Unless you’ve been living in a cave, you’re probably aware that there was a major security breach at Equifax, a credit reporting agency which stores extremely personal data about nearly half of the population of the United States. I’m not going to rehash the basics of the breach (go Google “Equifax breach” or read this), but I do have some thoughts to share that rise at least slightly above the level of everybody-else-is-already-saying-it.
Make no mistake, this breach is a big deal. The information stolen by hackers in this breach is sufficient, by itself, to engage in successful identity theft against everyone about whom Equifax has data. If you’ve ever had an auto loan, home loan, mortgage, credit card, or bank account, that includes you.
This may seem counter-intuitive, but I suspect that ultimately this breach will turn out to be a good thing. The handling of people’s personal data and finances is handled in the United States has been a security and privacy disaster for many years. This breach is so large and egregious that it’s nearly inevitable that it will be the impetus for improvement. It is literally true that as a result of this breach, no one is safe anymore. That is not sustainable.
There’s a joke that goes like this:
Joe and Bob are out on the trail when they see an angry bear charging toward them. Joe immediately drops his pack and starts running down the trail away from the bear. Bob calls out to him, “Are you crazy!? You can’t outrun a bear!”
As Joe disappears down the trail, he calls back over his shoulder, “I don’t have to outrun the bear. I just have to outrun you.”
This is why you should freeze your credit report at all the credit reporting agencies. Identity thieves will be going through the stolen data and targeting people one by one. If they run into any problems with a victim, they’ll just move on to the next one. If you freeze your report, you’ll probably be one of the people they skip. This great article tells you how to freeze your report everywhere.*, **
Before you freeze your credit reports, you should go sign up at CreditKarma.com (if you wait until after you freeze, you’ll have to “thaw” your report before you can sign up there). It seems to be the best of the available, free options for getting notified if something potentially suspicious happens with your credit report. If you’re an AAA member, you might also want to sign up for the free basic ProtectMyID service offered to members (log into the AAA web site, open the “Membership” menu and click on “ID Theft Monitoring” under “Other Products”). Again, do this before you freeze your credit reports.
Everyone in your family who might have been compromised by the breach needs to take the precautions described above. Even if, e.g., all of your loans, bank accounts, credit cards, etc., are held jointly in your and your spouse’s names, both of you have to separately protect yourselves. Ditto for adult children who have credit or a bank account in their own names.
You may have to pay some small fees to freeze your reports with some of the agencies. I think one of the likely outcomes of this breach is that those fees are going to go away, i.e., my expectation is that it will soon be free for anyone in any state to freeze their reports with any of the reporting agencies. Nevertheless, don’t wait for that to happen. Freeze your reports now.
Set up online access for any of your financial accounts which allow it, if you haven’t already. If you don’t “claim” online access for your financial accounts, a hacker with access to your data could do it. This is another do-it-right-away thing. Don’t wait. Also, set up two-factor authentication for all of the sites which support it.
Password security is important now more than ever. Hackers now know everywhere you have financial accounts, so they can do targeted password-cracking attacks against specific individuals at specific sites, increasing their likelihood of success. Make sure you’re using strong passwords everywhere and not sharing passwords between sites. The best way to do that is to use a password manager. I personally use and recommend LastPass. Make sure you have two-factor authentication set up for your password manager.
It’s likely that the number of people impacted by identity theft moving forward is going to go up dramatically. Most people have been able to stick their heads in the sand and not worry about identity theft unless it actually happened to them. This is no longer a wise or effective strategy. You should assume that you will be targeted. That means that you need to be vigilant from now on, perhaps more so than in the past. Notice suspicious emails, phone calls, and texts. Don’t respond to text or click on links reflexively. Check your bank and credit card statements every month for suspicious charges. Basically, pay attention.
Finally, when you’re done taking the steps above to protect yourself, contact your elected officials at the state and federal level and tell them it’s long past time for better laws protecting the privacy and security of consumer financial data.
In summary, take the time now to protect yourself, or you may end up spending a lot more time later dealing with your identity being stolen. Be quick. Don’t be this guy:
*You’ve probably seen references to the “three major credit reporting agencies,” i.e., TransUnion, Equifax, and Experian. The referenced article mentions a fourth, Innovis. I’m not sure where they stand compared to the other three, but they don’t charge for a freeze and it’s easy to request one from them, so you might as well.
**As far as I can tell, for TransUnion, signing up for their free TrueIdentity service and locking your credit report on the TrueIdentity web site is functionally equivalent to putting a freeze on your report, so that’s what I did.