Unless you’ve been hiding under a rock for the past couple weeks you’ve heard that the credit reporting company Equifax was hacked.
If this is new news to you, sorry to be the bearer of bad news.
You can find details as well as recommended solutions from the FTC.
In this post I’m going to detail what we did in response to this nightmare.
Equifax Is Evil
Before we get to that, let me spend a few minutes ranting about how bad Equifax is.
Let’s begin with some dates:
- The hack happened (according to Equifax) “from mid-May through July 2017.”
- As they also admit, they discovered they were hacked on July 29.
- The public was informed of this on September 7.
With these pieces of information I’d like to state the following:
- They are incompetent. I think that goes without saying. They were hacked and it lasted 2.5 months before they found out about it. So they were bozos because 1) the hack occurred in the first place and 2) it went on for so long without them knowing. Unbelievable.
- Once they found out about the hack, it took SIX WEEKS before they told the public. This seems criminal to me. Yes, the data had already been exposed for a long time, but did waiting six weeks help or hurt? Answer: It helped Equifax (prepare for the looming business disaster) and hurt consumers (who unknowingly had their data floating around out there for an extra six weeks). Again, unbelievable.
Clearly this company cares about one thing: itself.
Yes, hacks happen, so I can give them a partial pass on that (even though it’s their primary business to PROTECT DATA). There’s nothing that’s ultimately unhackable.
But to sit on it for six weeks shows how self-serving the company is. I am done with them and hope they crash and burn in a financial disaster.
Here’s the reason they gave for why it took so long for them to tell us:
As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.
Uh huh. That’s a well-crafted PR piece if I’ve ever seen one (and I was in marketing for almost three decades, so I know what one looks like). It’s called “spin.”
What Really Happened
I had a long career in business and I’m pretty sure I know exactly what happened.
I am almost certain it went something like this:
Person 1: “We just found out we were hacked and 143 million people had all their private information exposed.”
Person 2: “Holy ^$@#*&! If this gets out we’re dead in the water!!!!!”
Person 1: “Exactly. We need to make sure we have a well-thought out PR plan in place if we have any hope of survival!”
Then they spent the next six weeks crafting their message while we were oblivious to our data issues.
Have I mentioned how unbelievable this all is?
What I Did
So I think you know how I feel about them. 🙂
Now let’s get to what I did about it.
Here are the steps I took:
1. I went to the Equifax website to see if we were impacted.
I put in information for both me and my wife and got a message that said we “may” be impacted. Not that we were. Not that we weren’t. But we MAY be impacted. Wow, that was really helpful. Did I mention bozos above? BTW, I took it to mean that we were impacted and I needed to take action.
2. I went to AnnualCreditReport.com.
I got credit reports from all three credit reporting agencies for me and for TransUnion and Experian for my wife (Equifax was overwhelmed and hers wouldn’t go through. We tried a couple days later and it wouldn’t give it to us based on the answers we provided — WTH????).
I printed out the reports and saved them electronically as well.
As of today, we still haven’t been able to get the report from Equifax.
3. I spent an hour or so going through every credit report in detail. (At least this helped me get one item off my New Year’s Resolution list).
It was interesting to see them all together — they are quite different. The Equifax one was the worst as it didn’t have credit card account numbers on it (not sure if they used to have them and removed them after the breach or what.) Anyway, trying to identify whether a card was legit or not was a hassle without all the info. It would simply say something like “Chase card” and then give details on when I opened it, the balance, etc. Uh, do they know how many Chase cards I have? Why not put something like “Chase card ending in 1234” so I could easily identify it?
That said, at least Equifax tried to make the report look nice. They are apparently the only ones who let someone who knew something about design work on it a bit (not a lot, but it was MUCH more readable than the other two). Experian’s and TransUnion’s reports looked like something an accountant would spit out. However, their information was more detailed and I guess that’s the main point.
Everything looked ok on all the reports, thank goodness.
4. I put a credit freeze on our accounts at TransUnion and Experian.
I did mine online and my wife did one online and one on the phone (for some reason we couldn’t do it for her online with one of them). Neither of us could get through to Equifax because the “system was unavailable” and I’m assuming they were slammed. We kept trying and still haven’t been able to freeze our credit with Equifax. Ugh.
I’m not too worried about Equifax as the hold-out freeze company since 1) no company looking to approve a card or account is likely using Equifax at this moment anyway and 2) the other two were locked down tighter than a drum.
But I will freeze Equifax ASAP. I may have to write them to do so!
5. I contacted the main institutions where we keep our money and asked them about security.
I wanted to be assured that my money was safe.
Of course they gave me the standard “we have very high security standards” line. Uh yeah. Equifax had very high security standards too — until they were hacked.
I expanded the alerts on my bank accounts. Now if so much as a bee breathes in the direction of my accounts, I get a notice via email and text. It panicked me the first couple of days but now I know that they are just keeping me in the loop — even for simple things.
I also changed my passwords on all accounts from something like “Word3word” to something like “%8WoRd#9wOrD$”. Not those exactly, of course, but you see what I mean. I added multiple numbers, symbols, and upper and lower case letters to make my passwords as strong as possible.
6. I changed passwords on my email accounts.
As you might imagine, I have multiple email accounts since I run websites. You’re probably also aware that many security issues can arise from having your email hacked. I already have two factor authentication set up on my email accounts, but I also wanted to upgrade the passwords — just in case.
7. We signed up for AAA’s free credit monitoring service.
I was going to sign up for Equifax’s one-year free credit monitoring service.
As an aside, one year monitoring is laughable as we all now have a lifetime commitment (I’m sure Lifelock and related services are seeing record sign-ups) which is just another reason to hate Equifax.
Initially it looked like signing up for the Equifax service might make you ineligible for a lawsuit against Equifax for the breach. But it was later clarified that this was not the case. So why not?
Then I started to think about it…
- Do I really want a company that just got hacked to monitor my data?
- Do I want to give them my credit card info so they can charge me for the service (if I forget to cancel) on day #366?
- Do I ever want to do any kind of business with Equifax at all?
The answers to these are “no” of course, but what were my options? Pay $10-$20 a month for credit monitoring?
By the way, IMO credit monitoring is “ok” but probably isn’t going to save you. But it can’t hurt though so why not add it if it’s inexpensive?
Then we got an email from AAA that read as follows:
Equifax Inc. recently disclosed that it experienced a cybersecurity incident potentially impacting the personal information of approximately 143 million U.S. consumers.
AAA does not use Equifax, nor has it experienced a data breach. However, the magnitude of this highly publicized incident demonstrates how important it is for everyone to have a personal identity theft monitoring solution in place.
Your AAA membership includes an Identity Theft Monitoring solution backed by Experian® called ProtectMyID® Essential at no extra charge – but you need to enroll to take advantage of the protection.
AAA’s ProtectMyID® Essential provides daily credit monitoring, email alerts and fraud resolution support.
We have had AAA for years. Our car, house, and umbrella insurance is with them (we bid it out every couple of years and they’ve been the lowest). They also save us with travel discounts (especially hotels) now and then.
Oh, and did they say “no extra charge”? LOVE that! So we signed up!
8. I’ve upped the frequency I check my main accounts.
I used to check them every few days to once a month. Now I’m checking them all every third day or so. There are about five I consider to be very important.
I’m thinking these eight steps will make my accounts safer than 99% of those out there. Criminals are notorious for going after the easy prey. Hopefully I’ve made myself harder to mess with than most and they’ll leave me alone.
Other Thoughts
Here are a few other random thoughts/next steps:
- What are we going to do about our kids? I’ll likely go through the same process for them (credit report review and freezes) but I wanted to get us set first since we have a lot more to lose than they do. 🙂
- Credit freezes and thaws cost money for some depending on what state you live in. Here in Colorado the freezes are free but it costs $10 to lift the freeze. My guess is that states will change the laws to make freezes, thaws, and anything else like this associated with credit reports free — at least for once per calendar year.
