I can tell from the email I’m getting — and, honestly, from friends calling me and even stopping me at church— that you still have many questions about the Equifax hack last week. So do I. Equifax is still not providing enough answers, so I can’t be as helpful as I’d like. Meanwhile, the company’s initial bungled response created even more confusion, and it’s still not all sorted out. Still, here’s a quick rehash of where we are and what you should be doing.
What happened, again?
One of the nation’s three large credit bureaus, Equifax, said hackers stole information on up to 143 million Americans – and it was the motherlode. Social security numbers, names, addresses, and in some cases, even driver’s licenses.
Equifax says go to a website to check if my information was stolen. Should I?
Probably. But there are lots of problems with the website and as of now, it doesn’t really do very much for you, so it’s not necessary. In fact, I’d wait. You can just assume your data was stolen — three-quarters of adults with credit reports are probably victims — and await further instructions.
I heard the website is a trick, and if I use it, I waive my right to sue Equifax. Is that true?
That’s probably not true, but there’s a lot of truth in it. On that site, Equifax is offering victims the chance to sign up for a free ID theft service it owns. The terms and conditions of that service include a now-infamous “Ripoff Clause” that forces users to surrender their rights to join a class action lawsuit against the company if a dispute arises. This is a typical mandatory arbitration clause that appears in many standard-form contracts, a bad habit by corporate America that consumer advocates are trying to eliminate. In response to an outcry, Equifax issued a statement saying the ripoff clause doesn’t apply to hacking victims, and ultimately changed the terms to state that explicitly. Still, arbitration clauses have been interpreted very broadly by federal courts (even the Supreme Court) so I wouldn’t want to give a judge a chance to rule on that.
Still, I should go to the website to see I was hacked, right?
No, I don’t think so. It appears that website does nothing at all. Users initially reported vague answers like “you may have been hacked” and a message to revisit the site later. Then, clever programmers started feeding the site with dummy data like 123-456 and found erratic answers. I think it’s quite possible the site is just a placeholder to give consumers busy work, and it checks nothing.
I heard the site doesn’t work. Is that true?
See above. I don’t know, but it doesn’t look good. I’ve had at least one person tell me she entered the correct information on separate occasions and got different answers. So maybe it’s generating a random response. Until we get more answers from Equifax, I can’t recommend using it.
But then I’d give up the free service Equifax is offering. Shouldn’t I sign up?
It’s probably not a terrible idea to ultimately accept the Trusted ID Premier offering from Equifax, but there’s no rush. Meanwhile, the service isn’t going to do that much for you. It includes credit monitoring (of dubious worth) and a credit report (already free), monitoring for social security numbers posted online (how much of the Dark Web is really scanned?), insurance (you might already have it) and a credit report “lock” (a freeze should be free in most states now that you are a victim).
Who did this?
We don’t know, and that’s critical, because knowing who stole the data will help you make intelligent choices about what to do next. Was it a gang connected to a vast ID fraud ring? Run and put credit freezes on your reports. Was it a nation-state? Government employees should be on high alert (though they are probably already victims). Was it a kid on a joy ride? Well, we can all hope for the best then, and maybe a fraud alert is enough. We don’t know. Equifax needs to tell us.
Well then, what should I do?
First, don’t freak out. Your personal data has probably already been compromised before. Theft of a social security number from a credit bureau certainly sounds worse than other hacks — say, theft of your credit card from Target. But just keep doing the sensible things you are already doing. Check accounts often. Look for suspicious mail. Be alert when interacting with government agencies or loan officers for any signs you might be “sharing” a social security number with someone else. And, consider getting a credit freeze.
Should I get a credit freeze?
Perhaps. There are a lot of good things about freezes, especially if you are in a place in life where you won’t need to apply for credit during the next couple of years. They aren’t perfect, however. They can be a bit of a hassle. Depending on your state, they can cost money. They won’t stop all ID theft (they don’t prevent someone from getting a driver’s license in your name, for example).
My main beef with freezes is that consumers often have to pay to freeze their files — three times, once at each bureau — and then pay to “thaw” their credit reports when necessary. That’s not fair. You didn’t ask for a credit report in the first place. You certainly didn’t ask to be hacked. Also, when thawing time comes — say you are shopping for a new car loan — un-freezing the reports can be a hassle. Consumers set their freezes and forget them, then years later, don’t remember how to perform the thaw. It’s easy to lose the associated PIN code, for example. And it can be hell to pay to perform the thaw under those circumstances. So, it’s not really consumer friendly. Still, if you were already the type to consider a freeze, now is probably a good time to push you over the edge. Just keep all instructions in a safe place.
How do I place a credit freeze on my files?
The rules are different for different states. Sorry, it’s a terrible system. First, review the rules for your state here.
Then, go directly to each credit bureau’s freeze website. If you Google “security freeze” yourself, you’re going to be upsold on a lot of different services that sound like freezes, but aren’t. So be careful. Here are the sites:
Sadly, freezes aren’t free. The fee schedule is actually pretty complex and varies by state. Trans Union has a very handy state-by-state fee grid (including different fees for different categories of consumers).
Speaking of being upsold, is this whole thing just a marketing scheme by Equifax?
I highly doubt that. Just look at the firm’s stock price. However, it wouldn’t be unlike the firm to attempt to make chicken salad out of chicken waste at a time like this. Early reports indicated consumers who signed up for that “free” ID theft product were required to enter a credit card, and told after 12 months of service were complete, they’d they’ll be auto-enrolled and forced to pay. That sounds like some of the old Free Credit Report service tricks. Fortunately, Equifax “clarified” this on Monday and the firm now says credit cards are not required and victims won’t be auto-enrolled. It’s kind of amazing the firm had to issue such a clarification, no?
It now says this: “We are not requesting consumers’ credit card information when they sign up for the free credit file monitoring and identity theft protection we are offering to all U.S. consumers. Consumers who sign up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of TrustedID Premier.”
About that website, EquifaxSecurity2017.com. Is it real? It looks like a scammer’s domain.
It’s real, but it was poorly configured at the beginning and that rightly led some of you consumers to be suspicious. Good for you, you’ve been trained well. I’m still not crazy about the requirement to enter 6 out of 9 social security digits onto the site. That’s awfully close to your whole number. I hate that we are training consumers to take steps like that. It’ll be so much easier for the next phisher to ask for such data. So, do it just this once, but never again.
Do we know any more about how this happened?
Not really. One stock analyst blamed a flaw in open-source software called Apache Struts. The analyst didn’t offer evidence but claimed to have a source inside the firm. Struts, like all software, suffers from occasional serious vulnerabilities. Technically, this one is interesting because it was “discovered” — by good guys, anyway — just a few days ago. So it’s possible hackers used a previously unknown software flaw to steal all this data. That would somewhat mitigate Equifax’s blame. On the other hand, it could have been another flaw announced earlier this year, which would look worse for Equifax. Only folks who have seen the server logs really know, however, and I’m not particularly keen on guessing from the outside like this.
