Consumer Tips and FAQ about the Equifax Breach

By Mike Litt
Consumer Campaigns Director, U.S. PIRG

Last updated on September 21, 2018.

Hackers gained access to the personal data of over 147 million Americans in the Equifax breach. Here are some recommended actions consumers can take to protect themselves and answers to frequently asked questions.

TIPS:

  1. Request a free credit report - all three nationwide credit bureaus will give you one free report per year.

  2. Consider placing a credit freeze (also known as a security freeze) with all three credit bureaus. See our step-by-step guide for getting credit freezes.

  3. Place a free fraud alert if you choose not to get credit freezes. By law, any consumer can place a free, renewable 90-day fraud alert by contacting any one of the three credit bureaus.

  4. Don't accept any deal from Equifax until you understand how Equifax has modified its terms of service, and read our summary of the limitations and potential risks of Equifax’s offering.

  5. If you’ve already been affected, take steps to recover from identity theft by visiting identitytheft.gov.

FREQUENTLY ASKED QUESTIONS:

What happened?

Am I affected?

What should I do?

What is a credit freeze?

Should I accept the package offered by Equifax?

What is Equifax offering? And why does it fall short?

How do I place a credit freeze?

What should the government be doing about this incident?

What do I do if I detect New Account Identity Theft?

What is our consumer team doing to solve the problems?

Q: What happened?
A: Equifax, one of the big three credit reporting agencies, announced on September 7th, 2017 that it had been hacked, potentially compromising the data of 143 million Americans. This number was later updated to 145.5 million and then to nearly 148 million.

The types of information taken from the massive credit bureau, particularly Social Security numbers and dates of birth, are the keys to new account identity theft. This means identity thieves could open fraudulent credit accounts and rack up tons of debt in your name.

Reports on September 14th suggest that Equifax failed to install Apache Struts security updates it was told about two months before its breach.

This is a big deal. To make matters worse, there’s a lot of confusion over what to do now.

Q: Am I affected?
A: Equifax has a website where you could use a tool to see whether your information has been hacked. We saw numerous press reports that it gave different results at different times.[1] Presume instead that it is more likely than not that your information has been compromised.

Q: What should I do?

A: We recommend taking the following steps:

  • Request free credit reports at all three credit bureaus to spot any unauthorized activity. If you request a copy of your report every 3-4 months throughout the year, you are essentially doing your own free credit monitoring. The official website authorized by the government for requesting these free reports is annualcreditreport.com.

  • Consider placing credit freezes on your credit reports with all three credit bureaus. More information about credit freezes and how to place them is provided below.

  • Place free, renewable fraud alerts on your credit report if you decide not to place credit freezes on your credit reports.

  • Additionally, identitytheft.gov is the government’s official website that will walk you through clear checklists of actions you can take to recover from identity theft.

Q: What is a credit freeze?

A:  A credit freeze is a commonsense tool that allows consumers to freeze access to their credit history and scores, denying thieves the ability to open any fake credit accounts in their names. Getting credit freezes at all three national credit bureaus is the best action consumers can take after the Equifax breach, whether they were affected by it or not.

A credit freeze blocks potential creditors such as a credit card company, a cell phone company, or a lender from viewing your credit report, which shows your credit history. Most creditors will not issue new credit to a customer if they cannot see that customer’s credit report or the credit score derived from it from at least one of the three big nationwide credit reporting agencies - Equifax, Experian, and TransUnion. (Credit reporting agencies are also known as credit bureaus.) By blocking creditors from accessing your credit report, you’re stopping identity thieves who apply for new accounts in your name with your stolen Social Security number.

Credit freezes do not affect your ability to use existing credit you already have, such as a credit card or loan. Nor do freezes affect your credit score. In fact, freezes help protect your score by preventing your credit from being negatively scored if someone racks up debt in your name.

You can easily unfreeze or “thaw” your credit report when you want to apply for new credit. Freezes can be temporarily or permanently removed when you want.