- Equifax should have provided free credit monitoring for five years or more. If they really wanted to try and make things right, they would have. But they are more worried about their bottom line than anything else. I bet they make a windfall on people who forget to turn their service off after a year and begin shelling out $20 (or whatever the cost is) per month.
- Credit freezes put kind of a damper on travel hacking (which I started to do a bit of — will write about it once I let it play through). Yes, you can still thaw your reports when you apply for credit but it’s another step and not that convenient.
- I still laugh at people who claim they track their finances with this company or have all their passwords stored with that company because they are “completely secure.” Newsflash: NO SITE/BUSINESS is completely secure.
- Just for the record, none of us ever gave Equifax permission to keep our data. They accumulated it on their own and then were careless with it. Then they worked to spin their incompetency into the best story possible while we waited. That’s despicable.
So, that’s how I dealt with the hack. What did you do?
Coopersmith says
Thanx ESI. This gives me some more steps to secure my credit history as I know for a FACT that someone has my info. It was September 1 when I received notification that my address has changed from my credit monitoring. It had not. I accessed my credit report that day and found a new address in Alabama. I immediately filed a fraud alert which will be reported to all agencies. Not sure what to do I signed up with the credit company for their credit monitoring where I can put a freeze on my credit report. A couple days later I tried to access my Paypal CC and it was locked. I proceeded to call Paypal CC and they tried to contact me as there was suspicious activity and sure enough Paypal was the one that filed the change of address and new phone number. I told them this was a fraudulent address and they restored my account and will issue me a new card. Then a couple of days after that I Received notification that a CC was applied for by American Express which I did not do. So I called Am EX and stated I filed a fraud report and I did not apply for a CC with them. After a few other verifications they declined the CC application.
Of course Equifax reported there data breach AFTER all this happened which all happened within a week. Once again thanx as this will help me make things more secure but nothing more than a big hassle from here to eternity.
Matt Hyatt says
I can certainly understand being upset about the Equifax hack and their behavior since. I’m frustrated, too.
You mentioned that the primary business of Equifax is to protect your data. I don’t think so. Their primary business is to track and store as much financial, medical, and personal data about you, me, and anyone else that they can find, then to turn around and sell that data to anyone willing to pay for it. With their “credit monitoring” service, they’ll even sell our own data back to us, then ask us to help them improve the quality of their data through their dispute system. The same goes for Experian and TransUnion.
The Equifax data breach is the equivalent of a plane crash for an airline. Lots of unwanted attention, bad press, and major damage to their business. Will they recover? Only time will tell.
ESI says
Yes, those are the things they do. Don’t you think protecting the data would be vital to doing them?
Kevin says
I’d argue that it is much more than the equivalent of a crash of an airplane for an airline. It is the equivalent of all an airlines planes crashing at the same time which should result in no one wanting to ever again fly with the airline and they go out of business. I believe that is exactly what should happen in the case of Equifax.
Other nations have figured out the importance of privacy with regards to personal data and we still haven’t because of the laissez faire attitude towards capitalism and the lack of critical thought of our electorate. Please don’t misunderstand me, I’m all for capitalism but but not unchecked. And when it comes to your social security number, your driver licence, the primary means of identifying who you are and the means used to figure out your credit worthiness…all of this should have been regulated prior to now. I’m not saying that this prevents hacks (I’m in IT) but it does force over sight and protects consumers. It is unfortunately too late now.
I managed this morning to freeze all 3 and maybe the following pointers will help.
Don’t select your own pin with Experian. Let them provide the pain. All attempts to select my own pin resulted in failure and notification to send in the info by mail. They will ask you a set of questions appropriate to your history to also answer. They were the only one to do this.
Transunion will try to sell you a lock instead of a freeze. Transunion requires you to set up an account with them and then you can do what they call a “state freeze”. The lock appeared to me to be an upsell although I didn’t spend too much time investigating it. Maybe one of your other readers can contribute more on that.
Equifax have changed their process for getting a freeze and I did it easily this morning where multiple attempts over the last week and a half resulted only in the dreaded mail notification.
