Equifax Data Breach
The Equifax data breach has jeopardized the majority of Americans’ birth dates, SSNs, addresses, and some driver’s license numbers. Unfortunately, the Equifax data breach wasn’t the first of its kind. It’s likely that your information is already out there, and I don’t believe a credit freeze will be effective in protecting you from fraudsters. I’ve outlined the true risks we should be worried about, as well as recommended actions to take.
The Equifax data breach was enabled by a web-application vulnerability, which had a patch available in March 2017 (see this Wired.com article). The Equifax data breach occurred a full two months later, which wasn’t revealed to the public until September 2017. The Wall Street Journal (paywall) reported, “People who purchased credit-monitoring services from Equifax seeking added protection from fraud were among those who had their credit-card information stolen as part of the company’s massive data breach, according to people familiar with the matter.”
The obvious risks
The combination of your data that’s been jeopardized means that someone can attempt to open a credit line in your name. To open a new credit card, for example, a person’s name, address, birth date, and SSN are the only pieces of data needed, all of which were exposed via the Equifax breach.
In case you thought changing your SSN would solve the problem, you can’t change your SSN except in limited circumstances.
The biggest threat: account takeovers
Protective measures like credit freezes, fraud alerts, and monitoring your credit report will alert you to new credit accounts. However, Gartner analyst Avivah Litan wrote in the Gartner blog, “[L]ess than 5% of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime. And while everyone is advocating getting a credit freeze on your credit bureau file, my view is that will only protect you from less than 5% [emphasis added] of the types of financial crimes that can happen to you.”
A credit freeze will not prevent a criminal from gaining access to your existing accounts. Litan continues, “Armed with stolen, up-to-date PII [Personally Identifiable Information] data, criminals can more easily impersonate their target victim in order to get into their account.” She states that you should be most worried about “financial account takeover, phone takeover (used to get access to financial accounts), tax refund fraud, Social Security and other government benefit fraud, ransomware on your computer, and social engineering by fraudsters or nation-states who want to get to you or someone you are connected to.”
How to protect yourself (hint: the answer isn’t a credit freeze)
Linza wryly describes how a credit freeze on her file would be worth 30 extra seconds of sleep a night. Instead, she recommends monitoring your financial accounts closely so that you can report a crime quickly improve your chances of getting a refund. She’s also highly suspect of emails and phone calls from unrecognized senders or callers.
- Hang up on suspicious callers, and call the organization yourself. Let’s say you receive a phone call, and the caller claims to be from the IRS. Don’t provide any of your personally identifiable information like your SSN or address. Instead, ask for the caller’s name and a general description of the issue, and then call the IRS’ hotline directly to verify there really is an issue.
- Review all of your financial transactions on a regular basis (at least weekly) to identify suspicious activity. Set up an account on Mint.com or YNAB (You Need a Budget) to view all of your accounts in one place.
- Use a credit card instead of a debit card. Credit card fraud is far simpler to repair than debit card fraud. In the former, you haven’t lost any money; you simply report the fraud and get a credit on your statement. In the latter, your checking account is immediately hit, which could lead to a cascade of financial headaches, such as bounced checks, and large credit card debt if you don’t have an emergency savings account.
Final notes: avoid Equifax’s special site
To add insult to injury, the special Equifax site for setting up credit monitoring, equifaxsecurity2017.com, is also vulnerable to hackers. Instead, Equifax will physically mail notifications to everyone who was exposed in the breach, so you don’t have to use their flawed site to see if you were impacted.
Although there are potential headaches associated with freezing/unfreezing/refreezing your credit file, go ahead and set up credit freezes if you gives you peace of mind. I would rather subscribe to a credit and identity monitoring service like MyIDCare, which was provided for free to victims of the OPM breach. If you have children, I’d enroll the entire family in credit and identity monitoring; children’s identities can be stolen as well, and a service like MyIDCare’s Family Plan will allow you to enroll the entire family unit for one monthly fee.