In the Wake of Equifax
Nobody can know for sure who has been affected, so how do you stay safe?
The recent cybersecurity attack that hit the credit reporting agency Equifax, one of the nation’s three main credit-reporting agencies, over the spring is considered to be the worst data breach of modern times by some industry experts. The company announced on Sept. 7 that it was a victim of a massive data breach that resulted in compromising the personal information of 143 million consumers, including names, addresses, Social Security numbers and birth dates.
According to Equifax, hackers exploited a security vulnerability in a United States-based application to gain access to consumers’ personal files. If an individual has a credit report, chances are pretty good that they are among the millions of consumers whose personal information was stolen.
What To Do If Your Information Has Been Stolen
Advice from Anthony Rutledge, CPA, senior manager at Laporte CPAs
1. Place a fraud alert on your account with all three major bureaus. This is free and lasts for 90 days.
2. Get a copy of your full credit report now so you can monitor for changes. Annualcreditreport.com is the only authorized place to do this for all bureaus free on an annual basis, as required by the federal government.
3. Freeze your credit with all three bureaus. No one, not even yourself, will be able to open a credit account unless unfrozen. There is a cost to freezing and unfreezing your credit, which varies by state, but it is nominal. Equifax is currently waiving fees. Upon freezing, a PIN is provided that will be needed to unfreeze your credit. Don’t lose it.
“It is my understanding that there is a third-party software which is used by Equifax on its website which had a flaw in their program which made their website vulnerable to attacks,” said Matthew Person, managing member of Person Huff CPA Group. “Equifax did not install a security update earlier this year when it became available from this third-party company and therefore allowed Equifax’s system to be susceptible to an attack. The system was hacked and the personal data of these consumers was compromised.”
And while Equifax reports that 143 million consumers were impacted, no one really has any idea how many people actually had their information stolen. With a breach of this size and magnitude, it’s hard to say for sure exactly how many people were affected. Whether you know for sure your information was exposed or not, it is important that you take the necessary steps to protect yourself.
“It’s not clear what happened to all the personal data of the millions of consumers that were hacked on the Equifax website,” Person said. “Consumers have lost more of their sense of security now that their personal data has been compromised by one of the three major data gathering companies. And it is not like you can tell Equifax to not track your information unless you stop using credit cards and all other forms of credit, and start dealing only in cash.”
So, what can consumers do to protect themselves?
“If affected, your data is already stolen, but there are measures to defend against your data from being used,” said Anthony Rutledge, CPA, senior manager at Laporte CPAs. “First, place a fraud alert on your account with all three major bureaus. This is free and lasts for 90 days. Second, get a copy of your full credit report now so you can monitor for changes. Annualcreditreport.com is the only authorized place to do this for all bureaus free on an annual basis, as required by the federal government. Third, freeze your credit with all three bureaus. No one, not even yourself, will be able to open a credit account unless unfrozen. There is a cost to freezing and unfreezing your credit, which varies by state, but it is nominal. Equifax is currently waiving fees. Upon freezing, a PIN is provided that will be needed to unfreeze your credit. Don’t lose it.”
"Consumers have lost more of their sense of security now that their personal data has been compromised by one of the three major data gathering companies."
Matthew Person, managing member of Person Huff CPA Group
“The key to going forward is proactive advocacy over your personal finances,” he said. “There are risks other than credit fraud, such as a false tax return where someone uses your Social Security number to complete a fake tax return and claim a refund that is not theirs.”
Michael Richmond, director of tech services for Postlethwaite & Netterville, suggests filing taxes as early as possible to avoid anyone stealing your personal information and using it to file a fraudulent claim that could lead to losing your tax refund to a thief.
“We are seeing more and more financially driven thefts and this is being done through people’s tax returns,” he said. “Knowledge is power. Protect yourself. In addition to filing taxes early, start looking at your credit reports closely. Consider a credit freeze; it won’t affect your credit score, can be easily reversed, and could be well worth the extra step.”
Northwestern Mutual Investment Services has stated that in the wake of the Equifax breach, and the fact that it affected nearly half of the entire United States population, chances are pretty good that most people’s information has been compromised — even if they have never dealt with Equifax. They advise consumers to take a deep breath, assume their information is at risk and take measures to protect themselves, sign up for fraud alerts, or freeze their credit. If you don’t want to take these steps, it is a good idea to sign up for a credit-monitoring service which will notify you anytime there is activity involving your information.
The company also advises that individuals sign up for online accounts with their financial institutions, noting that someone with your information might do so and you might not know until you see your next statement. Open online accounts with your financial institutions so that they have a record of your online account and password.
When you sign up, it’s a good idea to opt into two-factor authentication whenever possible; this makes it harder for thieves to get into your accounts. And use strong passwords — make them random with special characters and numbers, or use long phrases only you would remember.
Lastly, monitor your financial accounts weekly, if not daily, to ensure all listed transactions are legitimate. Notify your financial institution immediately of any unauthorized transactions or concerns.
“In the case of Equifax, since it is a reporting company it’s important to remember that the people affected weren’t their clients — it was the data that was stolen and probably sold,” Richmond said. “Our personal information, whether we like it or not, was under their control because of credit and services used. It came to them and was repackaged and compromised. People were part of the process without even knowing it.”
“In the long-term it will be interesting to see how things are going to play out for Equifax,” he said. “For consumers, they have learned that they need to monitor their credit and assets closely.”
What responsibility does Equifax bear for this breach?
“It would be best to consult an attorney on legal rights and Equifax’s responsibility in this situation, but there is not much to be done legally until or if your data is illegally used,” Rutledge said. “Of course, class action suits are in the works.”
Take Steps Now to Protect Yourself
- Sign up for fraud alerts.
- Sign up for a credit-monitoring service.
- If you don’t plan on buying a car or a home for a while, consider freezing your credit. You can unfreeze it at any time.
- File your taxes early to avoid someone else filing in your name first.
- Use two-factor authentication whenever possible.
- Use strong passwords — a mix of numbers, letters, symbols and capitals.
- Monitor your accounts daily, or at least weekly.
- Be wary of unexpected emails containing links or attachments: If you receive an unexpected email claiming to be from your bank or other company that has your personal information, don’t click on any of the links or attachments. It could be a scam. Instead, log in to your account separately to check for any new notices.
- Call the company directly: If you aren’t sure whether an email notice is legit, call the company directly about the information sent via email to find out if it is real and/or if there is any urgent information you should know about.
- If you do end up on a website that asks for your personal information, make sure it is a secure website, which will have “https” at the beginning (“s” indicates secure).
- Look out for grammar and spelling errors: Scam emails often contain typos and other errors — a big red flag that it probably didn’t come from a legitimate source.
- Never respond to a text message from a number you don’t recognize as this could also make any information stored in your phone vulnerable to hackers. Do some research to find out who and where the text came from.
- Don’t call back unknown numbers.
(Source: Consumer Reports and local industry professionals)