The Equifax Data Breach

Some notes regarding the Equifax data breach  – updated on 9/29/2017 to include links for freezing your credit, getting free credit reports, getting your medical records, getting your Social Security records, plus some additional security items to consider:

vault-154023_1280There’s been a lot of reporting, and Equifax’s response has changed a bit since the first reports of the data breach, so we’re trying to keep this updated as we can.

(ie. At first, their free credit monitoring enrollment deal for folks who’d potentially been compromised required people to agree not to join a class action lawsuit or some such nonsense, but after an outcry, that language was removed from their agreement and they’ve stated publicly several times now that there is no such restriction).

password-2781614_1920The main thing – as always – is that everyone needs to regularly be monitoring their credit records and make sure that no accounts are open in their names that they don’t expect to be there.

Several credit card companies now provide unlimited free access to your credit reports and scores (Capital One, Chase, etc).

Also, I’m pretty impressed with the free service CreditKarma (supported by ads on their site – i.e. lots of recommendations to apply for credit cards through their affiliate links).  Once you’re on there, there’s an “Accounts” tab and it immediately takes you to a list of all open credit accounts as reported by TransUnion and by Equifax.  Takes about 10 seconds to check.  https://www.creditkarma.com

In addition, of course, you are entitled on one free credit report from each of the reporting agencies once per year. With three agencies, you could get a credit report every four months. Always start from this link to get to your annual free credit reports (there are a lot of fake sites which claim to give them to you but try to sell you other credit monitoring services): https://www.annualcreditreport.com/index.action

The first line of defense is always to keep an eye on the credit records.

This is Equifax’s current Q&A on the situation and the TrustedID Premier that they’re offering folks:  https://www.equifaxsecurity2017.com

To see if you personally were amongst those who’s information may have gotten out, go here: https://www.equifaxsecurity2017.com/potential-impact/

However, one reporter (at the NYT) used Equifax’s “did I get hacked” page to see if he was and he was told “your personal information may have been impacted”.  But skeptic that he was, he then started putting in random names and random 6-digit numbers where they ask for the last 6 of your SSN — and in every case got the same message.  So he speculates that Equifax doesn’t actually know whose data got out there or not and they’re just telling everyone that they may have been affected, which is pretty noncommittal.

Other than monitoring your credit records (as noted above):

Check your Social Security earnings records. Regardless of the Equifax incident, this is something you should be doing regularly — at least once per year — anyway to make sure that the Social Security administration has your correct earnings history.  This is essential as your earnings history is used to determine the benefits you’ll eventually be entitled to.  In fact, we ask all clients to bring in a copy of their earnings records to help in retirement planning.  The SSA used to send paper statements regularly, and still does on a much less frequent basis.  So we encourage you to, as soon as possible, establish your account on the mySocialSecurity system and always have access to the full, up-to-date data.

If you’re having trouble establishing or logging into your mySocialSecurity account online, it may be possible that you’ll have to go down, in person, to your nearest Social Security Administration office to get set up.

You may access mySocialSecurity (and set up your account) here: https://www.ssa.gov/myaccount/

Monitor your IRS Taxpayer Account information.  The IRS has a tool — nowhere near as well-known as the Social Security account tools — which allows individual taxpayers to view the status of their IRS taxpayer information.  By establishing an account on the system you can find out your payoff amount (if you owe taxes), the balance for any years for which you owe, up to 18 months of payment history, and key information from your current tax year return as originally filed.

You may establish an account and then log in and check it here:  https://www.irs.gov/payments/view-your-tax-account

Consider freezing your creditIf you’re really worried, you can actually freeze your credit information on the three reporting bureaus sites, but it’s not free.  Short of actually freezing your credit information (which would make it much harder for someone to open a credit account in your name), most of the rest of the options out there are just variations on monitoring.

The Points Guy – a site which monitors credit card offers and travel deals (and we do recommend keeping an eye – sometimes there are particularly good deals) has written a great article with some more detail about freezing your credit.  A few important things to know: (a) it does not stop “informational” pulls at your credit records – you can still use your credit monitoring tools, and you may even still get offers of credit; (b) it has no impact on you checking your Social Security records or getting your Social Security; (c) the freeze may be lifted at your request, with a PIN – temporarily as you need if/when you do actually want to apply for a new extension of credit (i.e., a new credit card, mortgage or other loan); (d) the costs vary by state, usually around $10 per credit agency, per person to freeze, and another $10/agency each time you temporarily lift the freeze (and you don’t always have to lift all three – if you’re applying for credit, you can ask which agency they are going to pull your records from).

One important note: if you haven’t already created your mySocialSecurity account online — do so before you perform a credit freeze.  Once you’ve got the mySocialSecurity account set up, which allows you to check your Social Security records any time — a freeze will not affect your ability to log on and check again any time.  This caveat also applies if you are planning on establishing a userID and account on the IRS Taxpayer Account system, too.  See above.

