The Equifax Hack
As you’ve all seen in the news lately, Equifax has let the credit history of over 140,000,000 people get released into the wild. The data exposed includes Social Security Numbers, past and current addresses, all previously held accounts, all inquired accounts, birthdays, etc. I’m writing this out as a simple guide that everyone should consider following as a precaution to protect your information.
Please read this entire post before starting the process of securing your accounts. At the end I have included my personal experience regarding these steps to give you an idea of how the process goes.
How do I know if I was affected?
Are you an American adult that has ever had or inquired about a credit card, personal loan, student loan, car, bank account, cell phone plan, electric service, water service, internet service, security clearance, most jobs, most schools, most apartment complexes, or renting a house? Congratulations! You’re affected! Sure, technically there's about a 60% chance your data was actually included (~240 million adults in the US vs 140 million accounts leaked), but do you really want to bet on being the lucky 40%?
How is this different than other breaches?
The breaches in the past like the US Office of Personnel Management, Target, Yahoo!, PlayStation, etc are inconsequential compared to what we are experiencing today. This is because Target, Yahoo!, and PlayStation do not store your SSN, they do not track every bill you’ve paid, they do not track everything you’ve ever thought about buying through financing or via credit cards. The most damage Target and the others did was compromise your debit or credit card. Big deal; all you had to do was cancel your card and get a new one.
With Equifax, we can’t do that. The most you could do is request a new SSN but that presents a whole new list of problems down the road. The closest comparison to this event is the OPM hack, but that only affected government employees and was likely stolen by a foreign government agency. Luckily, that data will only be used to spy on us rather than ruin our lives.
So, what happens now that all my information as stolen?
Now every American gets to play the worst lottery ever. You now have approximately a 1-in-140,000,000 chance of your identity being stolen in the worst way possible. Winning this lottery means you get to spend the next 3-4 years fighting to prove to every financial institution on earth that you are real and not the identity thief. You won’t be eligible for any line of credit – no cars, no house, no loans, maybe even no utilities, phone, or rentals.
This is ridiculous and I am justifiably angry about this. Who can I complain to?
Craft a clear, polite, yet strongly worded letter expressing your opinion about this situation. Then go here and enter your address. Send your letter to everyone on the list that shows up. Send it through the post office, not email.
This is terrible! What can I do to prevent my identity from being stolen?
- Do NOT sign up for Equifax’s free identity protection service from TrustedID.
Equifax owns TrustedID, and the main takeaway from this breach is to not trust Equifax or the services they provide anymore.
2. Get your credit report today.
Note that this does not include your actual credit score. Regardless of what steps you do after this, you want to get your current credit report to keep on file so you can identify anything new that should be flagged in the future. The federal government requires all three major credit agencies give you a free copy of your report every year, and the only authorized website to get them from is annualcreditreport.com. Yes, it is a real site and can be verified by usa.gov, TransUnion, Experian, Equifax, and the FTC. Get all three reports if you can, save them, print them, and keep them safe for your records. Once you get your reports, you should now…
3. Freeze your credit immediately.
Freezing your credit means that nobody, including yourself, can inquire into your credit for any reason until this freeze is lifted. This does not affect any of your existing accounts. Your credit will continue to mature as usual, and your credit cards will still work. It simply means that no one can open or inquire about any new lines of credit in your name until your account is unfrozen. For CT residents, it will cost $10.64 (includes taxes) to freeze each credit report and last indefinitely, but $32 is nothing compared to the cost of having your identity stolen; you are investing in protecting your future. There are designated automated phone systems for each credit bureau, and the process takes about 3 minutes for each call. The numbers to call are:
You must freeze all three. You can do this process online, but all three credit company's sites have been crashing constantly due to the sheer volume of people accessing their pages, making the online process inconsistent.
A unique PIN will be associated with your account freeze for each bureau. TransUnion allows you to make your own PIN, Experian will send yours in the mail, and Equifax will generate one for you and give it to you over the phone. Be sure to write down the Equifax PIN before hanging up. Without these unique PINs, you will not be able to unfreeze your accounts.
