On Thursday, September 7, 2017, one of the three major credit bureaus in the US, Equifax, announced a data breach that could affect 143 million people (which is nearly half of the country’s population). As the details are continuing to unfold on the Equifax data breach, we want to provide our Glass Jacobson Financial Group community with a summary of the news and recommend steps for protecting your personal information. We will discuss what happened, how this compares to other breaches, how to check if your information was compromised, and what you can do now.
What Happened
Equifax discovered the data breach on July 29. They found that personal information, including names, birth dates, social security numbers, addresses, credit card numbers, and possibly driver’s licenses, was part of the leaked data. The initial investigation revealed that attackers exploited an application vulnerability that allowed them to access files with personally identifiable information.
The credit reporting firm is now notifying all impacted customers by mail (not email!) and continuing to work with both private and public investigators. While the majority of impacted consumers are in the US, Equifax said that a portion of UK and Canadian consumers are also affected.
In addition, Equifax created a website – www.equifaxsecurity2017.com – to give more information on the breach.
How This Compares to Other Breaches
Unlike the Yahoo, LinkedIn, and other breaches we’ve seen so frequently over recent months and years, the current belief on the Equifax data breach is that passwords did not play a role in the initial breach. It appears this breach occurred as a result of a vulnerability in the Equifax website and is likely due to a security patch that Equifax failed to apply.
How To Check If You Were Affected
To see if you were affected, follow the steps below:
1. Click here to visit the Equifax security site
2. Click “Check Potential Impact”
3. Enter your last name
4. Enter the last 6 digits of your SSN
5. Click “I’m not a robot”
6. Click Continue
The prompt will let you know whether your information has been compromised or not.
You will see an “Enroll” button which will enroll you in a free 12-month credit monitoring service provided by Equifax called "Equifax Trusted ID Premier." You are not required to do this, but it might be helpful if your information was compromised. Please be aware that there appears to be an arbitration clause when signing up for Equifax's free monitoring service. This clause does not apply when you check to see if you were affected by the breach; however, it may force you to waive your right to join a class-action lawsuit. Equifax has said that the clause does not apply to the data breach and consumers can opt out of being bound by the arbitration provision by submitting a request to Equifax by mail within 30 days of enrolling in their free service.
Some lawyers are concerned by the vagueness of the clause and are not sure why Equifax doesn’t simply take it out of their agreement. If you wish to file a class-action lawsuit, be on the safe side and don't sign up for their free monitoring service. For more information check out this article.
What You Can Do Now
Below are a few things you should do. If you were affected, you'll need to secure any information that has potentially leaked and protect yourself from future incidents.
1. Sign up for credit monitoring: You might want to sign up for free credit monitoring through your bank, or a monitoring firm like Credit Karma. Credit monitoring means that future account fraud and identity theft attempts will be noted and immediately brought to your attention.
2. Freeze your credit files: Make sure you’ve signed up for credit monitoring before you freeze your credit. Once you freeze it, you will not be able to sign up for the monitoring to be notified of any unauthorized changes that could occur if your information has been stolen.
The benefit to freezing your credit in this scenario is that it prevents anyone – authorized or unauthorized – from applying for credit in your name. In the wake of the Equifax data breach, where many of us are unsure who has our personal information, these steps will block any and all activity.
To do this, you have to contact each of the credit monitoring firms directly and request a freeze:
- Equifax — 1-800-349-9960
- Experian — 1‑888‑397‑3742
- TransUnion — 1-888-909-8872
It can take some time (and sometimes a small fee), but in this scenario, this is a step we highly recommend for those affected by the leak. When you freeze your credit, each firm will give you a PIN to use when you want to unfreeze your credit. Store each PIN in a note in a secure password manager (see below) for simple, secure access when you want to unfreeze it. Learn more about credit freezes here.
3. Use strong passwords: Your passwords are the gatekeepers to everything you do online, whether it’s your bank account, 401(k) account, or your step-tracking app. Unauthorized access to any of these could be detrimental, and using long, strong, unique passwords for every single account will greatly lessen the likelihood of a hacker accessing your account. Storing passwords in a password manager like LastPass is a very good step toward securing your personal information and identity. Although passwords weren't stolen in this attack, they are still incredibly important to consider in securing your information.
4. Monitor your bank and credit cards: In a world where everything happens instantaneously online, it's easy to overlook the activity in our financial accounts. We often assume nothing has gone wrong. Although your bank and credit cards should be notifying you of suspicious activity, small transactions may fly under the radar. It’s important to take note of what’s going on with your accounts, especially after a breach like this one.
5. File your taxes early: One of the most common ways that scammers can use your information is to file a fake tax return to receive a refund. File your taxes as soon as you receive all the necessary documentation so that scammers don't have the opportunity to file a fake return!
6. Beware of scam emails: As we mentioned above, Equifax will be contacting all impacted individuals by mail. Equifax will NOT contact you by email! Fraudsters are using this breach as an opportunity to try and steal even more personal information through scam emails impersonating Equifax or other services. Unless you are expecting the email, never click on any links or attachments in emails related to this breach.
As always, cyber security is our top priority at Glass Jacobson Financial Group and we know it’s very important to you, too. We want you, as our clients and community, to be informed and know how to protect your personal information. Please comment below and share this post with anyone you think might be affected by the Equifax data breach.
Comments 2
I’ve heard that if you go to the Equifax site and check if you are affected, you agree to mandatory arbitration and waive the right to be a party to a class action lawsuit. Is this right?
Author
Hi Morgan. Great question! From our analysis, it looks as if the arbitration clause relates to signing up for their free monitoring service, and not checking if you were affected by the breach. The steps to check are in the post above. Equifax has also said that the clause does not apply to the data breach and consumers can opt out of being bound by the arbitration provision by submitting a request to Equifax by mail within 30 days of enrolling in their free service. Some lawyers are concerned by the vagueness of the clause and are not sure why Equifax doesn’t simply take it out of their agreement. For more information check out this article. Thanks for reaching out and let us know if you have any other questions!