Equifax Hack: Quick Update
Equifax has not been handling the fallout from their hack particularly well. I have a little bit of new information that I thought I would share as a followup to my original blog post Did the Equifax hack expose you? What you should you do now
Were you affected?
Equifax has a special website set up that supposedly lets you know if you were affected: http://www.equifaxsecurity2017.com/. The website asks for your name and the last 6 digits of your Social Security Number. I tried it and it told me that my information might have been compromised. A New York Times reporter tried to enter random information and it came back each time and said that the information was compromised. So the truth is that they have no idea, or their website is broken. Equifax has data on EVERY American with credit, so just assume your information was compromised and the hackers have it.
Giving up your right to sue
To enter your information at the above website, Equifax was having you agree to standard terms and conditions which limited your right to sue. They have clarified that they are not intending to limit your right to sue for this breach and signing up for their credit monitoring service will not limit that right. They have been updating the above website with information on that. So don’t worry, you can still be party to any class-action lawsuits which get filed.
PIN numbers for credit freeze
If you decide to implement a credit freeze on your information, Equifax assigns you a PIN number which you are supposed to use to lift the credit freeze. It turns out Equifax was using an easily guessable algorithm for assigning these PIN numbers and they were not random. And you wonder how this company allowed the hack in the first place? They claim to have fixed this problem and now the PIN numbers are totally random. If you implement a credit freeze, you will have to do it at all the credit monitoring services: Equifax, TransUnion, and Experian. See my original blog post for information on this: Did the Equifax hack expose you? What you should you do now. I had only heard about the PIN problem at Equifax. As far as I know TransUnion and Experian both provide random PINs.
RECOMMENDATIONS
My recommendations have not really changed. I suggest an immediate initial fraud alert. I think a credit freeze at all three credit reporting services is a good idea, but if the fraud alert in place, you could still wait a week or two for the fallout and then implement a credit freeze. I think Equifax should offer the credit freeze for free and maybe with some government attention they will. If they do, I would expect they will refund everyone who has already paid for it.
In addition, you should be extra vigilant everywhere, particularly if you get phone calls or emails from your bank or other service provider. Unless you know the party at the far end, simply assume the call or email is fraudulent. Do not give them any information unless you initiated the contact. For phone calls, hang up and call the bank or financial institution yourself at the bank’s 800 number. For emails, always type the bank’s web address or use a search engine. Never use a link in an email.