If you were one of the estimated 143 million Americans whose sensitive personal data was exposed in the recently revealed hack of the credit bureau Equifax, one of the first things you should do is put a freeze on your credit files.
In an analysis yesterday of the Equifax breach, IT security writer Brian Krebs recommended that people who believe their data is at risk should file a security freeze with the major credit bureaus. In the U.S., those reporting agencies include Experian, Equifax, Innovis, and TransUnion.
A freeze on an individual's credit files ensures that identity thieves will not be able to use that person's personal information to obtain loans or lines of credit. Anyone with a credit freeze can still seek loans or lines of credit by personally agreeing to unfreeze the information for those purposes.
On Thursday, Equifax revealed that a security breach that occurred between the middle of May and July could have exposed the names, Social Security numbers, birth dates, and other information of as many as 143 million U.S. consumers. An unspecified number of people in Canada and the U.K. might also have been affected, the company said.
File for Credit Freeze
People can usually file a credit freeze online, although some reporting agencies might require a request by phone or in writing, Krebs said. Filing can also sometimes require paying a fee, although that payment can be waived in most states with proof of a legitimate identity theft threat, he added.
"With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file)," Krebs wrote on his security blog. "And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it."
In addition to seeking a credit freeze, potential victims of the Equifax hack should regularly request a copy of their credit reports and sign up for free credit monitoring with a verified provider, Krebs said. To avoid difficulties that could be caused by a freeze, he recommended that people first obtain credit reports and sign up for monitoring before requesting to freeze their files.
Krebs said it's also a good idea to ask for fraud alerts from ChexSystems, which monitors applications for new checking and savings accounts, and to opt out of pre-approved credit offers through optoutprescreen.com.
Officials Question Company's Response
Equifax is under serious fire not only for the breach, but for its responses since then. Security experts and officials alike slammed the company for a poorly designed response Web site, and for initially requiring potential victims to give up their rights to sue before they could obtain free credit monitoring. The company has since dropped its credit-freeze fees and requirement for binding arbitration in consumer disputes.
Members of the U.S. Senate Finance Committee yesterday sent a letter to Equifax chairman and CEO Richard F. "Rick" Smith asking for a detailed timeline of the breach and more information about what the company is doing to "identify and limit potential consumer harm."
Committee members also want to know more about the timing of sales of Equifax shares by three company executives before the breach became public. Chief financial officer John Gamble, president of U.S. information solutions Joseph Loughran, and president of workforce solutions Rodolfo Ploder reportedly sold a combined $1.75 million in Equifax stocks on Aug. 1 and 2. Equifax scheduled meetings with investors yesterday and today to discuss the company's outlook for 2017.
Yesterday, the company also posted a progress update for consumers on its security site to summarize its latest actions in response to the breach. Among the steps Equinox said it has taken are changes to ensure random PIN generation for users requesting security freezes, ramped-up call center support to reduce call wait time, improved security links from its Web site, and reversal of a policy that would have automatically charged customers seeking free credit monitoring for renewal of its TrustedID Premier service after one year.
As of today, at least 23 class-action lawsuits have already been filed against Equifax in federal courts across the U.S. DoNotPay, a legal chatbot that launched this summer, is also inviting consumers to automatically sue Equifax in small claims court.