Just happy at this point that I was successful. Now I need to do the same thing for my fiance this weekend.
Vaneita says
…and when the executives sold over 2Mil in stocks in early August, they were not aware of the hack. It makes you wonder. Do I hear jail time?
Ten Factorial Rocks says
Timely post, ESI. I put a credit freeze long back, and that’s about the only thing you need to do to protect yourself in case you information was part of the hack. Without access to your good credit, there is no use for a person who steals it. All your bank and brokerage accounts are anyway protected by linked accounts so no transfer to third parties are possible. Every time you add a new bank, a verification is sent to your email. They can use your info to claim “lost username and password” and get new login credentials, but then, that’s why you should regularly login to your own accounts so you can detect that you have been logged out and can raise a flag with the bank. Even if they were able to login somehow, fund transfer to a strange account is not possible.
Janice says
I have been doing the free 90 day credit lock for years through Transunion due to the Anthem hack. My understanding is you only have to do it via one credit reporting bureau and they will notify the other two. I mark my calendar to renew it every three months.
I have thought anout Lifelock and others, but then can I trust them to also not be hacked? Nothing is safe. I agree the year of protection from Equifax is a joke, it should be lifetime as criminals could sit On your info for a decade before using it.
Michael says
One thing that shouldn’t surprise anyone is the length of time it took to discover the intrusion. The average time in which companies detect a network intrusion is over 200 days. In addition, once it is detected, the company will bring in forensic experts, generally the USSS and other law enforcement analysts who will conduct an investigation. Generally during this time law enforcement will request that companies work with them closely. This may include isolating the breach, putting additional controls in place and not making a public announcement while the investigation is taking place within a reasonable amount of time. Yes the PR team is going into crisis mode to inform the public, minimize brand erosion and communicate appropriately from their perspective. Even the best run companies who invest millions of dollars in building a fortified system (Target comes to mind….and they have always been proactive within the Retail and Law Enforcement fraud prevention communities) can be breached. These are well funded criminal cartels generally from Eastern European countries who are run like a business enterprise. I took may of the steps listed by ESI and one cracked me up, Equifax wanting all my personal information including my SS which just made me question their credibility. Here are some other tips I share with people concerned about their identity being hacked: never use your debit card at an unattended credit card terminal, including gas stations, grocery stores, etc. like many of us who have multiple credit cards, use one card for all online purchases. With retail businesses migrating to chip technology, the criminals are attacking “Card not Present” transactions (online transactions) so if you isolate your card use it will be easier to determine if your card was hacked by an online intrusion vs. a brick and mortar hack. Skimmed transactions is another whole topic in itself. Crime cartels have escalated this activity over the past five years. Phone hacking is on the rise as is telefraud which is generally geared toward trusting senior citizens. I got off on a tangent but none of what happened surprised me……only proving if Equifax was hacked so can many businesses regardless of PCI industry guidelines and certifications designed to protect consumers. I would suggest credit monitoring at a bare minimum.
JC says
Just an FYI, a freeze for Equifax is free right now for everyone. I’m in Kansas and I only had to pay for Transunion.
JC says
And don’t forget about CBCinnovis. You need to call them to place a freeze.
Bernz JP says
Thanks for this reminder. I checked my Experian account again just a few minutes ago and my AMEX card and everything looks fine. This was actually the third time I checked on them after the Equifax incident. Wife and I only use AMEX (shared account)which makes it easier to check. I remember about two years ago when there were multiple charges from a couple of vendors (unknown) that showed up on my account and AMEX took care of them in no time. I do like the way AMEX is protecting their customers. I remember that every time I am out of the country and make charges they always send me an email to confirm if it was my transaction. Nothing is safe nowadays that’s for sure.
Richard Ryan says
I definitely agree re Amex. I have had both an Amex card and a Chase Preferred card for years and the Amex card has never been hacked. On the other hand, the Chase card hack seems like an annual tradition (and one I could do without).