Here’s the article from The Points Guy about this:  https://thepointsguy.com/2017/09/what-to-know-about-credit-freeze/

Here are some links to the pages for freezing your credit report at each of the three agencies Equifax | Experian | TransUnion

Watch your taxes: Anyone who hasn’t already filed their taxes (the 2016 deadline is still another month away) could be in danger of someone filing with their information in order to fraudulently claim a rebate.  And, of course, we’ll start a whole new round of worries about this after the new year.

Keep an eye on your insurance (ie. look for EOBs) I’ve seen a note or two about the rise of *medical* identity theft – using someone’s ID info to get medical care and claim insurance benefits in other people’s names — but this seems to be very much less common, at least at this point. (We strongly recommend scrutinizing all EOBs anyway. Medical billing errors happen all the time and are often easily overlooked, particularly when it’s the insurance company which actually pays.)

Get a copy of your Medical Information Bureau (MIB) file. The Medical Information Bureau is a specialty consumer reporting agency (somewhat like the credit agencies) except that it tracks your medical information (particularly used when applying for some kinds of underwritten insurance like life or health insurance).  Your MIP Consumer file may include: any medical and personal information the MIB has about you at the time of your request — and information about any MIB member company that requested or received a copy of your medical and personal information during the preceding 2 or 3 years; plus, if you’ve previously applied for disability income insurance through an MIB member company, you’ll get information about any disability benefits you’d applied for which are on their records.

If someone is using your identity to apply for disability insurance or other insurance — and makings claims on it — the MIB is one way to find out about that.

For more information about your MIB records, or to request a copy of your file, go here: https://www.mib.com/request_your_record.html

Additional Security Measures You Should Consider (regardless of Equifax):

  • Activate two-factor authentication wherever you can.  Two-factor authentication means that when you log into a secure site or app, not only do you need your userID and password, but the system will require you to confirm that you are you in a second manner — sometimes by having them send you a code by text message, or by looking up a code in a separate app, or having them send you an e-mail or even have a robe-call dial you up to tell you the code to use.
  • Use a secure password system and different passwords on everything important.  There are a variety of such apps, such as 1Password (by AgileBits) or LastPass.
  • Secure your devices (phone, tablet, computers, etc) with solid passwords and make sure the drives are encrypted, too.
  • Back up your data.  Some of the malware out there can go and encrypt your data and hold it hostage unless or until you send them payment.  If your data is backed up – preferably a copy on an offsite drive – you can get it back without having to pay.  (You should be backing up your data anyway – too many people have lost precious photos and other things because their hard drive crashed!)21752128_10213882626369261_8306189566977801669_n
  • Never click on suspicious links in unsolicited e-mail. Depending on your e-mail client,
    you may be able to “hover” your mouse over a link and see where it’ll take you before you click on it.  If it doesn’t clearly and obviously go where you expect it to — don’t click it.  Almost anything important you should be able to get to by going to the website in question manually – i.e., type the address yourself directly into your browser’s address line, log in that way, and navigate to whatever you need.  Be aware that folks sending out fake e-mail to try to get your credentials and private information are getting better and better at making those fake e-mails look very much like the real e-mails from service providers (copying text, graphics, etc. directly from them) and even building fake log-in pages which look just like the real ones.  You can avoid them by never logging in except from a page you navigated to yourself.  Be suspicious.  This is what that kind of thing looks like — note the very real looking Bank of America logo, etc — and where that link would have taken you had you clicked on it.

Bottom line — at this point — nobody really knows what the full impact of the Equifax incident will end up being.  Additional security measures are being added in all kinds of places, and some folks are even considering trying to replace the entire system of using Social Security numbers for so much of this.  In the meantime, the main key is to be wary, use all the additional security measures you’re comfortable with (yes, they always add some inconvenience), and especially, continue monitoring all your records.  Most of these are things we really should have been doing anyway and regardless of Equifax.

If you find you have had some account fraudulently opened in your name, immediately report it, document everything, and of course, if you haven’t already done so, implement the credit freezes (which may be at no cost if you’ve already been a victim).

I hope you found this helpful.  Please let me know if you have any questions – or if you have anything to add to this.  We’re all just figuring out what to do.

Disclaimer! We are not specifically endorsing any of the products or companies mentioned in this article.  We get no compensation in any way from any of the companies mentioned. This article is provided for educational purposes only. We encourage you follow up and do your own due diligence.  If you have any questions, please consider contacting a professional.

Note, too, that the image with the fake log-in which pretends to be from Bank of America is purely there as an example and we are not suggesting any security breach has taken place at Bank of America — only that someone had used images from them to try to get information from BofA customers.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: