Equifax credit data hack – what you can or should do
(finally!) finished addressing this issue for myself
and my parents, and
I was about to send an e-mail to friends and family, with info I’ve
and recommendations, etc., and I thought, Hell, probably easier for
I just put it up here, and let anyone see it who wants to.
Where I’m coming from I don’t work for these people, and I’m not trying to sell you anything; if you buy my book, that’s great, and if not, that’s fine, too, one thing has nothing to do with the other. Basically my take here is, We’re all in the same boat, we each pull on our oar, we’ll get where we’re going. You can e-mail me here with corrections or additions for this page, but please don’t write with questions; this isn’t my job, and I don’t know any more than what’s here. If you want to share this page on Twitter, see bottom left corner of page, if you want to share on Facebook or other social media, just copy and paste the URL above – I'm not a programmer, and I find those icons hard to work with.
bureaus in the
Information collected by the credit bureaus includes:
· name, birthday, Social Security Number (SSN)
· current and previous addresses
· current and previous employers
· debts and obligations – loans, mortgages, credit cards, lease contracts, etc.
· driver's license numbers (less often?)
Who buys this information from the credit bureaus includes:
· banks, credit card companies
· other lenders - mortgage companies, car lease firms, etc.
· prospective employers
· prospective landlords
· government agencies?
happened One of the credit
bureaus, Equifax, was hacked in July of this year. This was
the 3rd or
4th hack that Equifax has experienced in the past 4 years, but this one
much larger – data was stolen on an estimated 143 million individuals,
near half the population of the
What this means to you The thieves may use the stolen data to apply for credit cards, loans, etc. in your name, and because they have all the required information about you, they may succeed. You would then be on the hook, and liable for the money they borrowed or charged on ‘your’ new credit cards. My understanding is that this can usually be corrected, but only through a long, difficult process – you have to file a police report, and chase it down through legal channels, etc., and, during that process, your own ability to borrow might be restrained.
I’ve also read that the bad guys may be able to access medical records with the stolen data – I don’t quite follow that, myself, but it’s certainly not a pleasant thought.
One big aspect of this problem: it’s not going to go away. You’re not going to change your SSN, or your date of birth, etc. So, ten years from now, the bad guys will still have critical data on you, and the same problem will still be there? Unless the credit bureaus find a whole different set of data by which to identify people? Hard to imagine.
What you can or should do
There seem to be 3 basic steps you’ll want to consider:
1. Put a credit freeze on yourself at each of the 3 big credit bureaus
2. Put a fraud alert on your credit file, at the 3 big credit bureaus (not necessary if you do the above step)
3. Get a copy of your credit report from each of the credit bureaus
This seems to be the recommended choice of action. A credit freeze means that the credit bureau is not supposed to release your credit file to anyone, which should make it virtually impossible for anyone to get a new loan or credit card in your name – no firm will approve an application if they haven't first seen your credit file. I’ve seen different definitions of how exactly a credit freeze works – most sources say the credit bureaus will show your report only to firms or banks that already have you as a customer, and other sources say the bureaus won't show it to anyone at all.
A credit freeze goes on when you start it, and stays there until you temporarily ‘lift’ it, or take it off altogether.
You have to put on a freeze separately for each of the 3 large credit bureaus. It may cost you a couple of bucks to put it on, at each bureau; it depends on what state you live in, and may run from zero to maybe $10. It will probably cost you the same again, each time you lift and reinstate it and when you take it off.
While the freeze is on, you will not be able to get a new loan or credit card yourself, because the banks won't extend credit to you, either, if they can't see your credit file. (That's why you might want to 'lift' it and put it back on again, after you get a new loan or whatever business you may have.)
Credit Fraud Alert
If you don't put on a credit freeze, you should definitely do this at least. If you DO put on a credit freeze, you don’t need to do this.
A credit fraud alert puts a sort of 'red flag’ on your credit report, telling any prospective lender that your credit data may be compromised and they should contact you personally before issuing any credit, to make sure the new application is legit. Hopefully the bank would follow this notion, especially given what's happened and all the publicity, etc. (N.B. I had the mistaken impression that this meant the credit bureau would alert ME, any time someone requested credit in my name – that’s not what this is.)
