As you may already know, up to 143 million people had their Social Security numbers and other data stolen in the recent Equifax data breach. Whether or not you were impacted, here are some things to keep in mind when it comes to actively protecting yourself in situations such as this.
Atlanta-based Equifax, Inc. indicated a breach of their data occurred sometime between mid-May and July of this year. They finally discovered the breach on July 29th, and subsequently notified consumers six weeks later, on September 7th; which means they reportedly knew the financial equivalent of your front door was wide open, and failed to notify you about it within a responsible amount of time. Adding insult to injury, the website they created to provide you to 12 months of free credit monitoring conveniently requires one to waive their right to file suit against Equifax. Equifax later backtracked on this, allowing people to file against them, but only if they send Equifax written notice within 30 days. Equifax has not removed the opt-out language from its general terms of service, but later has assured customers that it won’t be applied to use of the credit-monitoring service. In the days following the breach, Bloomberg reported three senior Equifax officers sold nearly $2,000,000 in company stock in the days after they realized the breach, but before the company notified the public. Lastly, instead of notifying consumers directly that they were affected, Equifax chose instead to set up a website for people to have to go to. If there is better way for a US corporation to simultaneously broadcast they are unqualified for the great responsibility required of a credit reporting agency, and show their leadership qualifications include the ability to produce the worst possible response to a crisis by any company in the second decade of the new millennium, I am currently unaware of it. Needless to say, their stock price has lost nearly 40% of its value at the time of this post.
What it means for you
This is the biggest indication to you that the days of taking a passive approach to protecting your credit and financial identity are over. There was a time when the most the average person had to do to monitor their credit was to check their report a few times a year, for free, at www.annualcreditreport.com and determine if anything suspicious had taken place. Those days are long gone. For example, when Yahoo, Inc. famously lost billions of emails in various data breaches, it wasn’t that big of a deal. The difference between the Yahoo and Equifax breaches is that your Yahoo email account is largely valueless. Sure, a persistent hacker might email your grandmother requesting bail money claiming one poor decision during an otherwise innocuous night out with friends from church has landed you in jail… in The Congo. But for the most part – if you change your Yahoo password regularly – you’re fine. The difference with this event is what was stolen. When the data Equifax owns is taken, potential thieves not only have your Social Security number, but also your date of birth, your current and former addresses, and possibly your driver’s license number, among other information. This is the type of information is known as “out-of-wallet authentication” and the type of information one needs to successfully and easily apply for any type of new credit, including an auto loan or mortgage in your name, or even create login credentials for your financial websites.
What to do
You could go to the Equifax website to check if you were one of the 143 million people that had their data stolen. To do this, go to their website: www.equifaxsecurity2017.com. (This link takes you away from my site. Equifaxsecurity2017.com is not controlled by TLF.) Instead of doing that, I recommend you assume and act like your data was stolen and consider the following precautions.
- Check your credit reports and consider a monitoring service
As I mentioned earlier, you can check your reports once a year for free from each of the three credit reporting agencies at www.annualcreditreport.com. Some people request their reports every four months to provide a limited type of monitoring throughout the year, while others will check all three at once. Either strategy has its merits, albeit weak ones. As far as continued monitoring goes – Equifax has notified consumers they will offer their credit monitoring service free of charge for a period of 12 months. I don’t know about you, but given the way Equifax managed themselves after the breach, the last thing I’d do is trust them going forward. Reality is, if you need some type of monitoring service, the need will not diminish at the end of the next 12 months, so you might want to create a relationship with another monitoring agency that is still credible. Lastly, credit monitoring is reactive, and not proactive. Meaning, these companies will notify you either by text or email when new accounts have been opened in your name, new credit inquiries, late payments, etc. It will NOT stop someone from successfully applying for credit in your name. If you don’t want to hire one of the credit monitoring agencies to monitor your credit, consider a company like AllClearID.
- Consider a freeze on your credit
Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identify thieves to open new accounts in your name. This is because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit. An important caveat: if you want to freeze your credit, you must apply for a freeze at each of the three credit reporting agencies (yes, even Equifax….sigh). Here are the links to freeze your credit at each of the three companies: TransUnion Equifax Experian A few things about a credit freeze: It will not affect your credit score. You will receive a PIN when you freeze your credit. Keep this number in a safe place, and please don’t have your pin be the last or first six digits of your Social Security number or date of birth. If you do need to apply for credit after you have requested a freeze, ask your lending institution which credit monitoring agency they use and then contact that agency, PIN in hand, and temporarily unfreeze your credit. Disclaimer: there may be a fee to unfreeze your credit, however this fee is usually around $5.
Lastly: I have had retirees – who do not perceive a need for any type of credit for the rest of their lives – ask if they need to freeze their credit. The simple answer is yes, especially you. There is always the chance someone will take out a loan in your name, go spend their ill-gotten funds, and leave you to pick up the pieces as creditors try to retrieve those funds from you. Unfortunately, your credit is not something you can ignore.
- Highly Recommended: Add two-factor authentication to all of your financial accounts
Two Factor Authentication, also known as 2FA or two step verification, is an extra layer of security that requires not only a password and username but also something that only that user has on them, i.e. a piece of information only they should know or have immediately to hand – such as a physical token. A good example from everyday life is the withdrawing of money from an ATM; only the correct combination of a bank card (“what you have”) and a PIN (“what you know”) allows the transaction to be carried out. Some people have also experienced two-factor authentication when they login to a website, and that website requires a PIN to be sent to their phone via text message and then be typed into the web site along with their usual credentials.
- Highly Recommended: File your taxes early
As soon as you receive all of tax information, file your taxes before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund. Meaning, if you wait too long to file your taxes, it opens up more of an opportunity for someone to file under your name, claim a refund, run off with the funds, leaving you to pick up the pieces and prove it wasn’t you that claimed the refund. As a general rule of thumb, do pay attention to any letters in the mail that look like they may be from the IRS, do not pay attention to an email from the IRS. The IRS does not email you to let you know you owe them money.
- Consider placing a fraud alert on your files.
A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you. The link above will instruct you on how to go about this.
- Highly Recommended: Actively review your financial accounts
At the very least, you should monitor your credit card, banking, and investment account statement monthly as soon as you receive it. Most major credit cards will allow you to set up other warning alerts for suspicious activity. You can also view your activity daily on your credit card’s website to identify unknown charges as quickly as possible.
Lastly, if you have minor children or an aging parent in your home, consider taking the above steps for those individuals as well. The bottom line is that a tremendous amount of data is now floating somewhere out there, and it is now your responsibility to proactively protect financial identity.