Bernz JP says
Yes. I’ve had my two AMEX cards since 2005 and zero hack to date. The only drawback is they’re no longer accepted at Costco which we frequent LOL. We are now using a VISA debit card for our Costco purchases which is actually a good thing.
Brett says
One practice I’ve followed for the past several years is to stagger when I obtain the free annual credit reports from each agency. e.g., every January – Equifax; every May – TransUnion; every September – Experian. That way I can verify the information being reported and check if there are any changes/additions, which would presumably be reflected in all of them, on a more frequent basis.
Vicki@MakeSmarterDecisions says
We had our files frozen BEFORE the hack but we were also in the “maybe” pool. I’m hoping the freeze helps prevent too many problems. But I check accounts more frequently now too. Nothing is safe – it takes vigilance like never before to make sure others aren’t stealing your money. Now they get to steal your time…
FullTimeFinance says
Ultimately not much. It prodded me to add two factor to a few more accounts where I’ve been admittedly lazy. I also will likely increase my report checks. Honestly my wife’s wallet was stolen earlier this year, so I was already on my guard. I also assume my info is already out there.
Dads Dollars Debts says
I did a credit freeze for my wife and I. I checked my sons “breach” data and it said he was likely NOT affected….talk about bad wording. Just say, yes you were hit or no you were not. Take the likely out of it.
This gives me more reason to think social security numbers should not be used for credit. They should come up with something new. Plus, why are we paying these companies to monitor our credit. Screw them…lets all just become financially independent and not need their credit in the first place.
Ray says
> I added multiple numbers, symbols, and upper and lower case letters to make my passwords as strong as possible.
Just FYI, the most important factor in password security is length. As long as the authenticator allows numbers, symbols, etc. a cracker needs to check for them. A 13-character password will take longer to crack that a 12-character password, regardless of whether either password has numbers, etc.
Probably the second most important factor is not re-using passwords across different sites. That way a breach in one company has no effect on other accounts.
I see you are using 2-factor authentication (2FA) as well, that is very effective. Just make sure it actually is 2-factor authentication – sending a text or an email to you is not real 2FA. Using Google Authenticator or an RSA token is real 2FA.
Finally, not that you can do much about it, but typically the weak link at a website is the password reset process. If you have reason to believe you might be specifically targeted, it might be worth your while to review these and ensure they are as tight as you can make them. E.g. you don’t have to use your mother’s actual maiden name.
Kevin says
Good man Ray..all great points. I don’t think the regular Joe or Jill understands how easy it is for a hacker to hack cases where the SMS system (texts) are being used in place of real two factor authentication. If you absolutely can not get in the habit of using a tool like Google authenticator, then do not use SMS to verify. Have the code sent to you via email. If you follow the advice from Ray and what follows below in addition to this, you’ll be a lot more secure.
A good well spent couple of hours is to ensure that every single password you use for every website or application you access is completely unique and generated to be greater than 12 characters with Upper/Lower/numbers and special characters if allowed by the site.
Following this convention means that if one of those sites get hacked, the only information out there is the information used to access the one site hacked.
This means that if use a password manager system like lastpass (one of many) which can do both for you, you can generate the passwords, store the site and access info and it makes it easy for you access the info through a tool bar add on in the browser when you need it. It will also warn you when you duplicate login information across sites. One of the additional things lastpass will do is to give you the option to remove any information you have stored in your browser which is hackable.
Bottom line, always keep your passwords unique across access points, use real two factor authentication (do not use SMS) ,generate your passwords. Do not use real personal information to identify yourself that someone else could also know as the answers to secret questions. I’m Irish..I’m not going to answer Dublin to the city where I was born. That would be silly of me. This sounds like a lot but trust me, if you find a good password manager, its not difficult except for the set up part.
ESI says
I thought about using a password system like Lastpass, but then aren’t all your passwords in one place? What happens when they get hacked?
JZed says
IT security guy here, LastPass works very well. LastPass just stores an encrypted blob of data, they don’t have the key to decrypt your password data even if they wanted to. If LastPass servers were hacked, the hackers could not get your passwords unless they were able to guess/brute force your own master password (that only you know).
https://www.lastpass.com/how-it-works
As the previous comments indicated, longer is better than a random mix of symbols.