If there is another breach like this in the future, unfreeze your accounts, then place a new freeze on them again to get a new PIN. You will need to do this because if your personal data is stolen again, that data will include your existing freeze PIN. Yes, it costs money. It costs less than having your identity stolen.
4. Submit an Initial Fraud Alert.
If you don’t freeze your accounts, at least do this. You are now the victim of identity theft, and having a Fraud Alert on your file will make it more difficult for an identity thief to open accounts in your name. When you have an alert on your report, a business must verify your identity before it issues credit, so it may try to contact you. The initial alert stays on your report for at least 90 days, and you can renew it after 90 days. Placing a fraud alert on your account is free. The steps to place an Initial Fraud Alert on your account are below, provided by the FTC.
1. Contact one credit reporting company of your choice. Again, I recommend by phone since some websites are down due to high traffic volume.
TransUnion – 800-680-7289
Experian – 888-397-3742
Equifax – 800-525-6285
2. Report that you are an identity theft victim and ask to put a fraud alert on your credit file.
3. Confirm that the company will contact the other two reporting companies regarding the alert. Whichever company you contact must contact the other two to notify them that a fraud alert is tied to your account.
5. Opt-out of prescreened offers of credit
This will stop any mail regarding firm credit offers (pre-approved credit cards, etc) from being sent to you. Not only does it cut down on junk mail, it prevents someone submitting your name with a new address from getting valid credit offers sent to them. This will remain for five years, but if you return a signed Permanent Opt-Out Election Form to each credit bureau, the hold will be permanent.
To enable the 5-year opt-out, you can dial 888-567-8688 or go to go to https://www.optoutprescreen.com/
To extend this opt-out period permanently, fill out their form linked above and send a copy to each of the following addresses:
Name Removal Option
P.O. Box 505
Woodlyn, PA 19094
P.O. Box 740123
Atlanta, GA 30374-0123
P.O. Box 919
Allen, TX 75013
Innovis Consumer Assistance
P.O. Box 495
Pittsburgh, PA 15230-0495
6. Optional: Submit an Extended Fraud Alert
An Extended Fraud Alert lasts for 7 years, compared to an Initial Fraud Alert’s 90 days. However, because it is more severe, it requires more work on your part to complete. This requires you to:
1. Submit an Identity Theft Report to the FTC at https://www.identitytheft.gov and download a copy of the report.
2. Go to each of the three credit reporting companies and fill out their Extended Fraud Alert Request Forms.
3. Mail in the forms to each company and attach the paperwork that each company specifies, i.e. a copy of your driver’s license, recent bank statement, social security card, etc. Equifax and Experian require a police report to be included with their form. See If your identity is used for fraud below for details about this process.
Note: Depending on your local laws, the police may not allow you to file an identity theft report until your information was used fraudulently. For most of you, renewing the Initial Fraud Report every 90 days will be your only precautionary measure. Be sure to set a reminder in your calendar.
Last Steps and the IRS
It's important to remember that we'll never truly be "done" with the aftermath of this breach. Whoever stole this data knows the public is on high alert. The thieves will likely be inactive until the news has sufficiently died down about the hack. If they are smart (and they were smart enough to break into Equifax) your personal information will be sold months or even years down the road, making it that much harder for investigators to find the original culprits.
You will have to renew the Initial Fraud Alert on your account every 90 days, because chances are it will have expired before your data is actually used. If you live in a state where your credit freeze expires you will have to be sure to renew that, too.
File your tax return as soon as possible from here on out. With your credit frozen and a fraud alert in place, your biggest risk of direct impact is going to come from a fraudulent tax return. Unfortunately, the IRS doesn’t bother to confirm identity on tax filings except for a SSN. If somebody files with your SSN, you will not be able to file. You will have to dispute it, and it is a very long and arduous process to go through. If your identity is stolen and used this way, TurboTax keeps a webpage to make fighting this battle a little easier. The IRS will never contact you by phone or email to verify your identity. If the IRS needs to verify your identity, they will notify you via mail with a 5071C letter. You will need that letter and call 800-830-5084 to provide verification that you are who you say you are.
The only preemptive measure you can take with the IRS is to submit Form 14039 while filing your tax returns. This form basically tells the IRS that you're a victim of identity theft (which literally every adult in the US now is) and to pay special attention to your account. Otherwise, the stance from the IRS is to file your taxes before someone else does. It's a terrible unofficial-official rule, but the IRS only cares that they get paid, not who they pay back.