If you put on a credit alert to any one of the 3 major credit bureaus, it automatically goes to all of them, you don’t need to contact all three..
Your Credit Report
Regardless of which of the above steps you take, seems a good idea to get your credit report from each of the 3 bureaus. It won’t change anything, but if something does go wrong, at least you'll have some evidence or documentation, that this is where you were before the bad stuff started.
You can get your credit reports for free, once a year, from each of the credit bureaus; if you want it more frequently than that, they may charge you, but I think at least 2 of the 3 now say you can have it monthly without any charge.
How and where to do this stuff
I’m reminded of an old joke, about an Irishman’s version of foreplay: ‘Brace yourself, Brigid.’ (I’m half-Mick, I’m allowed to say that.) But no, this ain’t pretty, so cinch up the hip waders and bump up the patience a bit, you’re gonna have to wade through some heavy undergrowth at the least.
I’d love to tell you you could take care of one person in an hour or so, at all 3 credit bureaus, but that’s probably optimistic. Work in the middle of the day if you can, when most folks are at work, you’ll hopefully run into less web or phone traffic.
Theoretically, the above things should be easy to do, but the credit bureaus are currently swamped with traffic, because everyone is trying to do the same thing at the same time. And, unfortunately, the credit bureaus are not set up for this – they're used to concentrating on the banks, not millions of individuals hitting their website. So, help lines don't get answered, websites are slow or unresponsive, etc. The phone lines are not much help - probably no fault of the staff on the other end, I'm guessing Equifax probably hired an army of temps and trained them very little, but, basically, they won't be able to tell you much, probably just point you to websites.
For whomever you're trying to do these things, you'll need some basic info: name, birthday, SSN, address, e-mail address, and probably some other random pieces of data – employer and/or former employer, what town / county they used to live in, what state their SSN was issued in, etc. Note: If you're doing this for more than one person, you need to use a different e-mail address for each of those people. Crazy, I know, with all that data, the credit bureaus still identify your application by your e-mail address, NOT your SSN or something like that; that makes zero sense to me, but I found out the hard way. I did this for myself and my parents, and it took me forever to figure out why they kept telling me I'd already registered that person, and then, when I used a different e-mail address for that next person, Yup, fine, we're off to the races. So, you may have to do the G-mail thing.
Also, if you end up trying to accomplish things by phone, for more than one person, you may need to call in each different person from a different phone number. I phoned in a credit freeze for my Dad with Experian credit bureau, from my landline, then tried to call in a freeze for my Mom and got rejected, by the same credit bureau at the same phone number. I thought about it a minute, called back from my cell phone and it went fine.
Credit freeze Go to each credit bureau’s website individually, and request the credit freeze there. You will have a
different experience at each website, as described below.
Equifax is offering free 'credit monitoring' for a year, presumably because they're the cause of all this. It’s called TrustedID Premier Credit Monitoring, and that includes what they call a ‘credit lock’ – as far as I can tell, that seems to be about the same as a credit freeze and should do the job. (And don't worry, they don't ask for a credit card number, so they can't do a sneaky auto-renew on you in a year and charge you $.)
Equifax was the bureau that got hacked, and the first thing they'll do is ask you for some info and then tell you that you 'may' or 'may not' be impacted by the hack. I don't know that I'd rely on that answer; I'm not sure that they actually know.
After they tell you that you ‘may’ or ‘may not’ be impacted by the hack, they'll point you to another web page, and it may be immediately available to you, or it may be another day or two before you can go there. And you'll enter more info on this second web page, and then they'll tell you that they’re sending you a customized e-mail, with a link for you to complete enrollment in the Trusted ID Premier program. That e-mail will probably arrive within hours, but it could take longer.
When you get the e-mail and go to the website to complete your enrollment, you may well hit a wall and be unable to finish. At the website, you’ll enter your birthday (I think), and a password that you make for yourself; the website may then tell you that they're unable to complete your on-line enrollment, or some wording like that.
