I share a tweaked version from the SANS Institute. In my opinion, steps 3, 4, and 5 are the most useful. #3 costs $5-10 per bureau and requires you to unfreeze each as needed - so be advised. I add that annualcreditreport.com is the only legitimate (by that I mean truly direct to the bureaus AND free of charge) way to check your credit once per year at the three main bureaus. Due to the volume of activity at the bureaus now, calling the phone numbers below may be the most effective way to act.
In addition to the options below for this incident, remember to stay wary, skeptical, and safe; do not click stuff that you do not trust.
Equifax is one of four credit rating services, called Credit Bureaus; the other three are Experian, TransUnion and Innovis. These companies harvest and sell your financial data and credit ratings, plus that of effectively every United States citizen. Equifax announced that they were hacked between mid-May and July 2017 and discovered the incident on 29 July. Over 143 million records may be compromised, including names, Social Security Numbers, addresses and, in some instances, driver's license numbers. This is a big deal. If your credit card gets compromised, that can be changed. SSNs, birth dates and full names are MUCH harder to change. This is not your fault. Companies collect a huge amount of data about people, data that you have no control over and can do little to protect. This situation is Equifax's fault. As with all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Here are some steps that you might consider.
- Equifax Website: Equifax has created a website where you can learn more about the incident. One of the options they offer is you can check to see if your data is believed to be compromised. While this is a nice feature, operate under the assumption that your data has been hacked as Equifax could be wrong and/or is still trying to figure out what happened.
- Credit Monitoring: You can sign up for free for Equifax's TrustedID credit monitoring service (Note: you may be asked to come back later to set it up; it appears that Equifax is scrambling to get the free registration service functional. In addition, if you sign up for the free service, you may limit certain legal recourse which you might have otherwise had.). Credit monitoring does NOT protect you from credit card fraud; this is a common misconception. What a credit monitoring service does is notify you when someone is attempting to commit Identity Fraud in your name, such as registering for a new credit card or bank loan. Some services also help you recover from Identity Theft. Here is an excellent write-up by Brian Krebs on the limitations of Credit Monitoring.
- Security Freeze: This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze locks your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you!) a loan or credit card. The challenge is that you have to manually set up and pay for a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit service. But then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding writeup of what a Security Freeze is and how to get one. Here are the details where you can submit for a credit freeze with each of the four credit bureaus.
- Monitor Financial Accounts: Watch your bank and credit card accounts carefully. Many of them have a service where they notify you (via text or email) if a bank withdrawal or credit card charge is over a certain limit, or they can send you daily reports of your activity. We highly recommend that you enable at least one of these.
- Social Engineering Attacks: Be warned, in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. This is why we have an active security awareness program, to help you understand and defend against attacks like these.
If you do get hit with Identity Fraud, the FTC has created a site to help you recover. The Equifax situation will be fluid, so expect frequent new updates and findings. However, the behaviors above apply regardless of how the situation changes, so we recommend that you focus on those.
FREEZING UPDATE, from a commenter named Mike on Krebs' blog
SPECIFIC PHONE MENU OPTIONS TO SELECT:
Equifax: 866-349-5191 choose option 3 for a "Security Freeze"
- Press 2 "To learn about fraud or ADD A SECURITY FREEZE"
- Press 2 "for security freeze options"
- Press 1 "to place a security freeze"
- Press 2 "…for all others"
- Enter your info when prompted
- Choose option 3, you'll be prompted to enter your zip code, SSN, and so on
- Press 1 for English
- Press 3 "to place or manage an active duty alert or a SECURITY FREEZE"
- Press 2 "to place or manage a SECURITY FREEZE"
- Enter your info when prompted
Each automated system will try to push you to the company's website; ignore that! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze.