By Mike DuBose and Blake DuBose
Almost every week, a new report comes out: another computer system’s security has been compromised, and sensitive information about millions—or even billions—of people and businesses has been leaked, stolen, or hacked. Whether private companies (like eBay, where 148 million customers’ names, passwords, and addresses were exposed in 2014) or governments (like the U.S. Office of Personnel Management, which saw nearly 22 million government employee and job applicants’ Social Security numbers fall into hackers’ hands in 2015), no organization or person is truly immune. Headlines sharing news of breaches feature many household names: Target, Home Depot, Yahoo...and the list goes on.
The Most Recent Target: Equifax
Now, Equifax, one of the four largest credit reporting agencies in the United States, has disclosed that private information about 143 million individuals (possibly, even more) was stolen between May and July 2017. The data is used to calculate credit scores, which banks and other lending institutions check to decide if loan applicants are worthy of credit. The detailed histories that Equifax stored for this purpose dated back a decade or more. They included individuals’ full legal names, Social Security numbers, birthdays, credit card numbers, W-2s, salary information, previous addresses, loan information, family members’ names, email addresses, court judgments, and answers to security questions used to access or reset forgotten passwords. All of this information is extremely valuable to identity thieves!
More than 55% of U.S. citizens aged 18 or older were affected by the Equifax breach. With so much of their personally identifying information floating around, that means more than half of American adults are at risk for identity theft. (Fortunately, because most children aged 17 or under do not have credit cards, they are in less danger—although parents should still check to make sure their children do not have credit reports and freeze them if they do, according to a Wall Street Journal article by Daisy Maxey). Criminals who obtain confidential information like that leaked in the Equifax fiasco may use it to apply for loans and credit cards, change bank or other account mailing addresses, and/or withdraw money from the rightful owners’ checking, retirement, and saving accounts…or they might sell it to other robbers on the black market!
Even those who were not impacted by the security failure in terms of personal records may still have had sensitive employment information exposed. According to Stacy Cowley and Tara Siegel Bernard of the New York Times, “In a big data collection coup, Equifax persuaded over 7000 employers to hand over salary details for an income verification system that now encompasses nearly half of American workers.” Despite Equifax’s assurances that the information would remain safe, it’s now likely out there in cyberspace—and potentially in criminals’ possession.
The Situation Worsens
Especially troubling in this situation are the many instances in which Equifax failed consumers leading up to, during, and after the big hack occurred. For example, Equifax likely knew about the flaws in its system as far back as March 2017, when it was alerted by outside security organizations like Cisco, but only told the public on September 7, 2017. Questions also exist regarding just how long unapproved individuals were able to access Equifax’s system before being noticed. According to a Wall Street Journal article by AnnaMaria Andriotis and Robert McMillan, “Hackers roamed undetected in Equifax, Inc.’s computer system for more than four months before a security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.”
Also, according to several reports, three senior Equifax executives sold stock worth almost $1.8 million in the first days of August, although the company claims that the officers were not aware of the breach at that time. (Equifax stock is down 30% since the attack became public.) Understandably, all these revelations have consumers and Congress livid! USA Today’s Kevin McCoy recently reported that more than 20 class action lawsuits relating to the security breach have already been filed. Others are likely to come.
In response to intense scrutiny and criticism regarding how the leak was handled, Equifax has offered to provide impacted individuals with free credit monitoring service for one year (which, unfortunately, won’t stop thieves from using the purloined information years down the road). There is a button on Equifax’s website where you may enter your personal information to determine if you were potentially a victim; if that is the case, you will be forwarded to a TrustedID page to sign up for free credit monitoring. However, this site has been plagued with problems, including mixed messages and service outages. When Mike visited the Equifax page shortly after the breach was revealed in mid-September 2017, the website reported that his information had been compromised. Days later, when he submitted his information again, he received an Equifax message stating that his file had not been impacted. A few days later, he tested the system again for a third time, and Equifax reported that his data was part of the theft! In another test we conducted—entering a made-up name and Social Security number on the initial page—the site didn’t recognize that it was a fake profile, and instead told us we had not been impacted! These contradictory messages are concerning because they suggest that even Equifax doesn’t know what information has been stolen.
Many individuals have also experienced difficulties freezing their credit reports, a recommended action if you won’t be applying for a major loan in the near future (and even then, the reports can be “unfrozen” later). One member of the DuBose family successfully froze all his credit bureau accounts, but then received a written notice in the mail one week later stating from Experian that the freeze was not successful because he did not pay $10.64. However, there were no instructions to make this payment when he submitted the freeze request online, and he is on a list of people living in South Carolina who shouldn’t be charged.
What You Should Do to Protect Yourself
Whether you were affected by the Equifax breach or not, it is only a matter of time before your confidential information is hacked by a thief. We have chosen to act now to protect our accounts from fraud as much as possible. Based on current recommendations from experts in the industry, here are some suggestions for safeguarding your information as well:
Contact all four major credit bureaus immediately to implement a “fraud alert” or (preferably) a “security credit freeze” on your accounts. Their contact information is as follows:
We recommend trying to contact them online first, calling on the telephone only if you have problems. Although all four credit agencies have added thousands of new workers to deal with the Equifax breach, when we called one, we were placed on hold for an hour, with identical irritating messages about the credit bureau’s services repeated every 30 seconds. Upon actually reaching an operator, she seemed inexperienced and couldn’t locate all of our files. She suggested transferring our call to different department, and after an extended hold, we were disconnected! Needless to say, be prepared for some frustration when attempting to freeze your accounts as well.
