On Equifax, and what to do when passwords can’t protect you

Data breaches are, sadly, old hat these days. When Watchtower lets you know one of your passwords has been compromised, you sigh and mutter a few expletives, unlock 1Password, and start generating new ones. But what happens when the compromised information isn’t so easily changed, like your date of birth or social security number? That’s exactly what happened to me and 143 million of my fellow Americans just last week.

This is scary, in part because banks use this information to validate identities in the United States. Jeffrey Goldberg, our Chief Defender Against the Dark Arts, has written about this more in-depth, but in short, identifiers banks use for authentication (including SSNs) were not meant to be kept secret. This means the identifiers that were compromised are all criminals need to open accounts in our names, rack up bills, and leave us with the tab. There’s nothing to change this time around, but you can still protect yourself. Here are some steps you can take to do just that.

Keep it on ice

A security freeze is available to anyone — for a fee — and may be free for victims of identity theft. A credit freeze will prevent anyone from viewing your credit report and prevent any new accounts from being opened in your name until you lift the freeze (either permanently or temporarily). Here in Texas, fees are waived for victims of identity theft. Otherwise, it’s $10 to place the freeze on an account and $10 each time you lift it. These fees will vary by state, so be sure to check what fees apply in your state.

A fraud alert is less intrusive (and free), but it also provides less protection. With a fraud alert, businesses can still request and view your credit report, but must verify your identity before they issue new credit. This is usually done by contacting you directly, but some discretion is given to creditors to decide how they want to verify identities making a fraud alert less reliable than a security freeze. You can place a 90-day fraud alert for any reason and renew it when it expires. If you have already experienced identity theft and have filed a police report, you may be eligible for an extended fraud alert, which lasts seven years.

Constant vigilance

Whether or not you’ve been directly affected by this breach, monitoring your credit is important. Just like you monitor your online accounts for unauthorized access, you should always take advantage of resources available to you and keep an eye out for unrecognized activity on your credit report. All Americans are entitled to a free credit report from each credit reporting agency (CRA) every year. Many banks and credit card providers also offer free credit monitoring to their customers, which will alert you to any changes on your credit report. Although credit monitoring will not prevent identity theft or stop unauthorized accounts from being opened, these services will inform you of changes to your credit report allowing you to take appropriate action quickly.

Always be prepared

In essence, Experian, TransUnion and yes, Equifax, have control over our access to the standard-issue American Dream. Data held by these companies is used to determine if we qualify for a mortgage or a car loan. Employers and landlords may also perform credit checks to determine who to hire or rent to. CRAs are required to correct inaccurate information, but it’s up to us to monitor our credit reports for errors and take action to correct them. If you find an error on your credit report, Patrick McKenzie has some great advice in this Twitter thread:

He also published a blog post to help you set things right and, if you find yourself needing somewhere to store that paper trail Patrick helped you create, you can stash copies in 1Password for safe keeping. If everything looks fine now, don’t sit back. We know 1Password customers care deeply about data security and, though your credit report isn’t secret, it still contains important data and ensuring that data is accurate is how you protect it. Take the time to check it regularly and take action when needed, both in the wake of this breach and always.

If you’d like to learn more about protecting yourself from identity theft, both state and federal agencies offer free resources and services to American consumers:

Federal Trade Commission
State Attorney General’s Office
The Consumer Financial Protection Bureau

8 replies
  1. Charlie Brenner
    Charlie Brenner says:

    “That’s exactly what happened to me and 143 million of my fellow Americans just last week.”

    Not exactly. It happened to us in July, and Equifax hid the truth from us until last week, putting the victims of their incompetence at even greater risk. What were Equfax executives doing during that time? Some of them were busy selling millions of dollars worth of stock. The company says those guys didn’t know about the breach.

    The fact that Equifax and the other credit agencies are going to profit from this, selling freezes and monitoring services, is nauseating.

