Naked Security

Equifax: four simple steps to secure yourself

Take these four steps to get through the Equifax breach with your identity and finances intact

By now, everyone is aware of the Equifax data breach affecting up to 143m people in the USA, UK and Canada.

Sophos CISO Norm Laudermilch has put together four simple steps that you can take to make sure your family gets through this with identities and finances intact.

1. Check your credit report

Check your credit report immediately to make sure that you haven’t already been compromised.

In the USA everyone is entitled to one free credit report each year, from each of the major reporting agencies. Free report links can be found on each of their websites. You can go to the Annual Credit Report website to get reports from all three in one swoop instead of having to call them separately.

Unfortunately, the high volume of site visitors may cause delays. In that scenario, you can call 1-877-322-8228. Deaf and hard of hearing consumers can access the TTY service by calling 711 and referring the Relay Operator to 1-800-821-7232.

Instructions for checking your credit reports in the USA are available from usa.gov’s Credit Reports and Scores page.

If you are in the UK, follow the instructions on how to check your credit reports on the gov.uk site.

Canadian citizens can order free credit reports from Equifax and TransUnion.

2. Ask Equifax if you’ve been affected

Equifax has provided a website dedicated to providing information about the breach and a tool for people in the USA to check if they have been affected by it. Equifax has not provided a similar facility for people in the UK and Canada yet. We will update this guidance when they do but in the meantime, it’s probably best to assume that you have been affected.

3. Consider ID theft protection

Consider using an identity theft protection service if you have been affected. Identity theft protection services LifeLock and IdentityGuard are both offering discounts and free months if you’ve been affected by a breach. Equifax is also offering its own TrustedID Premier service free for a year. Rumours that consumers waive their right to take part in future legal action if they sign up for the services are not true:

To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action … we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.

4. Freeze your credit file

Freeze your credit with all four reporting agencies. A credit freeze stops the agencies from releasing your information to new creditors without authorization. While this doesn’t solve the problem of our leaked personal data, it does limit the potential impact of an identity theft incident. Fees for this service vary from state to state.

There are drawbacks: you will have to “thaw” the freeze for valid purchases like buying a new car or home. It is not a slick process – but the advantages outweigh the annoyances.

The cost to freeze your credit varies by what state you’re in. 

Here’s how you can freeze your credit file:

  • Equifax: Enter all of your personal information, enter the code verification shown on the screen, accept the terms of use, and hit “Submit” at the bottom of the screen. Pay the fee using a credit card on the next screen. Make sure to write down the “thaw” PIN that is generated because you’ll need that to undo this process later.
  • Experian: Enter all of your personal information, accept the terms of use, and hit “Submit” at the bottom of the screen, pay the fee on the next screen, and remember to write down your PIN.
  • TransUnion: Click on “Register” to the right and create an account, then follow the directions on the screen, pay your fee, write down your PIN.
  • Innovis: Click the button for “Request a Security Freeze”, fill out the personal information and click “Submit Request” at the bottom of the page.

18 Comments

Steps 3 and 4 both cost the consumer monthly or yearly fees. Equifax should be footing the bill. Secondly, step 4 calls for the consumer to freeze their credit file with Equifax by providing a credit card number and paying $10. This is the same way Equifax had consumer credit card numbers in the first place and look how that turned out, so we should give them more numbers? Also, why aren’t they offering to freeze credit files for no charge?!?

Reply

That is the problem I have been struggling with…

Do we really trust these guys enough to give them the data required for a freeze: *NO*

Do we have any other options: *NO*

Should the 4 big credit agencies lock all credit files by default and not allow complete unlocks and only 24-hour thaws? *YES*

Would they do this to protect us? *NO*

Why?: *THEY DO NOT CARE*

Seriously though, they don’t care about security. They don’t care about the users. They don’t care about their own employees. Suits only care about Suits. Get out of here peasants!