Note, regarding SMS, that is really only a serious security issue if you are are worried about nation states getting your information. SMS is not a great method as a second factor, but it is ok if that is the best you can get. Google Authenticator (or similar tools) are far better… but be warned that it is a MAJOR pain to move your authenticator information to a new device (e.g. new cell phone), but worth it.
Security Conscious says
Summary of this comment: go make as many accounts for all gov’t related services as possible. You may need a temporary thaw to do this. If you had a freeze with Equifax before the breach, you may wish to get a new PIN because the old one may be compromised.
Comment: Freezing credit is insufficient. Equifax is the *sole* CR agency that the U.S. government uses for all personal identification check questions. That’s right, the IRS, USPS, SSA, etc. will ask you questions provided and checked by Equifax to verify you are who you say you are. If you don’t already have accounts with as many government agencies as possible (AFAIK, it isn’t possible to create an online account with some, like the IRS) then you’re leaving yourself open to the possibility that a malicious actor will do it for you… with themselves the recipient of any possible benefit.
The questions aren’t supposed to come up if the file has been frozen with Equifax, but sometimes it does. I had this happen when I went on annualcreditreport.com to request all three reports *after* having had freezes in place:
1. Equifax asked questions and confirmed I got them right, but didn’t show me a report.
2. Experian would not ask me the questions.
3. TransUnion asked and verified the questions, and they showed the report, but they included a note on it that it was frozen.
Also, if you had a freeze on file with Equifax before the breach, it’s reasonable to assume that the attackers now have the PIN required to thaw your record at Equifax. It is even possible for a malicious actor to do a thaw for 24 hours, make as many fraudulent gov’t accounts as possible in that time frame, and then let the freeze go back in place; you probably wouldn’t get any notification of this if it were to happen.
Kris says
oh yeah, and did you know that…
Finally on July 29, a whopping TEN WEEKS after the attacks started, Equifax realized that something was wrong.
Senior executive responded to the data breach by… selling their stock.
Yes, in the days following their discovery of the hack, three of the company’s executives sold nearly $2 million worth of stock.
Remember, these “insider sales” have to be reported to the Securities and Exchange Commission, so there is a public record every time a company executive sells stock.
Richard Ryan says
Thank you. Pretty much the best article I have read on this incident. I forwarded it to my kids with the following note:
“Good article on the Equifax data breach. Keep in mind that despite the fact that most of the media has yawned and moved on to the next story, the Equifax breach is much different — and much more serious — than other high-profile data breaches, like the one at Target a few years ago.
In the case of Target, they are a retail store and hackers got access to your Target account info. But when hackers got into Equifax, they got access to pretty much your entire life — because that’s Equifax’s core business: collecting all kinds of personal data about you in order to generate credit scores. Your name, social security number, addresses (present and former), education, employers (present and former), vehicles (present and former), and every kind of financial account you have every had (checking, savings, credit card, mortgage, student loans, etc., etc.).
Consequently, I am putting a “credit freeze” on both mine and Mom’s credit files. A credit freeze is the most secure way of blocking identity theft (even though it’s not foolproof). A freeze is currently free from Equifax, but $10 for Experian and TransUnion (so $40 total). But, I think it’s worth it because I do not want to be one of the folks who will be put through the ringer when they learn that someone created a new identity, got a bunch of credit cards in their name, and then left them with a tanked credit rating and mess that will take months to clean up.”
CM says
Hi,
I used EQUAFAX perhaps a decade or more ago to check my credit score. However, ever since they and any others who have requested my personal SIN number (here in Canada) to be entered online, I REFUSE to join up whether it’s for paid “security” or a free report.
With everything being so connected now, the less you have online the better you are in my mind.
I’ve been online since 1994.
KEEP UP THE GREAT ARTICLES.
fs4138 says
Here are links to pages where you can freeze your credit with the 3 credit reporting agencies:
Equifax
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
No charge currently to lock/unlock credit reports. However I believe they will resume fees for freezing/unfreezing in the future.
