You’ve probably already heard about the massive data breach at Equifax, one of the three major US credit bureaus. The company says that up to 143 million people may be affected, which is almost half of the entire population of the United States. The stolen data may include names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In other words, just about everything you might need to commit identity theft. Equifax has a “potential impact” web site (update: the site has changed, this appears to be the new one) that will supposedly tell you if you were affected, but there have been mixed results in practice. If you were affected, it will send you to enroll in their TrustID credit monitoring service, and then tell you to come back in a few days to do it. They are frankly not handling this well, and the lawsuits are already coming.
Step One: Mitigating Identity Theft
So what should you do? I would go ahead and take the free monitoring service, when it becomes available. It can’t hurt (and shouldn’t prevent you from participating in a class action suit). But there are two other things you should consider strongly: either a credit freeze or a fraud alert.
A credit freeze will prevent any new requests for your credit history, which should stop anyone (including yourself) from getting a new credit card or opening a loan in your name. You will have to do this by contacting each of the three major bureaus (Equifax, Experian and TransUnion). Thanks to recent legislation, this process is now free. Note that credit histories are used for many other purposes, so a freeze might also interfere with applying for a new job, signing up for a new service (e.g., phone, cable, utilities), or even the above-mentioned credit monitoring. You can always ‘thaw’ your credit temporarily and re-freeze it. For this, you will need your PIN – which will be mailed to you when you freeze your credit.
The simpler option is a fraud alert, which is less effective but easier to do. A fraud alert will simply require credit institutions to do a little more verification before allowing credit to be opened in your name (usually this means trying to contact you). Unlike the credit freeze, you only need to contact one of the three agencies and they are required to tell the other two. Unlike freezes, fraud alerts only last one year, though you can renew them as many times as you like. (If you can prove you have actually been a victim of identity theft, you can get a 7-year fraud alert.) I would do this immediately, and then after signing up for Equifax’s free monitoring service, you can consider implementing a full credit freeze.
Step Two: Basic Security Hygiene
Your next steps should be to beef up your general security – things you should already be doing, but things that become much more important in the wake of this horrific data breach.
- Use strong, unique passwords for your important accounts (financial, email and social media). Do not repeat passwords! To help with this, use a password manager like 1Password, LastPass, KeePass, etc.
- Set up and use two-factor authentication for these same accounts. This means you’ll have to enter a password and a one-time PIN code. (This is usually only for the first time you log in from an unknown location.) You can search for your service here and get quick links to help.
- Get your free annual credit reports from each credit bureau. I would recommend spreading them out – do one every four months, rotating through each of the three services. Set a repeating annual calendar reminder for each one, maybe Experian in January, Equifax in May and TransUnion in September.
- Keep a close eye on your credit card, bank and other financial statements for suspicious activity.
Stay tuned… I’m sure there will be more on this soon. My radio show and podcast will delve into this a bit further later this week.
UPDATE: This is another excellent article on credit freezes and fraud alerts.
UPDATE 2: Great article on the broader issues for democracy and privacy. The above is about you; this article is about everyone. The market is not able to fix these problems; it’s going to require legislation – and that means you need to be informed and lobby your representatives.