SAN FRANCISCO – Most US adults are affected by the hack. Here’s a step-by-step on what to do. One of the largest data breaches in history has left 143 million people wondering if their highly personal data has been exposed to hackers. For now, Equifax doesn’t explicitly tell you if you were a victim, and in 99.99 percent of cases (yes, literally), it won’t notify you by direct mail. But, if you’re concerned you’re vulnerable to identity theft because of the breach, this guide is for you.
But first: A quick recap
Equifax, one of the three major credit bureaus, lost control of customer data that included Social Security numbers, home addresses, credit card numbers, drivers license numbers and birth dates. The company estimates that the data of 143 million people were exposed, which equals roughly half the US population. That means that the chances you are affected are pretty high.
Even though Equifax set up a program to help people protect their potentially exposed data, it might not give everyone complete confidence in keeping their identities secure. Here’s why:
The breach could have started as early as mid-May 2017. That means that the data of 143 million people were exposed for more than three months. It’s unclear what the hackers did with the data during those months.
Those who are concerned with Equifax’s ongoing site vulnerabilities will have to take matters into their own hands. (Which is what this guide is for.)
You don’t have to wait to enroll in Equifax’s program to start protecting yourself against the hack. Here’s what you can do.
Step 1: Enroll in Equifax’s program (or just move on to step 2)
Equifax’s identity protection program, Trusted ID, is being offered to anyone who wants to enroll. The program is designed to help prevent identity theft and tampering with your credit. If you’re willing to give Equifax another chance, you can sign up for the program here. But, be aware: the checker that lets you know if you were hacked might be broken and enrolling in the program prevents you from participating in a class-action lawsuit against Trusted ID, but doesn’t prevent you from participating in lawsuits related to the cyber attack.
Because of these circumstances, we recommend that, for now, anyone with a credit history should assume they were affected by the hack.
Step 2: Check your credit reports
More than three months passed between the time the breach may have started and now. We’re not sure if the data of those affected was used maliciously during that period, so consider looking through your credit reports for any suspicious activity. The US government guarantees everyone a free annual credit report from the three major bureaus — yes, including Experian. You can get those reports here. (UK citizens can find links to credit agencies here.)
When looking through your reports, keep an eye out for new accounts you didn’t open, late payments on debts you don’t recognize and any other activity that looks unfamiliar.
If you suspect someone used your identity to open credit cards, take on loans, or reopen closed accounts, contact the credit card company’s fraud department immediately. You are not responsible for charges made on a fraudulent card, but you have to report the issue in a timely manner. Once you’ve reported the fraudulent credit, follow this guide to recovering from identity theft.
Step 3: Freeze your credit
It’s still early days, so even if your credit report comes back clean, remain vigilant about protecting your credit. One of the most reliable ways to prevent someone from opening credit cards in your name is to place what’s called a “credit freeze.”
When you freeze your credit, you (or anyone masquerading as you) will be required to unfreeze your account by providing the PIN you got when you froze your credit.
To freeze your credit, contact each of the credit bureaus using these phone numbers:
The process is usually automated and can be completed within a few minutes. Just be sure to write down your PINs in a secure place.
Step 4: Set a fraud alert
A fraud alert is another way to make it hard for identity thieves to open accounts in your name. When a fraud alert is set, credit card companies will be required to verify your identity before opening an account. That, combined with the credit freeze, is a great way to keep your credit secure.
To set a fraud alert, contact just one of the credit card bureaus and ask for an initial fraud alert. Once the alert is set, it will last 90 days. After that, you’ll have to renew it. Here are the appropriate phone numbers for the bureaus (remember, just call one):
Step 5: Repeat the process for your loved ones
Because Equifax is not notifying those affected through direct mail or email, some people will be left without the resources or tech savvy to protect their identities or find out if they were compromised. With that in mind, consider helping your loved ones — especially the elderly without computer access — with the above steps.
Watch out for tax season
It’s still too early to know if and how the data exposed in Equifax’s breach will be misused, but one major concern comes around during tax season. Identity thieves can use stolen Social Security numbers to file fraudulent tax returns and receive refunds.
This column was published in CNET