Equifax - what now?

Warning: this is a long post.

Surely by now you already know about the worst data breach ever.

"Ugh, what should I do?!" you may be asking.

The first thing is to understand how this can impact you. Here's a list of the things that (we know) were stolen:

* social security numbers
* driver's license numbers
* home address
* credit card numbers
* "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."

Because the investigation is "still on-going," it's better to assume that anything we've ever submitted on a credit application (or any application that gets sent to credit bureaus) has been stolen.

"Is there hope?"

Probably not.

"So, what now?"

I'm glad you asked.

I've boiled this down to 5 broad things that need to be done, and then we'll dive into the specifics of how to execute this plan.

==The order of these steps really does matter!==

* First, we need to be able to assess the damage **and** check for someone stealing your identity in the future.
* Second, we need to do what we can to prevent criminals from opening accounts in our name, or further damaging our credit.
* Third, we need to check our statements.
* Fourth, we need to make sure the right people know that this happened, and to be on the lookout for fraud.
* Finally, we need to have some sort of protection/assistance should a full identity theft event take place. This is not something you want to go at alone.

Seems simple, right? Good! It will take some time so please don't be discouraged.

Note that throughout this, you will notice I emphasize certain things. Please take note.

There is a lot of fraud, products and services that will try to take your money, and that's bad.

I've put my sources at the bottom of this article and you're free to check them out. What I put here is what I do personally for me and my family.

Assessing the damage

This step IS free!!

The way we attack this step is to make sure that we have a copy of our credit report, and that we check it annually. Thankfully, the government says we're entitled to a free copy annually. ==Do not pay for this!== ==Do not do a web search for 'free credit report'!==

The only place to get this from is: annualcreditreport.com

Next, we need some sort of "realtime" monitoring that can alert us to changes to our credit file. You do not have to pay for this. There are many services that you can pay for, but your money is better spent elsewhere (I'll show you soon). Go to Credit Karma and set this up for yourself and your spouse. By doing this first, you maintain your monitoring even after freezing your credit (coming soon, wait for it!).

Prevent further damage

This step is NOT free!! (it's also the longest)

If you think this is starting to sound like an incident response scenario - that's because it is!

Next we need to freeze our credit. This is not a silver bullet that solves all problems. This also can create some inconveniences. It is worth it.

Now, you will be presented with many terms that sound like freeze, but they are not the same. Credit bureaus do not like credit freezes for many reasons, and so they try to trick you into not doing them. Don't fall for it!

Each state has different laws on what the fees are for this step, per bureau. Find yours here - hint: you can search for your state name because this page is really long. As of this writing, some of these bureaus are waving fees or reducing them, your mileage may vary.


* Equifax set up a website to let you check to see if your information was impacted. Hint: it's a waste of time, just freeze your credit.
* don't bother with a fraud alert, it's pointless
* don't let them sell you anything
* don't pay for **anything** other than the fee to freeze your credit
* don't "lock" your credit - that's another service they offer that does nothing more than a freeze does

are you sensing a theme? yes, the company that was unable to protect your data wants you to pay them to protect it. let that sink in.


* these guys are tricky, and make you go through multiple steps to freeze. 
* I personally would not use their 'TrueIdentity' product, even though it's free.

* remember, locking is *not* freezing.


* they don't make it easy from their homepage
* from the link above, you should see this screen:

If not, click here and follow these 2 steps:

Innovis: www.innovis.com

* this is a smaller bureau that many have not heard of
* It's not clear which creditors report to, or pull data from this bureau, but freeze it.

Each bureau is going to give you a PIN. You must keep it FOREVER and never lose it. I use LastPass to keep all of my passwords, PINs and other personal data secure. I highly recommend it. The premium version is $24 per year, and syncs across all your devices. Well worth it!

Alternatively, you can print and put them in a safety deposit box, but you'll need them if you ever apply for credit.

deep breath. it's almost over.

Monitor for future damage

This step is free!!

We need to keep an eye on our credit card and bank statements. Personally, I use my debit card for most things and I set up alerts so that every transaction or authorization that hits my credit card alerts my phone. That may be too much for you, but it's a great way to do early detection. Online banking is a thing, if you don't have an easy-to-use online banking system, please change banks. In 2 clicks I know all of my recent/pending transactions and my balance - there's zero reason to take any longer than that.

==So, go ahead and check your statements. I'll wait ;-)==

Alert the good guys

This step is free!!

This step taken from Brian Krebs:

"It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link."

This can be done over the phone, online and through the mail. The idea is that it helps add a layer of security to your identity.

Second, after alerting ChexSystems, make sure you opt out of prescreened offers. This not only keeps thieves from getting easy access to credit in your name, it also stops your mailbox from filling up with junk. #winning

Also from Brian Krebs:

ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit www.optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies.

To opt out permanently: You can begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.

Build up our defenses

This step is NOT free!!

There are lots of services that want to sell you "credit monitoring" and "identity theft protection" - all of which do absolutely nothing.

They simply passively monitor your credit and just say "Hey, someone opened an account in your name. Hope it was you!"

Well, if you've been doing these steps in order, you already have that in place with Credit Karma. Does it cover all networks and transactions? Nope. But neither do the other guys, and they want you to pay for theirs.

So what on earth can we do?

Zander Insurance ID Theft Protection

This is a product that provides you with some credit monitoring (bonus points), but the primary use here is for an agent to be assigned to work on your behalf if your identity is stolen. It's $145 a year for an entire family (defined as a household - not your parents, in-laws, siblings, etc). Here's a list of what this covers:

* Unlimited Recovery Services
* Personal Information Monitoring
* Change of Address Monitoring
* Social Security Number Monitoring
* $1 Million Stolen Funds Protection
* $1 Million in Reimbursement Protection
* Certified ID Theft Specialists 24/7/365
* Data Breach Notifications & Credit Report Reminders

It's worth it. It's the cost of one fancy coffee per week. Brew your coffee at home one day.

That's it! Now to the boring stuff.

Credit freeze notes

Credit freezes create some inconveniences. When you freeze your credit and need to apply for credit (mortgage, car loan, credit card, etc.), you have to thaw it. This process allows creditors to temporarily access your credit file for whatever you're applying for.

To thaw your file, simply go to each bureau and go to the appropriate section to lift a credit freeze or thaw your file. They will ask for your PIN (provided during the freeze), and then choose how long you want your credit to be open. I personally have done this several times, and the thaw generally takes an hour to "take effect." It's super simple and automatically closes at the date you specify.

It's also not complete. Unfortunately, not all creditors will even check your credit file when issuing credit (weird, isn't it?). This is why checking your credit file annually is so important. Did I mention it's FREE?!

What about the kids?

It's unlikely that minors have credit files. If they do, you should consider it. State rules differ, so make sure you look into the specifics for your state.

More info available here and here.


Well now, seems like there's a lot of information here, and you may not even believe a word I wrote. So, here are some links to specific articles I used to help write this, along with some folks that are way smarter than I am.

The Equifax Breach: What You Should Know (Brian Krebs - information security journalist, highly respected in the industry)

How I Learned to Stop Worrying and Embrace the Security Freeze (Brian Krebs)

Seriously, Equifax? This Is a Breach No One Should Get Away With (NYTimes)

Equifax data breach FAQs: Answers to your biggest questions (Clark Howard - financial expert, consumer advocate, penny pincher)

This story is just beginning - warning, this is really just for nerdy people: Ayuda! (Help!) Equifax Has My Data! (Brian Krebs - this is an update on the investigation - such abysmal handling of security)

The Equifax Data Breach: What to Do (FTC)

How to defend yourself against identity theft after the Equifax data breach (USA Today)

40 days after discovering data leak, Equifax warns that 143 million US consumers could be at risk (Graham Cluley - Security Journalist, helped write the first ever Windows AV program)