Because creditors run credit checks with any one or a combination of the three big credit bureaus, you need to block access to your reports with all three.

Q: Do I need to freeze my report with other credit reporting agencies?

A: As the Consumer Financial Protection Bureau lists, there are many other credit reporting companies besides the three big nationwide providers of consumer reports. Some websites have recommended getting freezes with Innovis and ChexSystems, but as far as we know, their reports are not used by creditors for credit approvals.  

However, some news outlets have reported fraudulent accounts being opened by cell phone companies using credit reports provided by the National Consumer Telecommunications & Utilities Exchange (NCTUE). We therefore also recommend freezing your credit report at NCTUE, in addition to the big three credit bureaus.

Q: How Much Do Credit Freezes Cost?

A: A new federal law eliminated fees for getting and removing credit freezes across the country at all big three credit bureaus on September 21st, 2018.

Q: I have heard that by agreeing to Equifax's offer I am signing away my right to sue? Should I accept what Equifax is offering?

A: Equifax initially offered a package called TrustedID Premier to anyone, whether their info was lost or not, made up of five different products and services. The deadline for signing up for this package was January 31st, 2018, when this offer was replaced by a new offer called Lock & Alert.

Both the original package and the newer offer fall short of protecting consumers. If you take any of these services, be aware of the limitations, also follow our tips above, and consider the following:

To take advantage of Equifax’s TrustedID Premier package, you had to agree to be bound by an online agreement. Equifax’s original package agreement included an arbitration clause, which Equifax could have tried to use to bar victims of the data breach from joining class action lawsuits. After public outcry, Equifax removed the arbitration clause from its agreement.

However, Equifax has a separate Terms of Use agreement on its website which includes an arbitration clause. There remained some concern that Equifax could try to use this clause to bind victims who agree to be bound by the package agreement. Due to continued public outcry, Equifax added language that says this separate agreement does not apply to its free package.

There is still the possibility that Equifax might change these agreements in the future. We advise consumers to generally be on alert for arbitration clauses in agreements with financial companies.

Based on our review of the Lock & Alert agreement and terms of use, it does not appear that consumers are giving up their rights to a day in court, as they are with the separate terms of use on Equifax’s website. But your rights as a consumer are on firmer ground with a freeze under law.

If you choose to take any of the services Equifax is offering, be aware of the limitations of these services and also follow our tips.

Q: What is Equifax offering? And why does it fall short?
A: Equifax initially offered a package called TrustedID Premier to anyone, whether their info was lost or not, made up of five different products or services. The deadline for signing up for this package was January 31st, 2018, when this offer was replaced by a new offer called Lock & Alert. Both the original package and the newer offer fall short of protecting consumers.

TrustedID Premier: It doesn’t hurt to use these services if you signed up for them. However, you should know they are limited and, at best, only alert you to identity theft after it has occurred. Therefore, we also recommend you freeze your credit reports with all three national credit bureaus and

Here are the five services and products included with TrustedID Premier and what the limitations of each are:

  1. Copies of your Equifax credit report

Looking at your credit report is a good idea because you can spot unauthorized activity in your name. It's a good idea to check your credit report at all three bureaus, not just Equifax. You can request free copies of your credit report at all three bureaus at annualcreditreport.com, the official website authorized by the government for requesting these free reports.

  2. Credit monitoring for one year at all three national credit bureaus

Credit monitoring alerts you to changes to your credit reports, which can help you spot unauthorized activity in your name. The types of stolen information, particularly Social Security numbers and dates of birth, can be used to commit new account identity theft against everyone whose info was breached. This means bad guys could open fraudulent credit accounts and rack up tons of debt in your name. Due to huge marketing pushes by credit monitoring services that only alert consumers to fraud after the fact, most Americans are not aware that they can actually prevent ID thieves from opening new credit accounts in their names in the first place by placing freezes on their credit accounts at all three national credit bureaus. Credit freezes help prevent new account identity theft because they keep potential creditors from seeing consumer credit history, without which new accounts are typically not opened. Equifax’s package includes credit monitoring at all three bureaus for only one year. Equifax should make it clear that monitoring only alerts people to fraudulent activity after it has occurred, and they should offer it indefinitely, not just one year. The stolen information does not have a shelf life.