TransUnion
https://www.transunion.com/product/trueidentity-free-identity-protection
This link is to a free option offered by TransUnion to lock/unlock credit report. It requires you to create an account with TransUnion (Free). Can lock/unlock your own account for free when you choose.They also offer a traditional option where you pay a fee to have them do it for you.
Experian
https://www.experian.com/ncaconline/freeze
$5 per time to lock/unlock credit report.
fs4138 says
Good reference on what a credit freeze is, as well as pros and cons: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
Dave says
Another indication of their incompetence is that the hackers exploited a well known vulnerability in open source software which Equifax failed to patch.
John @ PVF says
Once you realize that you’re the product and not the customer, it goes a long way towards understanding all of the credit agencies’ motivations and actions to date.
Why do they make you jump through hoops to freeze your credit/take ownership of your info? Because then they can’t sell it.
hglaber says
I haven’t been able to pull an Equifax annual report online for years. No idea why. However, I did sign up for Credit Karma a while back. I really don’t care about the score (which I knew was fine), but it gives you access to two agency reports, one being Equifax. Although Equifax won’t give my report directly to me online, Credit Karma has no trouble pulling the info. More importantly, you can check it any time, not just once a year, and Credit Karma will notify you of changes as soon as they appear on the reports.
I haven’t had many changes (my reports have been frozen for years), but on the few occasions I signed up for new credit, I was notified.
govt guru says
In the case of Target, they are a retail store and hackers got access to your Target account info. But when hackers got into Equifax, they got access to pretty much your entire life — because that’s Equifax’s core business: collecting all kinds of personal data about you in order to generate credit scores. Your name, social security number, addresses (present and former), education, employers (present and former), vehicles (present and former), and every kind of financial account you have every had (checking, savings, credit card, mortgage, student loans, etc., etc.).
Richard Ryan says
My thoughts … exactly. 😉
J says
As someone has mentioned, more than just credit information was breached.
A great article about how to protect against other forms of identity theft (ie medical or driver’s license) is: “A Credit Freeze Won’t Help With All Equifax Breach Threats” by Jeff Blyskal (for Consumer Reports).
We were affected by Equifax, Target, the IRS, and Yahoo breaches, so I had already worked on changing passwords. I incorporate numbers, words, or symbols for the date in my passwords so I know exactly when I last changed them (spread these through a long password and change just this portion when updating for a few times before coming up with a whole new password).
Went to sign up for an SSA account (to turn on 2FA), and saw the option to Block Electronic Access. Figured that was a lot safer since we have no problem doing business with them offline.
We signed up for TrustedID (*gag*) through Equifax, figuring free for a year, why not. Did not have to provide a credit card or anything for payment.
Found out our Capital One card provides credit monitoring through TransUnion; signed up.
Wanted to sign up for the AAA monitoring, but the website just keeps advising us to “Please Wait”. Since Oct is when I’d planned to pull our Experian reports anyway, I plan to call the sign up number after I receive that.
Had not heard of the 4th credit bureau until the hack. I’d like to see what info they have on us.
Working on obtaining an IP PIN from the IRS, too. Do this before placing a fraud alert or freeze so they can verify your identity.
With all of our information already out there, it’s funny to me that the 2 times we actually were defrauded had nothing to do with a hack.
1. Our Fidelity card number was used to bill for a bus tour in Mexico. By the time I called the fraud dept, it turned out a whole host of cards had been affected, and they’d been spending the morning cancelling and reissuing new ones. No paperwork/headache for us.
2. A check sent from our Fidelity billpay was cashed by someone other than the payee.
That did cause some headaches, mostly in getting Fidelity’s front and back office, the detective, and the separate bank that actually holds the account all on the same page. The police report was fairly simple, Fidelity’s paperwork less so. But eventually we were reimbursed, and I now watch those checks like a hawk.
Funny how I check our credit card transactions weekly, but never thought to double check the endorsement line on bill pay checks.