Reply

I was with you up to that last paragraph. The author of this article is a “suit”, as are many others who are utterly undeserving of your scattergun criticism. Bigotry and stereotyping aren’t always about race or religion. Intelligent people should be able to make judgments of others based on individual merit (or lack thereof). Try it yourself… or don’t complain when others make the same sort of rash assessments about you.

Reply

It’s disgraceful that consumers are expected to spend $40 to freeze their credit when we did nothing wrong and most of us would prefer that Equifax never had our personal information to begin with. Major fail by the American government and financial industry.

Reply

There are actually two problems with the inadequate Equifax response. I just finished a call with the “Trusted Premier” call center and both the agent and her supervisor “John” declined to help with either one, or even give me an email address or phone number to which I could communicate my concerns. They had no interest in fixing the problem and weren’t very friendly about it. They wouldn’t even agree to find out who I could contact and call me back. The supervisor said “I’m too busy.”

1) The Equifax freeze does not automatically freeze TransUnion, Experian, and Innovis. Equifax should have arranged this (paying for it if necessary) to protect consumers who don’t realize they need to do that.
2) The Equifax freeze and TrustedID Premier offering expire after a year. My name, address, date-of-birth, and SSAN will be the same after a year. There is nothing to stop the hackers from sitting on the data for a year-and-a-day and then committing ID theft.

Equifax is talking big, but their action is taking the cheapskate way out.

Reply

There are some US states where there are laws that state if you are over a certain age, these credit reporting companies must provide their Freeze services for free. Connecticut is one of those states.

Reply

See the link below, if you are from Connecticut and younger than 18 or older than 62. You won’t have to pay anything for the Freeze from any of the four credit reporting companies. Yes four; don’t forget Innovis. It’s used by some banks and credit unions.
https://www.cga.ct.gov/2015/rpt/pdf/2015-R-0176.pdf

Reply

I was amused by being asked for the last SIX digits of my SSAN to be submitted to a company that has been known to “secure” some of its own portals using the username “admin” and the password “admin.”

Reply

#2 seems to give random responses. I’ve tried a number of random name/number combos and either I’m really good at guessing or it’s not very good at deciding who is affected.

Reply

Because of a case of ID theft we had in 2011, we froze all our credit reports back then and have not regretted it one bit. Even getting a new travel credit card was painless. But the companies are in the business of providing important information to lenders and would dig their own grave if they all now would freeze everybody’s reports. You have to be smarter than them and that’s not easy.

Reply

Recently, I heard that all credit reporting agencies sell your information. Is this true? If it is true, what’s the point of freezing your credit? A couple of years ago, someone attempted to open a credit card in my name, had all my information, etc. I froze my accounts with the credit bureaus. About 6 months later, I went to my bank to obtain a credit card, then realized I had freezes on my credit. The financial person helping me said don’t worry, he clicked a few keys on his computer and had my credit score.

Reply

Although it makes for better PR and promotes fear propaganda to blame foreign governments, it is very possible that the data breach at Equifax is an internal action, aka – a server dump, whether accidental or intentional (such as if the company is facing bankruptcy), and not stolen information. Equifax’s indemnity insurance likely covers external attacks, as well as offers more legal protections. So, it would make (dishonest) sense for them to make that claim.
If the intrusion was from an external source (citizen anon), it is likely deleted information – rather than stolen information. Those are two very different things. This can be seen as a result of implementing egregiously long prison sentences for those executing DDoS attacks; anons revert to more permanent and less detectable hacks.
In addition, the US government has a vested interest in the recovery of our personal data. Staffing agencies, and other third parties, are beginning to request SF 86-style background checks from employees, clients, and patients for no practical or legitimate reasons.

I agree with @FreedomISaMYTH – this may well mean freedom.

Reply

If you had a credit freeze in place before the Equifax Breach, you must unfreeze or thaw your account in order to complete the final step(s) of registration for the free one year of TrustedID Premier credit monitoring service according to Customer Service. I doubt the credit monitoring service is worth the additional effort and I feel as if I am likely exposing myself unnecessarily.

Reply