  3. Equifax Credit Report Lock

Equifax’s package also includes something similar to a credit freeze, something they call a “credit report lock,” but only for Equifax reports. Bad guys could still try to open credit accounts with companies that use the other two credit bureaus for credit checks. So a freeze or "lock" with only one bureau is incomplete protection. Equifax should make clear the benefits of the credit freeze. You're better off getting actual credit freezes with all three bureaus, not the one "lock" with Equifax. You can find out how to get all three credit freezes here.

  4. Social Security Number Monitoring

Equifax advertises this service as searching "suspicious websites for your Social Security number." This service by itself wouldn't hurt, but again, the only fraud that can actually be prevented once someone has your Social Security number is new account identity fraud. And the only way to prevent that is through credit freezes. You're best off getting credit freezes with all three bureaus.

  5. $1M Identity Theft Insurance

This is a feature that reimburses you for costs incurred from identity theft. It’s worth noting that you might already have some sort of insurance or equivalent protection from fraud resulting from ID theft that is extended to you voluntarily by your employer, your insurance company (as a rider on your existing homeowner’s or renter’s insurance), or your credit card issuer (as a perk), etc. It’s also important to point out that ID theft insurance, whether offered free or as part of a service that you’re paying for, always has limitations, exclusions, and requirements and usually only covers incidental expenses to clear ID theft problems up, such as postage and notary fees. It doesn’t usually reimburse you for money that’s been stolen from you, and if it claims to cover attorney’s fees, remember that such coverage is usually extremely limited.[2]

Lock & Alert: January 31st was the launch date for Lock & Alert, a service that lets consumers lock and unlock their Equifax credit reports indefinitely for free. This service only blocks access to Equifax credit reports, not credit reports at the other two national bureaus.

Locks appear to block access to credit reports the same way freezes do. Freezes and locks both deny thieves the ability to open any fake accounts in your name. However, freezes are a right mandated by law and not conditional on terms set by companies.

Q: How do I place a credit freeze?
A:

  • You can place freezes online, over the phone, or in writing (info provided below)

  • You will receive a PIN number for your credit freeze with each bureau. You will use this PIN number when you want to unfreeze your credit report to apply for new credit.

  • If you want to temporarily lift a freeze because you are applying for credit or a job, try to find out which credit bureau the business uses to check credit reports. You can save some money and time by only lifting your freeze for that credit bureau.

  • You can temporarily lift a freeze for a particular creditor or for a specific period of time, from one day to one year.

  • Make sure to account for the time it can take to thaw your report. In most cases if you request a thaw online or over the phone, your report can be unfrozen within 15 minutes. However, it can take longer if you don’t have your PIN number that was assigned to you when you froze your report, so make sure to keep your PIN number in a safe, memorable place where you can quickly retrieve it when needed. It can also take up to three days from receipt of your request if you make it via postal mail.

Equifax

Online: https://www.equifax.com/personal/credit-report-services/
Phone: 1-800-349-9960 (automated), 1-888-298-0045 (live operator)
Mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348

Experian
Online: https://www.experian.com/freeze/center.html
Phone: 1‑888‑397‑3742
Mail: Experian Security Freeze, P.O. Box 9554, Allen, Texas 75013

Experian includes a potentially confusing three paragraph “Security Freeze Warning.” They are just explaining that you will need to unfreeze your credit report before applying for credit if you ever wish to do so in the future.

TransUnion
Online: https://www.transunion.com/credit-freeze/place-credit-freeze
Phone: 888-909-8872
Mail: TransUnion LLC, P.O. Box 2000, Chester, PA 19016

National Consumer Telecommunications & Utilities Exchange

Online: https://www.exchangeservicecenter.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
Phone: 1-866-349-5355
Mail: NCTUE Security Freeze, P.O. Box 105561, Atlanta, GA 30348

Other Identity Theft and Privacy Tips

Our other resources, including descriptions of different types of ID theft; checklists  for preventing, detecting, and resolving ID theft; a checklist for protecting your online privacy; and links to additional resources are available here.