It will likely take an hour to reach all four credit bureaus online, but it’s a great start toward securing your private information. You also have the option of physically mailing each reporting agency a certified letter, as we did with Experian. If you freeze by mail, the bureaus require that you include several pieces of information, which may include: a letter requesting the security freeze with your full legal name; complete addresses for places you have lived in the past two years; your date of birth; your Social Security number; a copy of a government-issued ID like your driver’s license; and a bill of some sort (bank statement, utility bill, or insurance statement with your name on it, etc.) to verify your identity. Ensure that you send them all of the information they need at once via certified or overnight delivery that requires a signature upon receipt. Even though the freeze should be free if you were a victim of the Equifax hack or if you live in one of the exempt states like South Carolina, we included a check for $10.54 for each family member just in case.
In terms of freezes, there are two main options for protecting yourself to consider. If you are planning to seek credit or loans soon, setting up a “fraud alert” may be your ideal, temporary choice. This requires that any business or organization inquiring about your account to set up new credit must prove that you are the person applying for the credit. There are three different types of fraud alerts, and all of them are free. Initial Fraud Alert sets your account on high alert for 90 days (don’t forget to renew in three months). Extended Fraud Alert is for victims of identity theft and is good for up to seven years. Active Duty Military Fraud Alert works for one year, but is only applicable to members of the armed forces.
If you do not plan to apply for any loans or credit cards in the near future, the best option is a “security freeze” or “credit freeze.” In this scenario, your current creditors (such as credit card companies, banks, insurance businesses, etc.) can check your credit bureau account, but others, like thieves, are blocked from inquiries. Freezing your account will not affect your FICO score or credit and won’t prevent you from receiving credit card offers. You will also still be able to access your annual free credit report by going to www.annualcreditreport.com, which is authorized by the Federal Trade Commission (beware of other “look-alike” websites offering free reports!). You will be asked multiple questions about your past to prove that you are really the person making the inquiry, so take your time answering them. You will also have to enter the letters and numbers from a captcha image that robots cannot decipher; do this carefully as well, or you may be locked out of the site.
Note that you should freeze all four credit reports, not just Equifax. Information is often shared by the four credit bureaus, and when a business pulls a credit report, they often retrieve all of them at the same time. If you live in South Carolina, there should be no cost to apply for a credit freeze, but if you reside outside the state, there may be a small fee (usually, about $10) to freeze your credit with each bureau.
Once you have set the freeze, you will be provided with a PIN number in the event you wish to temporarily lift the freeze or allow a certain company to access your data (note that it may take several days to “unfreeze” an account). Print this information and guard this PIN number, since it will be your access to your account. If you do need to temporarily unfreeze an account for a certain company, it can be helpful to ask which credit bureau they plan to contact, then unfreezing only that single credit bureau account.
Monitor your credit card and other accounts closely. Keep in mind that if thieves have your information, they still can make changes to your other accounts like banking, credit cards, etc., even when your credit bureau accounts have been blocked and frozen. Online robbers will often test to see if you notice theft by buying small items first, then moving on to bigger purchases. If they have your credit bureau file, they have all of the information needed to reset your passwords. We suggest that you check your banking and credit card statements on a weekly basis for irregularities and contact your providers immediately if you notice anything unusual.
Update your passwords. Now is a good time to change all of your passwords. Make them at least 14 characters long and include upper- and lowercase letters, numbers, and symbols to make them nearly impossible to guess. (For a more detailed article about password protection and other online security tips, visit this blog.)
Activate two-factor authentication. Many providers (e-mail hosts, banks, credit card companies, etc.) will allow you to set up two-factor authentication on your account. Essentially, when anyone enters your username and password to log in, the provider will send a message with a code in it to your cellphone. If it’s truly your account, you can just reach for your phone, enter the code, and move forward. However, if you’re a thief trying to break into the account, you won’t have the code and will be locked out. It only takes a few minutes to set up, and it’s a great extra layer of security!
The bottom line: Whether it’s the current breach in the news or a future one, it’s only a matter of time before your confidential information falls into the hands of someone who shouldn’t have it. In the worst-case scenario, it can be used by thieves to steal your money and wreak havoc in your life. To help protect yourself, apply some basic but important security measures now...before your identity is stolen!
About the Authors: Our corporate and personal purpose is to “create opportunities to improve lives” by sharing our knowledge, research, experiences, successes, and mistakes. You can e-mail us at [email protected]
Mike DuBose received his graduate degree from the University of South Carolina and is the author of The Art of Building a Great Business. He has been in business since 1981 and is the owner of Research Associates, The Evaluation Group, Columbia Conference Center, and DuBose Fitness Center. Visit his nonprofit website www.mikedubose.com for a free copy of his book and additional business, travel, and personal articles, as well as health articles written with Dr. Surb Guram, MD.
Blake DuBose graduated from Newberry College’s Schools of Business and Psychology and is president of DuBose Web Group (www.duboseweb.com).
Katie Beck serves as Director of Communications for the DuBose Family of Companies. She graduated from the USC School of Journalism and Honors College.
© Copyright 2017 by Mike DuBose—All Rights Reserved. You have permission and we encourage you to forward the full article to friends or colleagues and/or distribute it as part of personal or professional use, providing that the authors are credited. However, no part of this article may be altered or published in any other manner without the written consent of the authors. If you would like written approval to post this information on an appropriate website or to publish this information, please contact Katie Beck at [email protected] and briefly explain how the article will be used; we will respond promptly. Thank you for honoring our hard work!