Equifax, one of the three major consumer credit bureaus in the United States, announced on Thursday that hackers may have accessed the personal information of more than 143 million people.
The company said it learned in July that hackers accessed data including the names, Social Security numbers (SSNs), birthdays, addresses, and in some instances, driver's license numbers, of 143 million people -- precisely the information someone could use to open accounts in your name.
What it means and what you can do
The company said that it "has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases." That means information about how much you owe the bank on your mortgage, or late payments on a dental bill five years ago, wasn't accessed in the hack, at least as far as we know now.
The bad news is that if you have a credit file at Equifax because you have a car loan, credit card, student loan, a mortgage, or some other financial account, the number of people affected suggests that it is highly likely your personal information (name, address, SSN, and/or birthday) is in someone else's hands. But don't panic. In a perverse way, the fact this data breach affects so many people somewhat mitigates the risk that your information is used to open new accounts in your name.
For its part, Equifax launched EquifaxSecurity2017.com where you can see if your personal information was accessed, and enroll in Equifax's TrustedID Premier product to monitor activity on all three of your credit reports for free.
The downside is that the website requires you to submit your last name and the last 6 digits of your Social Security number. If exposing your name and the most important digits of your Social Security number to a company that just reported a major data breach doesn't sound like a good idea... well, I can't argue with the logic. Luckily, there is another way to keep tabs on your credit reports.
Go straight to the source
The Fair Credit Reporting Act (FCRA) requires credit bureaus to provide you with access to your credit reports once per year, completely free. You can access your reports by visiting AnnualCreditReport.com, a website that was set up for the express purpose of providing consumers with free access to their reports as required by law.
Of course, as with anything that is free, it has a key limitation: You can only pull each report once per year. Thus, to maximize this free benefit, consider pulling one report now, and then logging in again a few months later to pull another report from a different bureau. Because financial companies often report accounts to more than one credit bureau, if not all three, it's likely that any fraudulent accounts will be reported to multiple credit bureaus, making it possible to catch them by pulling just one report at a time.
If you find any accounts you don't recognize, you can work with the credit bureau, through the AnnualCreditReport.com website, to have this information removed from your report. You can also reach out to the financial company to report suspicious activity. It's really pretty simple to use, and surprisingly intuitive for a quasi-government website.
Other smart steps to take now
It's my personal view that this data breach will likely be a multiyear mess that will take a lot of time to sort out. If someone does actually have names, birthdays, and SSNs of 143 million people, banks and other financial institutions will have to find a new way to verify that people are actually who they say they are.
There is only so much you can do now, but as an additional precaution against fraud, consider changing passwords and security questions on bank accounts, credit cards, and other important financial accounts, as well as any email accounts that are associated with them.
Given the data breach includes information like addresses and birthdays -- data commonly used for security questions to authenticate your identity -- you may want to change your security settings for your accounts as well.
Here's a tip: It's OK to tell your bank your mother's maiden name is "Pg#2!QEs," or something similar. Security questions are a secondary password, not part of a lie detector test. Just make sure you write down your mom's made-up maiden name somewhere you can find it later, lest you get locked out of an account that is actually yours.