and refusing to pass any legislation with real teeth to deal with these grifters. Our “enforcers” will levy a few slap-on-the-wrist fines in return for banal pro-forma “mistakes were made” statements from the Equifax CEO. And the crony capitalist swindles, negligence, and larceny will continue unabated.

    Unless, of course, a jury finally slaps these scumbags with a judgement that will bankrupt them and send a message to their fellow grifters that it’s not okay to be so haphazard with the secure information entrusted to them by millions of Americans.

    http://www.thedailybeast.com/equifax-stung-with-multi-billion-dollar-class-action-lawsuit-after-massive-data-breach

  43. Volvo P-1800 says:

    In Britain 11,377 people had their bank cards and details stolen by bribed Royal Mail postmen:

    http://www.bbc.com/news/uk-england-41081396

    • Gershon says:

      The fish rots from the head first.

      Amoral people, seeing how the really big criminals operate with impunity thanks to their capture of enforcers and the judiciary, will have few qualms about running their own rackets.

  44. Carlada says:

    143M of us need to spend $10 at minimum to [temporarily] freeze our reports… = $1,430,000,000 payment to said credit bureaus. “Oops!”

    $1,430,000,000 !
    $1,430,000,000 !!
    $1,430,000,000 !!!
    $1,430,000,000 !!!!

    One billion, four hundred thirty million dollars. Nice scam.

    • Wolf Richter says:

      If that happened – if 143 million consumers put a credit freeze on their accounts at Equifax – the company’s revenues would collapse to near zero and it would be finished as a “going concern.”

      • Wolf Richter says:

        Come to think of it, that would be an interesting idea….

        • Winston says:

          Consider what would happen to our credit system if all of the data stolen was stolen by a nation-state hacking team and automated fraud was then foisted en masse upon the system using that data, perhaps holding that data in reserve for use in a time of crisis.

          Same for the millions of credit card numbers stolen and offered for sale on the dark web, most of which from what I’ve read don’t actually sell and, therefore, whose owners would never know were compromised. A nation-state team could probably easily compromise the dark web sites and steal all of that data, once again to be used in a mass, automated fraud attacks using those numbers in a time of crisis.

      • James says:

        Hmmm…I wonder how long before Equifax would start screaming/whining/begging/pouting/moping/sulking for a bailout.

    • KDMaz says:

      All states allow different fees. I just froze things in Kansas and was charged $5. I see some states are free.

  45. Dimitri says:

    I would suggest everyone get a free Initial fraud alert. A fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. For example, if you provide a telephone number, the business must call you to verify whether you are the person making the credit request. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions.
    More options and information is available here: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

  46. Maximus Minimus says:

    What are the chances that Equifax will be downgraded by a credit rating agency? /s

  47. RD Blakeslee says:

    Wolf, have your credit freezes affected your insurance rates?

    Insurance companies use credit scores as an element in their decision re the rate they charge individuals for insurance and I womder how they deal with denial of access to credit rating data?

    • Wolf Richter says:

      I have had the same auto insurance all these years, so that hasn’t changed. Health insurance is not dependent on credit history, it goes by different factors, such as age [GRRR!]. So I have not seen any difference.

      Remember existing relationships continue to have access to your credit history.

      However, once you decide to get new auto insurance, rent a different apartment, open an account at a different bank, buy anything you want to finance, such as a house or a car, etc… you need to unfreeze the credit freeze. For people whose lives change all the time, a credit freeze can be somewhat cumbersome — but still worth the trouble.

      • polecat says:

        ‘Existing relationships’ …. how far back does the list go ? .. is it finite, and what’s to say said credit agencies don’t set ‘certain priorities’ for ‘certain relationships’ of ‘certain individuals’ !?!

        • Wolf Richter says:

          Remember that these companies are the customers of Equifax (you’re the product). Those companies are paying for this data (you). They’re going to get treated right by Equifax. Both sides would want to keep this relationship smooth. I would think as long as this relationship is considered “active” – so if you still get monthly statements and the like – you will not encounter any problems.

          However, if you want to reactivate an old bank account at a bank you left 20 years ago, you might have to start over again (unfreeze the credit freeze, etc.)

        • polecat says:

          I guess what I’m saying is that, with all the blatant grifting that’s occured over the last 8-12 years, I’ve completely lost trust in Any authority: .gov .. big corp.se .. all of it !

          It’s Big studded Club and all that !!

      • RD Blakeslee says:

        Thanks Wolf. That’s helpful to know.

      • polecat says:

        Ok, I’ve just seen your responce Wolf … so what your saying is that the relationship between any retailer/business and customer/consumer is not affected negatively .. Correct ??

