Identity theft is a nightmare millions of Americans go through every year. It starts when a cybercriminal gets hold of your personal information (Social Security number, birth date, driver’s license number, etc.), and sells it to others who then pretend to be you.
Except it’s you on a spending spree. They might open bank and credit card accounts, or maybe file for a hefty income tax refund in your name. It can take months or even years to find out you’ve been victimized, and even longer to clean up the mess.
A year ago, Equifax, one of the big three credit reporting bureaus, disclosed that a data breach it discovered on July 29, 2017, may have exposed as many as 143 million U.S. consumers to the risk of identity theft. Seven months later, in March 2018, the company announced that another 2.4 million people had their data stolen in the same breach. That means close to half the U.S. population could feel some impact.
The fallout was substantial, including class action lawsuits, a Federal Trade Commission probe , and a move toward more regulation regarding corporate security defenses and timely disclosures. Still, anxious consumers continue to question how such a failure could happen and what’s next.
Here are answers to 10 common questions about the Equifax security breach and identity theft in general:
1. Should I ever Trust Equifax Again?
You don’t have much choice. Equifax is one of three major for-profit credit reporting agencies in the United States. The others are TransUnion and Experian. (There is no federal credit bureau.) Each agency collects and stores financial data submitted by creditors—large and small—you’ve dealt with over the years.
That information goes into the credit reports they sell to lenders, landlords, potential employers, and others. Those folks are their customers. You’re the commodity. That said, your personal stats should be more secure than they were a year ago.
Since the breach, Equifax has hired a new chief information security officer, Jamil Farschchi , who told Wired Magazine the company has invested $200 million in its data security infrastructure.
2. It took nearly six weeks for Equifax to disclose the 2017 security breach and months before we learned even more people were affected. Why so long?
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information.
Still, it can take weeks, months, or longer depending on protocols, to discover a data breach. A company is allowed to delay disclosure if law enforcement asks them to hold off. Of course, it’s also in a business’s best interests to try to get ahead of a hack before announcing it. A statement that reads, “We know what happened and we’ve fixed the problem” comes off a lot better than, “Sorry, folks. We have no clue what going on!”
3. If I didn’t do anything to protect myself when the Equifax security breach was announced, is it too late now?
Yes and no. A 2017 FTC study found that when leaked consumer data goes public, thieves will grab it and get to work trying to use it within minutes. So, the faster you take steps to put protections in place, the better off you’ll be.
If are still concerned about the Equifax breach, check to see if your data was affected . You also can get a free credit report annually from each of the big three credit bureaus, and it’s always smart to review those for errors.
Soon, thanks to new legislation, you’ll be able to freeze your credit for free, as well. New rules in the Economic Growth, Regulatory Relief, and Consumer Protection Act , signed by President Trump on May 24, 2018, should start in September. (Equifax, which planned to provide breach-related free freezes until June 30, told The New York Times they would extend the offer until the new law takes effect.)
4. I keep hearing the terms credit freeze and fraud alert. What’s the difference?
A credit freeze clamps down tight on your credit, while a fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. According to the FTC, a fraud alert may stop someone from opening new credit accounts in your name but won’t necessarily prevent the misuse of your existing accounts.
You’ll still need to monitor all bank, credit card, and insurance statements for fraudulent transactions. The credit bureaus also now offer something called a “credit lock,” which is more convenient than a full-on freeze. But Consumer Reports says a lock doesn’t offer the same protections , so check it out before signing up.
5. Will a credit freeze hurt my credit rating?
No, freezing your credit won’t affect your credit score, and you’ll still be able to get free credit reports annually.
6. How do I contact the three major credit bureaus if I want to do a credit freeze or fraud alert?
For Equifax, call 800-349-9960 or go to their website ; for Experian, call 888-397-3742 or go to their website ; for TransUnion, call 888-909-8872 or go to their website .
7. When I’ve thought about cybercrime, I guess I’ve mostly been worried about somebody racking up charges on my credit card. What else can be compromised if my data is stolen?
Your identity is valuable to different people for different reasons. The big focus is on financial crimes, but the bad guys can use your Social Security number, passwords, and PIN numbers to get medical benefits, file false tax returns, or get certain government benefits.
They can create a fraudulent job history or steal your work if you’re a researcher or writer. They can open utility and other accounts in your name. The possibilities are pretty much endless.
8. If I think I’ve been the victim of identity theft, what should I do?
Report identity theft to the FTC at www.identitytheft.gov or call 877-438-4338. The FTC will use the information you provide to help create a personal recovery plan. Their website also offers a useful guide for how to proceed from there.
9. What can I do on a daily basis, to protect my data?
Practice good personal cyber hygiene.
• Only give out your Social Security number when absolutely necessary. (Just because there’s a space for it on a form doesn’t mean you have to supply it.)
• Don’t respond to unsolicited requests for personal information.
• Pay attention to your billing cycles. If bills or financial statements are late, contact the sender. And review your credit card and bank accounts regularly—at least every month.
• Enable and update the security features on all devices and be cautious when using public WiFi.
• Create complex passwords and change them occasionally.
• Don’t share passwords and PINs.
10. How can I be sure the companies I deal with are looking out for my security?
That’s a tough one. As a consumer, you can take steps to protect yourself, but once you engage with the outside world—by choice or not, as with Equifax—you can only hope companies handling sensitive information have a sound security plan .
When it comes to financial transactions or online services, more and more companies are embracing two-factor authentication (sometimes shortened to 2FA). This means going beyond a simple password and using a second verification tool: fingerprint or facial recognition, for example, or a numerical code.
And when you’re online, look at a website’s URL. If it begins with “https” instead of “http,” it means the site is secured using an SSL certificate (the “s” in https stands for secure). SSL certificates secure all your data as it moves from your browser to the website’s server. To get an SSL Certificate, the company must go through a validation process.
If you’ve been burned by a data breach (maybe even going so far as to get a credit freeze). it can be difficult to build back to the same level of confidence you had before—particularly with businesses that handle money electronically. That’s why it’s so important to do your research. You should always be confident in the type of encryption and the protections put in place by the those handling your finances.
With SoFi Invest®, investors have access to human advisors, but the diversified investment portfolios they create are influenced by sophisticated computer algorithms—or robo-advisors. Robo-advisors actually have built-in protections.
SSL encryption keeps your information safe, and SoFi account holders can enable two-factor authentication (using a verification code), as well as facial identification or Touch ID on iOS. And you can start small—investing with as little as $100.
SoFi can’t guarantee future financial performance.
This information isn’t financial advice. Investment decisions should be based on specific financial needs, goals and risk appetite.
Advisory services offered through SoFi Wealth, LLC, a registered investment advisor.
SoFi doesn’t provide tax or legal advice. Individual circumstances are unique. Consult with a qualified tax advisor or attorney.
The information and analysis provided through hyperlinks to third party websites, while believed to be accurate, cannot be guaranteed by SoFi. Links are provided for informational purposes and should not be viewed as an endorsement.
Advisory services offered through SoFi Wealth, LLC, a registered investment advisor.