Q: What should the government be doing about this incident?

A: Investigations by the Federal Trade Commission, the Consumer Financial Protection Bureau, and state attorneys general have begun and are important steps in holding Equifax accountable to consumers who had no choice about being in a relationship with the company to begin with. Potential criminal wrongdoing should also be investigated.

The best way to protect consumers would be to freeze everyone’s credit reports by default. But making them free to all who take the step to opt-in to get them is a policy we have long advocated for.  

A new federal law finally eliminated fees for getting and removing credit freezes across the country on September 21st, 2018. (While the new law saves consumers money on credit freezes, overall it has negative implications because its primary provisions weaken oversight of banks the same size as firms that contributed to the ‘08 economic crash and will increase the likelihood of bad mortgages, racial discrimination in the marketplace, and risky banking practices.)

In addition to freezes, there is much work the government should do to ensure breaches like Equifax’s don’t happen again. An agreement between eight states and Equifax which requires the company to fix its data security flaws is a good first step but unfortunately did not include penalties. Equifax had security measures before its massive data breach. But it failed to detect and fix a security flaw it was told about and then bungled its response after the breach. Clearly, Equifax needs more oversight and the specter of punitive action if it fails to protect our data or handle future security problems responsibly.

Earlier this year, Sens. Elizabeth Warren (MA) and Mark Warner (VA) introduced the Data Breach Prevention and Compensation Act, legislation that would implement annual cybersecurity inspections at Equifax and the other national credit bureaus and levy fines against them if they have future breaches. If this policy had been in place during the Equifax incident last year, Equifax would have paid at least a $1.5 billion penalty, half of which would be returned to consumers affected by the breach.

Even with everything the Equifax breach has brought to light, many in Congress are trying to dismantle the Consumer Financial Protection Bureau (CFPB) and get rid of protections, including our right to a day in court with companies like Equifax. In fact, Congress repealed this new protection last November before it could even go into effect. Protecting consumers is not a left-right issue, it’s a little guy-big guy issue.

Q: What do I do if I detect New Account Identity Theft?

A: Take the following steps.

Step 1: Notify your financial institutions. If you discover that your wallet, checkbook, credit card or other sensitive information has been lost or stolen, immediately notify the issuing bank, credit card issuer or relevant institution to close all existing accounts.
Step 2: Get copies of your credit reports and place fraud alerts. Contact the three major credit reporting companies and place a fraud alert on your accounts. If you haven’t already, it’s time to place credit freezes.
Step 3: File an Identity Theft Report. If you suspect identity theft, report it to the Federal Trade Commission using the online complaint form or by calling 1-877-ID-THEFT.
Step 4: You might decide to file a police report.

More detailed steps can be found at the FTC’s IdentityTheft.gov website.

Q: What is our consumer team doing to solve the problems?
A: Plenty. First, we were there from day 1, spreading the word through the media and on social media about how consumers can protect themselves. We have also been there every step of the way as Equifax continues to fumble its response, calling for the best policies to protect consumers and make sure another breach like Equifax’s doesn’t happen again.

We testified before Congress urging it to address these issues and more, and reject legislation that would actually weaken protections at the credit reporting companies. We also worked with several state policymakers to make credit freezes free this year. And we'll continue to hold the companies accountable through our research, reports, consumer tips and media outreach.

1. Brian Krebs, “Equifax Breach Response Turns Dumpster Fire,” Krebs on Security, September 8, 2017

2. Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation, personal communication, 17 September 2015

3. Because credit freezes are the only way to prevent new account ID theft, the best public policy is for everyone’s credit reports to be automatically frozen until consumers give consent to lift the freezes on their reports for credit checks.
