The massive data hack at Equifax may be the nudge you need to finally sign up for permanent freezes on your credit files.
It’s time for all of us to play defense, because Equifax clearly did not.
In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.
The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed.
On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax webpage. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.
By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.
So my default assumption quickly switched to this: Equifax has no earthly idea who is affected. I tried calling a phone representative for clarification, too, but she gave me incorrect information about the nature of the company’s offer to consumers and then told me to just use the website when I went about correcting her. Equifax did not respond to an email and a phone message seeking comment.
Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.
That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.
And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?
Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.
Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?
So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.
In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?
Once you do (and it may take a little time to complete the process), the bureaus are not supposed to release your credit report to any company except the ones that already have you as a customer. Why is this important? When a thief shows up with your Social Security number and address to apply for credit in your name, the lender will go to fetch your credit report before anything else happens. If it can’t retrieve the report because of the freeze, then no new account for the thief.
You can thaw your freeze every time you want to apply for new credit by using a personal identification number that the companies give you, which you absolutely should not lose. This costs a few more dollars. (Would it kill Equifax to waive these fees for a while, given the circumstances? Or how about forever?) The process is annoying, but it takes only about 15 minutes to do this at all three of the big agencies. Those precious minutes, by the way, are also why the credit bureaus hate freezes. They gum up the works and make it harder for them to peddle your files to credit card companies and such, thus making ever more money off your data.
A credit freeze is different from a fraud alert, though you should also request one of those in the wake of the Equifax breach, for the longest possible time on offer, from Equifax, Experian and TransUnion as well. Once that free alert is in place, potential creditors should contact you for confirmation anytime you (or a thief) tries to open up a new account.
Some people also use credit monitoring services that ping you every time there’s a change in your credit report, but I’ve always found them to be anxiety-producing. Instead, I check one of my credit reports for free every four months at annualcreditreport.com. That plus the permanent security freezes are enough to keep me sleeping well at night.
Or at least it used to be. I have always worried that a giant breach would someday come to one of the big credit reporting agencies, and now here we are. The data is out there, and thieves may use it in ways that freezes cannot thwart. They may try to gain access to other people’s health insurance, file tax reports in their names on Jan. 2 to claim a big refund and do other things that we haven’t even thought of yet.
And then there’s this: A security freeze doesn’t protect you if the thieves break into the vault of the company that maintains the freeze. That’s what happened here, and we will now spend years seeing what happens next.