      • Winston says:

        From the Experian web page:

        Security freezes are designed to prevent a credit reporting company from releasing your credit report without your consent. However, you should be aware that using a security freeze to take control over who is allowed access to the personal and financial information in your file may delay, interfere with or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at point of sale.

  48. Gershon says:

    “When plunder becomes a way of life for a group of men in a society, over the course of time they create for themselves a legal system that authorizes it and a moral code that glorifies it.”

    ― Frédéric Bastiat

    • Junior_kai says:

      Yep, and the reason you know .gov won’t do a thing is because they are just as bad – anyone remember the OPM hack? Military, .gov employees and contractors were hung out to dry.

  49. Petunia says:

    Stealing this much data takes many hours on a good day. It is the equivalent of a burglar spending an entire day or more going through your house. What the hell do the IT people at Equifax do all day. They certainly aren’t paying attention to the programs running on their systems.

  50. ron says:

    finished all three for my wife and I, took awhile but will sleep better. Thanks

    • Wolf Richter says:

      You’re ahead of me. I’ve been badgering my wife for years about this, and she hasn’t acted yet [“mendokusai,” she says, meaning “too much hassle”]. But I think this episode has motivated her to do it this weekend :-]

  51. Winston says:

    Equifax data breach: Find out if you were one of 143 million hacked

    https://www.cnet.com/how-to/equifax-breach-find-out-if-you-were-one-of-143-million-hacked/

    Editor’s note, September 8: We recommend that anyone with a credit history assume they were affected by the hack, as Equifax’s hack-checker tool proved unreliable in our tests.

    Also, Equifax will suggest you enroll in Trusted ID, which includes a Terms of Service agreement that waives your rights to a class-action lawsuit against the company. (Scumbags…) CNET is investigating the issue and is not yet sure if these terms will hold up in court.

    Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. It includes a tool that lets you check to see if you were affected and a program, Trusted ID, that may help prevent identity theft. But, be aware: the checker that lets you know if you were hacked might be broken and — per the above note — enrolling in the program might prevent you from participating in a class-action lawsuit against the company.

  52. will says:

    For people looking for more/better (sorry Wolf) information on credit freezes Brian Krebs did a great write-up for the process a while back. For anyone thinking of doing this it generally provides everything one needs to know (like, for example, there are 4 reporting agencies not 3 (innovis), and there is also the Chex system that’s worth freezing)..

    http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

    As an aside, I had to fiddle with unfreezing my credit in August and did notice that for some reason Equifax did not charge me $5 to do this (which is the legislated max amount in my state). I thought that this was odd but was like: “oh, that’s weird, but ok – nice of them.” I really should have simply asked the next question: “ok, wtf is going on and why aren’t they charging me” then proceeded to buy a bunch of deep out of the money puts on the company.

    Ah… regrets. … but speaking of regrets – freezing my credit has never been one of them..

    • will says:

      Oh, as a side note, Krebs also has some excellent recent posts on the breach. One of the things that he notes is that the site Equifax set up to deal with the hack is a joke and doesn’t even work (like at all).

      You can just type anything into it and it’ll say “you’re now enrolled” …
      My theory is that they’re just generating a DB and will run it against their DB of breached users. So when the 143 million letters go out some of them will include a “we’ve noted that on date xyz you enrolled in our monitoring service, free of charge – so now you have this” … followed by another letter one year later saying “if you want to keep our awesome service it’ll now cost you money”..

      Although at some level it is interacting with some sort of hacked-account DB because it’ll randomly tell people that they /were/ part of the breach, although only sometimes. You’ll have to read Krebs for more info. I expect this to be the best site for information on this issue going forward..

      Hope this helps, cheers

  53. phil m says:

    We have all these busy bodies in Washington DC ( Congress) who love to stick their noses in all kinds of specious issue ( Confederate statues for example), yet sit by while the citizenry is raped and pillaged on privacy -personal data issues. I almost hesitate to say this but maybe we should look to the EU for inspiration. Their GDPR ( General Data Protection Regulation) which goes into effect next May has the potential to wreak havoc on Online publishers who accumulate personal data from their site visitors without explicit permission.

  54. Russell says:

    Do all three agencies need to be locked? I heard there were issues with locking Experian related to future lawsuits

  55. mtnwoman says:

    Look at your PIN number for the Equifax freeze. The first six digits are the date you froze the credit.

    So millions have identical or very similar first six digits to their PIN. In effect, Equifax’s PIN for the credit freeze uses only FOUR digits. That’s extremely crappy security.

    It baffles the mind that such incompetence rises to the top.

    • Wolf Richter says:

      That’s interesting. I just checked my own pins. You’re correct on all points, including “…that such incompetence rises to the top.” Turns out, according to my pin, I put the credit freeze on my accounts several years before 2010 (the year mentioned in the article), which was confirmed by additional checks of other records. How time flies :-]

      Experian and Transunion use different number systems, and I don’t see a pattern there.

  56. Wilbur58 says:

    I want to partake in any and all class action lawsuits on this one.

    The way I see it, my personal information was compromised and I now have no choice but to purchase a $200-$300 credit locking product for the rest of my life. Equifax must pay for this.

    Of all the companies to have a data breach, it’s unfathomable that it would be one of the three credit bureaus.

    • Wilbur58 says:

      Adding to my last comment, and with respect to Wolf, what’s even the point of a six month freeze? Our info has been compromised permanently. This means we all need a permanent freeze.

      I’m wondering what the best product is to keep one’s credit permanently frozen. Does that even exist? Or do you just get alerts? Does Lifelock do this?

      • Wolf Richter says:

        Wilbur, credit bureaus will freeze your account until you lift the freeze. This is as close to “permanent” as you can get.

  57. Jeff Lill says:

    In Washington State (at least), a consumer can request a freeze from all of the credit reporting agencies if a police/FBI report detailing the identify theft/breach is included.

    I’ve been Googling for the actual reports Equifax filed with the FBI, FTC, Atlanta Police (where their headquarters is located) but haven’t found anything yet.

    I’ve submitted a request to Equifax support, the FTC, and to the WA State Attorney General (to see if he’d file a report on behalf of all state residents). Not to hopeful this will work though.

    Does somebody else, perhaps with a law enforcement background, have any ideas?

    It sure would feel good to be able to see millions of people be able to freeze their credit for free!

  58. Magic says:

    Are there laws covering who can set up shop as a personal data collection bereau?

    Seems that anyone can create their own database and sell it once those 143 million records are made public.

  59. Miss Lacy says:

    First – thank you Wolf, and commentators, for this information.

    Next: my experience has been: Equifax: “we are unable to complete your request.” Transunion: 1. We are unable to connect to Safari. 2. We are unable to complete your request. Try by telephone. 3. On hold on telephone for 20 minutes. No humans available. The prompt system did not work.

    So apparently I’m fucked. Interestingly, Transunion later sent me an email (!!!!) saying that I could mail them a letter and in tow to four weeks they would respond to my request.

    My question is, why should we, the “product” which these private companies mine for dollars need to spend so many uncompensated hours struggling with their failures? I’m going to check into that class action suit.

  60. Richard J says:

    As of today, the Equifax site says that the arbitration agreement requirement has been removed, and that no credit card number is needed to sign up for the “free” monitoring system, so they have no ability to autobill for year 2 and onward.

  61. Richard J says:

    $5 will get you $10 that the breach was an insider job, created to enable massive profit-taking from the guaranteed drop in share price. It was a sure thing!

  62. Jean says:

    Help? Advice?
    Transunion terms state: ” BY USING OUR SITE, YOU ACKNOWLEDGE AND AGREE THAT NEITHER TRANSUNION, ITS DOMESTIC SUBSIDIARIES, NOR ITS AFFILIATES HAVE ANY LIABILITY TO YOU (WHETHER BASED IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE) FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH YOUR ACCESS TO OR USE OF OUR SITE, CONTENT, PRODUCTS OR SERVICES (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), INCLUDING LIABILITY ASSOCIATED WITH ANY VIRUSES WHICH MAY INFECT YOUR COMPUTER EQUIPMENT.”

  63. Wondering what's really up says:

    Maybe they should keep their customer service operation in the US instead of out sourcing to India. Don’t get me wrong….I do like Indians….very hardworking and nice people that I have come across. However, I wonder how the employees there are vetted…..my experience with them in trying to figure out why something was denying me credit even though nothing specific appeared in my report was very troubling to say the least.

  64. doug says:

    I tried the link this Monday am, did the entire process, only to receive a ‘500 system unavailable try again later’
    AT THE VERY END OF THE PROCESS.
    Feature? or Bug?

  65. Mike in SLO says:

    @Doug – Keep trying… I had to do it twice but it finally took and gave me a pin number. The site is probably being bombarded! The other two were much easier, but charged me $10. Equifax didn’t charge anything (they’d better not).

  66. Samurai says:

    Thanks Wolf! Done, for all 3 credit agencies.

Comments are closed.