You’ll be confronted with several different phone numbers, once you start poking around – the one that worked for me was 877-394-7074. (I don't THINK that's the one the website told me to call.) Call and tell them you‘re trying to complete on-line enrollment or activation; they'll know what you’re talking about. You’ll need your SSN, date of birth, and they may ask you to name 2 major credit cards you have, and the balance, so you'll want that with you when you call. They'll ‘activate’ you, and your password will be the one that you originally set up on the website.
Then, after a day or two, your activation will be complete, and you must go back, log in and ‘Lock’ your credit file. There, now wasn’t that a walk in the park?
Tip: if at first you don't succeed, you might try again with a different e-mail address. I applied twice in a week with my Yahoo address, and I never got the e-mail, so I couldn't enroll; Yahoo seemed to be acting a bit iffy, so I went and applied again with a G-mail addy, and I got the magic e-mail that evening. I honestly don’t know if the problem was Yahoo or Equifax.
The rest is NOT this difficult!
So, anyway, good luck: For Equifax, go here.
TransUnion is also offering a free program, called TrueIdentity, which looked sufficient to me, and possibly preferable to a credit freeze. Go to their website and follow the instructions.
If their website is overwhelmed and not getting it done, you may want to just put on a regular credit freeze with them (see above for details). You can do this on the website, or you can do it on the phone.
If you put on a credit freeze on-line, I believe the website will give you a PIN – you want to hang on to that PIN, just like a password; you will need it to later lift or end the credit freeze. If you put on a credit freeze by phone, you'll make up your own 6-digit PIN, you want to hang on to that just the same.
If you call on the phone, an automated voice will ask for some basic info to identify you, and then it will ask you to enter a 6-digit PIN that you’ve made up, so have that ready when you call. As above, you want to hang on to that PIN. You can call TransUnion at 888-909-8872.
On-line: TransUnion, go here
To put on a credit freeze with Experian, go to their website or you can call them on the phone. If you do it on-line, when you complete it, they'll display a screen with your 10-digit PIN – write it down, take a screen print, whatever, but keep it. If you call them, they say they'll send you the 10-digit PIN by US Mail.
You can call them at 888-397-3742
Credit Fraud Alert
To put on a Credit Fraud Alert, go to any of the above credit bureaus. You only have to put on the Fraud Alert with one of the 3 bureaus, and it will be automatically added to the other 2 bureaus. Use the above links or these phone numbers:
Equifax – 888-766-0008
TransUnion – 800-680-7289
Experian – 888-397-3742
You can get your credit reports from each of the 3 bureaus, but do yourself a favor and go to the below link – you can get all 3 reports there, and you can download ’em in soft copy PDF, which is kind of handy. (N.B. I wouldn't keep those PDFs on my hard drive – if your home machine got hacked and a bad guy got your credit reports, that’d be a bummer.) I wouldn’t worry too much about checking the various balances various credit reports – those balances will be dated, and one report may show ’em from 2 months ago and another from 1 month ago, so they wouldn’t even agree. But it’s probably worth checking whether you know all the credit cards shown on the reports.
I use different IDs and passwords for all the websites I use, etc. And, of course I only remember the ones I use frequently, so I keep them all listed in a Word doc. But, I DON’T keep that Word doc on my hard drive; I keep it on a flash drive that’s only connected to my PC when I’m using it. So, you can hack the hell out of my PC and you ain’t getting my passwords; not unless you break into my home, happen to grab that flash drive and happen to look at that particular file. (And, call me paranoid, but I did not name that file ‘passwords.doc.’) Just a thought.
Another helpful notion – most major credit cards can be set up, on their website, to text or e-mail you if a charge is made over a certain dollar amount, or without the card present, i.e., on-line.
In signing up for the Equifax credit monitoring program, there's apparently some legal language that says you can't sue Equifax. There was public outcry over this, and I think Equifax may have removed that language; in any case, they clarified that the language applied only to the free credit monitoring program – if that doesn't work, you can’t sue them, but that apparently has nothing to do with suing them over damages from the hack itself.
Sources and links