If this is new news to you, sorry to be the bearer of bad news.
You can find details as well as recommended solutions from the FTC.
In this post I’m going to detail what we did in response to this nightmare.
Equifax Is Evil
Before we get to that, let me spend a few minutes ranting about how bad Equifax is.
Let’s begin with some dates:
- The hack happened (according to Equifax) “from mid-May through July 2017.”
- As they also admit, they discovered they were hacked on July 29.
- The public was informed of this on September 7.
With these pieces of information I’d like to state the following:
- They are incompetent. I think that goes without saying. They were hacked and it lasted 2.5 months before they found out about it. So they were bozos because 1) the hack occurred in the first place and 2) it went on for so long without them knowing. Unbelievable.
- Once they found out about the hack, it took SIX WEEKS before they told the public. This seems criminal to me. Yes, the data had already been exposed for a long time, but did waiting six weeks help or hurt? Answer: It helped Equifax (prepare for the looming business disaster) and hurt consumers (who unknowingly had their data floating around out there for an extra six weeks). Again, unbelievable.
Clearly this company cares about one thing: itself.
Yes, hacks happen, so I can give them a partial pass on that (even though it’s their primary business to PROTECT DATA). There’s nothing that’s ultimately unhackable.
But to sit on it for six weeks shows how self-serving the company is. I am done with them and hope they crash and burn in a financial disaster.
Here’s the reason they gave for why it took so long for them to tell us:
As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.
Uh huh. That’s a well-crafted PR piece if I’ve ever seen one (and I was in marketing for almost three decades, so I know what one looks like). It’s called “spin.”
What Really Happened
I had a long career in business and I’m pretty sure I know exactly what happened.
I am almost certain it went something like this:
Person 1: “We just found out we were hacked and 143 million people had all their private information exposed.”
Person 2: “Holy ^$@#*&! If this gets out we’re dead in the water!!!!!”
Person 1: “Exactly. We need to make sure we have a well-thought-out PR plan in place if we have any hope of survival!”
Then they spent the next six weeks crafting their message while we were oblivious to our data issues.
Have I mentioned how unbelievable this all is?
What I Did
So I think you know how I feel about them. 🙂
Now let’s get to what I did about it.
Here are the steps I took:
1. I went to the Equifax website to see if we were impacted.
I put in information for both me and my wife and got a message that said we “may” be impacted. Not that we were. Not that we weren’t. But we MAY be impacted. Wow, that was really helpful. Did I mention bozos above? BTW, I took it to mean that we were impacted and I needed to take action.
2. I went to AnnualCreditReport.com.
I got credit reports from all three credit reporting agencies for me and for TransUnion and Experian for my wife (Equifax was overwhelmed and hers wouldn’t go through. We tried a couple days later and it wouldn’t give it to us based on the answers we provided — WTH????).
I printed out the reports and saved them electronically as well.
As of today, we still haven’t been able to get the report from Equifax.
3. I spent an hour or so going through every credit report in detail. (At least this helped me get one item off my New Year’s Resolution list).
It was interesting to see them all together — they are quite different. The Equifax one was the worst as it didn’t have credit card account numbers on it (not sure if they used to have them and removed them after the breach or what.) Anyway, trying to identify whether a card was legit or not was a hassle without all the info. It would simply say something like “Chase card” and then give details on when I opened it, the balance, etc. Uh, do they know how many Chase cards I have? Why not put something like “Chase card ending in 1234” so I could easily identify it?
That said, at least Equifax tried to make the report look nice. They are apparently the only ones who let someone who knew something about design work on it a bit (not a lot, but it was MUCH more readable than the other two). Experian’s and TransUnion’s reports looked like something an accountant would spit out. However, their information was more detailed and I guess that’s the main point.
Everything looked ok on all the reports, thank goodness.
4. I put a credit freeze on our accounts at TransUnion and Experian.
I did mine online and my wife did one online and one on the phone (for some reason we couldn’t do it for her online with one of them). Neither of us could get through to Equifax because the “system was unavailable” and I’m assuming they were slammed. We kept trying and still haven’t been able to freeze our credit with Equifax. Ugh.
I’m not too worried about Equifax as the hold-out freeze company since 1) no company looking to approve a card or account is likely using Equifax at this moment anyway and 2) the other two were locked down tighter than a drum.
But I will freeze Equifax ASAP. I may have to write them to do so!
5. I contacted the main institutions where we keep our money and asked them about security.
I wanted to be assured that my money was safe.
Of course they gave me the standard “we have very high security standards” line. Uh yeah. Equifax had very high security standards too — until they were hacked.
I expanded the alerts on my bank accounts. Now if so much as a bee breathes in the direction of my accounts, I get a notice via email and text. It panicked me the first couple of days but now I know that they are just keeping me in the loop — even for simple things.
I also changed my passwords on all accounts from something like “Word3word” to something like “%8WoRd#9wOrD$”. Not those exactly, of course, but you see what I mean. I added multiple numbers, symbols, and upper and lower case letters to make my passwords as strong as possible.
6. I changed passwords on my email accounts.
As you might imagine, I have multiple email accounts since I run websites. You’re probably also aware that many security issues can arise from having your email hacked. I already have two-factor authentication set up on my email accounts, but I also wanted to upgrade the passwords — just in case.
7. We signed up for AAA’s free credit monitoring service.
I was going to sign up for Equifax’s one-year free credit monitoring service.
As an aside, one-year monitoring is laughable as we all now have a lifetime commitment (I’m sure LifeLock and related services are seeing record sign-ups), which is just another reason to hate Equifax.
Initially it looked like signing up for the Equifax service might make you ineligible for a lawsuit against Equifax for the breach. But it was later clarified that this was not the case. So why not?
Then I started to think about it…
- Do I really want a company that just got hacked to monitor my data?
- Do I want to give them my credit card info so they can charge me for the service (if I forget to cancel) on day #366?
- Do I ever want to do any kind of business with Equifax at all?
The answers to these are “no” of course, but what were my options? Pay $10-$20 a month for credit monitoring?
By the way, IMO credit monitoring is “ok” but probably isn’t going to save you. It can’t hurt though, so why not add it if it’s inexpensive?
Then we got an email from AAA that read as follows:
Equifax Inc. recently disclosed that it experienced a cybersecurity incident potentially impacting the personal information of approximately 143 million U.S. consumers.
AAA does not use Equifax, nor has it experienced a data breach. However, the magnitude of this highly publicized incident demonstrates how important it is for everyone to have a personal identity theft monitoring solution in place.
Your AAA membership includes an Identity Theft Monitoring solution backed by Experian® called ProtectMyID® Essential at no extra charge – but you need to enroll to take advantage of the protection.
AAA’s ProtectMyID® Essential provides daily credit monitoring, email alerts and fraud resolution support.
We have had AAA for years. Our car, house, and umbrella insurance is with them (we bid it out every couple of years and they’ve been the lowest). They also save us with travel discounts (especially hotels) now and then.
Oh, and did they say “no extra charge”? LOVE that! So we signed up!
8. I’ve upped the frequency I check my main accounts.
I used to check them every few days to once a month. Now I’m checking them all every third day or so. There are about five I consider to be very important.
I’m thinking these eight steps will make my accounts safer than 99% of those out there. Criminals are notorious for going after the easy prey. Hopefully I’ve made myself harder to mess with than most and they’ll leave me alone.
Here are a few other random thoughts/next steps:
- What are we going to do about our kids? I’ll likely go through the same process for them (credit report review and freezes) but I wanted to get us set first since we have a lot more to lose than they do. 🙂
- Credit freezes and thaws cost money for some depending on what state you live in. Here in Colorado the freezes are free but it costs $10 to lift the freeze. My guess is that states will change the laws to make freezes, thaws, and anything else like this associated with credit reports free — at least for once per calendar year.
- Equifax should have provided free credit monitoring for five years or more. If they really wanted to try and make things right, they would have. But they are more worried about their bottom line than anything else. I bet they make a windfall on people who forget to turn their service off after a year and begin shelling out $20 (or whatever the cost is) per month.
- Credit freezes put kind of a damper on travel hacking (which I started to do a bit of — will write about it once I let it play through). Yes, you can still thaw your reports when you apply for credit but it’s another step and not that convenient.
- I still laugh at people who claim they track their finances with this company or have all their passwords stored with that company because they are “completely secure.” Newsflash: NO SITE/BUSINESS is completely secure.
- Just for the record, none of us ever gave Equifax permission to keep our data. They accumulated it on their own and then were careless with it. Then they worked to spin their incompetency into the best story possible while we waited. That’s despicable.
So, that’s how I dealt with the hack. What did you do?