Ventura County Computers masthead

What To Do After Equifax

Toby at CIPCUG

In the wake of the Equifax hack, there has been a whole lot of advice, some excellent, some decent and a lot pretty silly. Equifax has a website where you can find out if they think your data was exposed. Unfortunately, the first time I checked on my wife and myself, it reported that we both had probably been exposed. A few days later, I checked again. Glory be, we probably weren't exposed. The third time I checked, my wife was potentially exposed and I wasn't. I'm not the only one reporting conflicting reports from day to day. Basically, I am assuming Equifax is clueless and my wife and I were probably exposed.

We have become used to security breaches, so there is a tendency to say, "This is just another breach." It isn't. Most breaches involve the theft of an email, password and credit card number. That's bad. Equifax involved all that, plus past and present addresses, social security number, driver's license number, all bank account numbers and average balance, all credit cards -- in short, it is a complete exposure of all your financial identities. Armed with this information, it is much easier for a hacker to steal your identity. This breach exposes you to much worse problems than any previous breach.

Freeze Your Credit

Nearly every expert is advising you to freeze your credit. That isn't a bad idea, but it isn't going to help much. In a normal breach, the hacker doesn't know what credit cards you have. With this one, they do. Freezing your credit, prevents unknown financial institutions from accessing your credit. However, those companies that have extended you credit are still allowed to get reports so they can be aware of changes in your credit. So a hacker can apply for a new credit card in your name and as long as he applies at a company you already have a credit card with, he can be approved. He can now get this information from the Equifax hack. Don't get me wrong. Freezing your credit is still a good idea. It's just a lot less protection than it was prior to the Equifax breach.

If you wish to freeze your credit, you need to contact each credit reporting companies. In some states, there is a fee (usually $5 - $10) for each freeze and for unfreezing if you need new credit. Some states are free and some are free for over 65 year olds, as is my state, California. Equifax is has now agreed to waive the fee for everyone until some time in October.

Fraud Alert

You may also issue a free fraud alert on your account. It won't freeze your account, but it does require anyone accessing your credit to contact you to verify that you are giving them permission. Interestingly, you only need to issue a fraud alert to one reporting company. They are required to inform the others.

There are three kinds of fraud alerts:

  1. Initial Fraud Alert: Valid for 90 days, this is designed to be used by people who have their wallets stolen or otherwise fear someone may try to access their accounts.
  2. Extended Fraud Alert: For victims of identity theft, this will protect them for a period of 7 years.
  3. Active Duty Military Alert: For those in the military, this protects them when they are deployed abroad or on a ship and might not be able to adequately monitor their credit. It's valid for a year.

Credit Monitoring

Most experts are suggesting subscribing to a credit monitoring company. That's a good idea. However, I have a problem with most of the reviews and comparisons. The reviews give points for how good the mobile app is, how many credit bureaus are monitored, how long the wait is for customer support and a bunch of other non-essential items. It's because they can test all this out and have an opinion on it. What they can't test and don't report on, or don't report on well is how well do the companies do restoring your credit if your ID is stolen. That's really all that counts given the severity of the data stolen.

IDShield is the only one of the credit monitoring service I have found that in the event of identity theft provides you with a personal licensed investigator to walk you through the options and come up with a plan of action. They, if you wish (and believe me, you wish), will have you sign a limited power of attorney and process all the forms themselves. Cleaning up a stolen identity requires continuous monitoring and processing of disputes in a timely manner. Letting negative information fester does not speed up the restoration process. IDShield will spend up to $5 million to get your identity back. LifeLock will spend $1 million, which is the next highest number. LifeLock will advise you on what you need to do, but you have to file the papers yourself.

Nearly everyone is suggesting that you not take Equifax up on their offer for free credit reporting for a year. Their credit monitoring, Equifax ID Patrol, had low scores before the hack. There is wording in the agreement that you might be waiving our rights to sue Equifax for damages from the breach. Their attorneys say that doesn't apply in this case, but most are suggesting to be careful and get support elsewhere.

Don't Wait for an Income Tax Refund

Lower your withholding from your payroll. Many Americans overpay their income tax and then use the refund as if it were a savings account. Unfortunately, hackers have been filing fraudulent tax returns and getting their victim's refund. While the number of affected taxpayers has declined from almost 700,000 in 2015 to 377,000 in 2016, armed with the Equifax data, expect to see more this year. If you do expect to get a refund, be sure to file immediately. Don't be late.

Watch Out for Spear Phishing

Be hyper-aware of phishing email attacks. We have all received email from banks we don't do business with saying there is a problem with our account. Now, the hackers know what banks we are doing business with, so they will be able to fine-tune their attacks with your name, account number, last 4 numbers of Social Security Number, etc. Remember, never, never, never click on a link to a financial institution in an email. If there's a supposed problem with the account, go to your bank in the normal way -- cell phone app, browser window on your computer or even an ATM -- and check your account. If there's a real problem, you'll see it there. In virtually all cases, there will be no problem at all.

Actually, it is good advice never to click on links or open attachments in almost all email. If in doubt, pick up the phone and call whomever sent you the message and ask them if it was real.

Enroll In My SSA

The Social Security Administration allows nearly everyone to enroll in their system to allow them to plan for retirement. You don't have to be on Social Security to join. But pretty much regardless of your age, you should immediately enroll. If you don't, anyone with the Equifax information could pretend to be you and schedule early retirement to their address, etc. without your permission. Even worse, trying to reclaim your account will be exceedingly difficult. Preempt them. Sign up now. Save your security questions/answers, password etc. very carefully. Enable two-factor authentication so you'll know if someone tries to become you.


Find out from Experian if you are at risk (supposedly):

FTC advice on what to do about Equifax' breach:

FTC Information of freezing your account:

The Social Security Administration's MySSA signup page:

BankRate's advice:

I signed up for IDShield with a representative in Goleta. Emily Atkins has been a wonderful contact for me with the company. If you go to her page, there's a purple menu in the middle of the page. Select "Learn more about IDShield" or Get "IDShield." You can sign up directly, but having a representative is better.

Updated MSeptember 26, 2017