After the big Equifax data breach, many consumers are thinking about a credit freeze, which experts say is a good idea. But if you’re under 65 and aren’t sure if you’re a victim of identity theft, you’ll have to pay to have the three credit agencies block access.

Share story

It’s been a week since news broke of what could be the largest hack of credit data ever, and many Americans still aren’t sure whether their financial information is vulnerable.

Along with many other authorities, Washington Attorney General Bob Ferguson this week encouraged all Washingtonians to consider a credit freeze even if Equifax says on its security site that your personal data wasn’t breached.

A credit freeze, the attorney general’s website says, makes it harder for a hacker to open an account or credit card in your name — but consumers must place a freeze with all three credit-reporting agencies, and you cannot open new lines of credit until the freeze is temporarily lifted or removed.

Although Equifax is waiving its fee for credit freezes until Nov. 21, it usually costs to place a freeze, unless you are already a victim of identity theft. Here’s how much they cost in Washington:

Component post 10516426 could not be found.

­Equifax: Freezes are free, for the next few weeks. Removing or temporarily lifting the fee costs $10, according to Equifax’s website, unless you’re 65 or older. If you’re removing a security freeze for a protected consumer — which Washington state law defines as someone under 16, is incapacitated or has a guardian or conservator — the removal fee is $3.

TransUnion: In Washington, it costs $10 to have TransUnion freeze your credit if you’re not a victim of identity theft and under 65. It’s free for seniors. It is free for all consumers to remove the freeze, according to TransUnion’s website. Trans­Union’s website doesn’t mention a waiver for protected consumers.

Experian:$10.95 (which includes tax) to freeze, and $10.95 to remove. If you are over the age of 65, or a protected consumer under Washington law, the fee is waived, according to Experian’s website.

Ferguson’s office encouraged Washingtonians to get the free annual credit reports provided by the three major credit-reporting agencies, spacing the reports out every four months to stay up to date.

Washingtonians who have had their information stolen should report it to the Federal Trade Commission at www.identitytheft.gov and file a police report.

Meanwhile, the facts of what went wrong at Equifax have begun to come out.

Late Wednesday it traced the theft of sensitive information to a software flaw that could have been fixed well before the burglary occurred.

Equifax identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birthdates, addresses and full legal names from a massive database maintained primarily for lenders.

The disclosure cast the company’s damaging security lapse in an even harsher light. The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July.

Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole.

“There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.”

Equifax was already under fire for not disclosing the break-in until Sept. 7 — nearly six weeks after the company discovered it— as well as for its handling of consumer inquiries about their exposure, whether their personal information had been compromised and how they could protect their identities.

On Thursday, Sen. Charles Schumer, D-New York, called for the resignations of CEO Richard Smith and Equifax’s entire board of directors unless the company offers consumers more comprehensive identity-theft protection for the next decade.

“What has transpired over the past several months is one of the most egregious examples of corporate malfeasance since Enron,” Schumer said, invoking the name of a notorious company that manipulated energy markets and eventually went bankrupt.