The Extra Mile
While the primary steps cover 90% of your life, the following three are for the extra-cautious. While they are considered optional, there’s no such thing as “too much security” when your identity is at risk.
You may have heard your banker talk to you about your Chex Systems report as you were opening a new account with your bank. This report shows checking/savings accounts closed with money owed, as well as payday loans and requests for payday loans. With the rise of online banking, if a thief has enough of your personal info (and after this breach with Equifax - they absolutely do) they can open a checking account in your name, have a loan deposited into that account, overdraw the account, and leave you with the bill. The same 90 day/7 year/freeze options are available to you for use on your Chex Systems report. It is important to note here that this report has no bearing on any of your existing accounts - talk to each of your bank and credit card companies to find out what additional security measures they offer.
This is the link for the National Consumer Telecom & Utilities Exchange (phone, cable, lights, etc.) Generally, accounts like these are only reported to your credit file if/when the account is sent to collections. This report will help show you if accounts of this type have been opened without your knowledge. The same security options listed above apply here. The website does a poor job in helping you get your report, but the automated phone system is a little better. You can dial it at 866-349-5185. Freezing your account can be done through the website here.
If someone has used your information to write bad checks, you'll find that information here. Disputing bad checks can be a headache, as you must dispute them with both banks (payer and receiver) AND Telecheck. Like the IRS, they do not have any existing proactive measures to protect you, which is why you need to ensure your Chex Systems report is locked down along with your existing accounts.
If your identity is used for fraud
- Go to your local police station to file a police report for identity theft. Bring your FTC-provided Identity Theft Report (yes they have the same name, sorry if it gets confusing) with you when you file. If they are unfamiliar with an identity theft report, provide them with this memo from the FTC to law enforcement to assist them. Be sure to get an expectation from the police as to when a copy of the report will be ready. Follow up with them if the report isn’t ready by the expected due date until you get it, because a police report is required to resolve instances of identity theft with fraudulently affected companies, waive any fees from credit bureaus (like for freezing your accounts), and is required by Equifax and Experian to place an Extended Fraud Alert on your account.
- Take your Identity Theft Report from the FTC (from the Optional Step 6) and have it notarized. These two documents combined will be an invaluable tool for you when you begin the process of disputing and repairing the damage caused by identity theft.
- Consult a lawyer. Do not exclusively follow the advice of this web page. Seek out a real, experienced, bar-certified lawyer to properly help you get your life back.
In the end, all of these steps take a lot of work and the process will certainly not go smoothly.
- TransUnion's credit report went fine, but I've heard their website crashes as often as the others.
- Equifax's website crashed and couldn't give me my credit report.
- Experian will only provide mine when I mail in proof of identity. I'm waiting for my credit report from them before I freeze it and place an Initial Fraud Alert on all three accounts.
- TransUnion only charged my card $10, compared to the state listed $10.64
- I froze my Equifax account without getting my credit report because their site crashed every time I tried for three days.
- Experian will only work with me on freezing my account through mail.
- NCTUE's automated phone system found my account, had a glitch, then couldn't find my account again. Mailing in a request for a report requires a current utility bill, which I don't have in my name, so I just froze the account, which was easy to do online.
- For the Initial Fraud Alert, TransUnion appears to be the least-terrible option to use, especially since Equifax is disqualified by default and Experian requires everything via mail.
- In all I have 8 letters to send out, most I am sending certified since the contents include my personal information.
- Your experience filing a police report will vary greatly depending on where you live, but it's absolutely worth the effort of at least trying to get one done. I was unable to file a police report because they require physical evidence that fraud was committed, like a bad account opened in my name.
To whomever reads through this whole page, good luck. If you've done all the steps listed above, you can rest easier knowing that you've done the best you can to protect yourself.
If you have any additions or revisions you'd like to recommend, you can reach me here.
Under no circumstance should the contents of this page be considered legal advice or a substitute for legal counsel. This page is for educational purposes only. Please seek out a lawyer if you require actual legal advice regarding any situation referenced here.