The Equifax Data Breach - what do I need to know:

What do I need to know?

There was a large security breach at Equifax, one of the 3 major US credit bureaus. The Social Security numbers, dates of birth, and addresses of up to 143 million people were been breached between May and July 2017.

For perspective, that would be roughly 44% of the US population.

A smaller number of people also had their credit card numbers, driver’s license numbers, and/or dispute records (from correcting mistakes on the credit report) accessed as well.

Was I affected?
You may not have been but it seems like the safest course at this point is to assume that you were. And if you later find out that you weren’t then that will just be a pleasant surprise.

You can go to https://www.equifaxsecurity2017.com/ and check using your last name and the last 6 digits of your SSN.

BUT be aware of 3 things:

1. It will say nothing stronger than that you “may” have been affected, so it’s whether or not you were affected will remain somewhat unclear. Also, I assume that the site will tell some people clearly that they were not affected, but I haven’t actually found any direct confirmation of that yet.

2. Equifax will try to get you to accept their free credit monitoring service for 1 year when you try to see whether or not you were affected. You might not want to do that just yet because...

3. There are conflicting reports suggesting that the terms and conditions of that service forces you to agree to arbitration and could possibly prevent you from participating in and ultimately being compensated by the inevitably soon-to-be-forthcoming class action lawsuit. It’s not clear either way at this time and I believe that we will have more clarity in a few days.

Should I avoid taking the free year of Experian credit monitoring?

It’s up to you, but I would wait at least for a few days till we know more.

I will try to update this as we learn more.

What can I do about this?

Here are some of the options that could be helpful:

Option 1. Review your credit report now:

You can pull your free credit reports from http://www.annualcreditreport.com/ and review them for any unauthorized accounts. You can pull 1 free credit report from each of the major credit bureaus each year.

The 3 major bureaus tend to mostly overlap, but sometimes one report will contain accounts that the others don’t.

You could stagger them throughout the year (every 4 months) knowing that you might miss something for a few months or pull all of them at once for a complete picture right now but then have no more free access for a year.

Option 2. Put a total freeze on your credit reports. This will cost you a small fee (typically $5 in MN, though it varies by state) each time you freeze or unfreeze at each of the bureaus. This prevents lender access to your credit report so you will need to unfreeze it each time you apply for anything where they may pull credit.

IMPORTANT NOTE: You will need to keep the PIN # they give you or will not be able to “un-freeze” your credit info later on.

You can do at each credit bureau using the links below:

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
(888) 397-3742
www.experian.com/freeze

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
(800) 685-1111
www.freeze.equifax.com        

TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
(800) 680-7289
www.transunion.com/securityfreeze

Option 3. Put a fraud alert on your credit reports. This is less drastic than a freeze but it will only last 3 months.

It will not prevent your credit reports from being accessed, it will just caution lenders to be careful about verifying your identity. This will be for only 3 months (Initial Fraud Alert). A 7 year (Extended Fraud Alert) exists but it is only available if you are already a victim of fraud/identity theft.

https://www.experian.com/fraud/center.html
https://www.transunion.com/fraud-victim-resource/place-fraud-alert
https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp

Here's a link for more info about credit freezes and alerts: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference

Option 4. Review your bank and credit card statements for unusual activity.

Option 5. You could sign up for a credit monitoring service. These monitor your accounts and send you an email when they notice new accounts or other changes. They really don’t prevent anything but they may help you find out about it sooner.

There are free ones (they will email you offers for credit cards, etc. though) and paid ones. Most of the free ones only follow 1 credit bureau. Monitoring all 3 would be better but will can also cost form $180/year to more than $300.

Experian is offering their 3-bureau monitoring service free for a year but you may start being billed automatically once your year is up and, as mentioned above, there is a mandatory arbitration agreement in the terms and conditions that you may want to wait for further clarity regarding.

I have mixed feelings about these services and I don't have a favorite monitoring service to recommend, but here is a list comparing some of the major ones: https://wallethub.com/best-credit-monitoring-service/
Please be aware that Wallethub is probably neither fully independent from their advertisers nor completely unbiased so take any reviews on that site with a grain of salt. In any event, this list could be a place to start if you want to look into some of the (many) options out there. 

What do you recommend for an average person?

I’m torn between what is ideal in an abstract sense and what people will actually get done in the real world amongst other demands and priorities.

If you have the time and energy, doing option 2, followed by options 1 and 4 would be ideal.

If you don’t have that time and/or energy, I think doing option 3 is a good (free) start and/or option 5 is perhaps one of the easier things you can do, if potentially expensive.

Please note that this is essentially an evolving news story and we don't have all of the facts yet. Also I wrote this pretty quickly and I am admittedly a terrible typist. Please let me know privately via email (timothy@thoughtfulfp.com) if you happen to spot any typos or inaccuracies. Thanks! Timothy