    Reply
    • Kate Sebald
      Kate Sebald says:

      A fair criticism, Charlie. I should say we learned it happened last week. I honestly made a conscious choice not to get into the details of the breach itself and everything that has come out since in this post. I’ve read everything you mentioned here and then some and have definitely gone on my fair share of rants about the whole thing, which has been somewhat therapeutic, but otherwise unhelpful. I’ve been trying to stay calm and focus on what I can actually do now, which is what I chose to focus on in this post. Feeling like I’m doing something to address the problem always makes me feel better, even if it doesn’t completely fix things, so I hope it helps others as well.

      Of course, I’m still angry and we all should be. I sincerely hope this incident can serve as a wake-up call for not only credit reporting agencies, but for all businesses that hold sensitive consumer information. What data is sensitive is always changing. Companies need to be constantly assessing whether the information they hold may warrant greater security measures and, if it does, they need to actually implement those security measures. And yes, when something does happen, they need to do a much better job of informing consumers and responding to these incidents. At many companies, data security isn’t the priority it should be in the modern age and I really hope this pushes corporate leaders to change that. Beyond protecting ourselves in the wake of this breach, we really need to put a greater focus on preventing the next one and maybe this really big, really serious breach is finally the one we needed to open our eyes as a country and actually do something about it.

  2. Ali Shah
    Ali Shah says:

    Great post! Very informative, glad you guys touched on this. It’s a very important topic.

    As always, the cute visuals you guys do (the frozen paper in the icicle or the watchtower itself) are so nice to see.

    Whoever designs that stuff is awesome!

    Reply
    • Kate Sebald
      Kate Sebald says:

      Thank you, Ali!❤️ Patrick McKenzie deserves credit as the inspiration behind this post. I haven’t had quite the in-depth experiences he has with credit issues, but I have had to deal with a few hiccups along the road and I would have been much better off with his amazing advice. I was delighted when Dave asked me to share Patrick’s amazing post, along with lessons I’ve learned from my own experiences, and hope this helps other avoid the frustrations Patrick and I have been through. This also gave me the opportunity to pick the brains of some of my awesome teammates for additional tips, so they deserve a lot of credit for helping me out as well.🙂

      I’ll also be sure to pass along your praise to our design team. I absolutely love our little cast of characters and I’m glad to hear Benji’s cute little buddies could bring some light to a somewhat grim post. I’m sure he and the whole team will be delighted to hear their work is appreciated.❤️

  3. Chris R
    Chris R says:

    That was a great resource from Patrick McKenzie you pointed to. Very US-focusd, but useful none the less. Apparently 40 million plus UK customers may also be in the breach, so I’d certainly like to find out what the equivalent UK rules are!

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Chris! It was a wonderful resource and one I definitely wish I had years ago when dealing with my own credit report inaccuracy. I think it could have saved me quite a few letters and phone calls. I’m glad I’ll have his blog post on hand should anything happen to me following this breach and that I could share it with all of you.

      I also did read that UK customers and some Canadian customers may also be affected, but the articles I read didn’t make it terribly clear whether the same sort of information had been leaked or if it’s something different entirely. And, of course, as an American I’d likely be of little help to y’all. I actually just hopped on reddit (don’t tell Dave) to check and see if the UK Personal Finance subreddit had any info for us, but not much luck. It looks like y’all may have even less clarity about what’s going on than we Americans do. 😞

      Either way, I’m glad to hear Patrick’s blog was helpful all the same and that you’re being proactive about learning what you can do to protect yourself in the UK. I wish you the absolute best and if you ever need to rant or commiserate, I’ll be right there with you.❤️

    • Kate Sebald
      Kate Sebald says:

      It’s no problem at all, Kamila!❤️ This isn’t my first rodeo with credit snafus, so I was super grateful both for Patrick’s blog and that Dave gave me the opportunity to share my own lessons and tips from my wonderful teammates with all of you. Credit reports are boring and the financial industry as a whole is rife with frustrating regulations and red tape, but this stuff is so important and I’m so glad we can serve as a resource for our customers.🙂

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *