Credit reporting agency Equifax Thursday disclosed one of the most significant data breaches in recent history, saying information including Social Security numbers of 143 million consumers was potentially compromised.
While the massive breach that Yahoo revealed last year involved more accounts, topping 1 billion, that intrusion exposed people's phone numbers and passwords. Equifax said its breach includes “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”
The company added that credit card numbers for approximately 209,000 U.S. consumers were accessed, along with some dispute documents that contained personal identifying information for approximately 182,000 U.S. consumers.
Equifax is offering a number of services for free to people, including credit monitoring. (You can find more information at a site Equifax set up, and see our expert advice below on protecting your data.)
Equifax originally said that by signing up for the credit monitoring service, you opt into arbitration and waive your right to take part in a class-action lawsuit over that service, though this waiver didn't apply to the breach at large. It later dropped the restrictions for the free credit-monitoring service, saying customers who sign up because of the data breach are not subject to the clause and would not be prevented from joining class-action suits.
The breach happened mid-May through July and was discovered July 29, Equifax said. It also said it has seen no evidence of unauthorized activity on its core consumer or commercial reporting databases.
“It’s one of the worst hacks imaginable," said Dan Guido, CEO of the cyber-security firm Trail of Bits. “People should be extraordinarily angry at companies like Equifax. We place a huge amount of trust in them about money matters but they’re so easily compromised by simplistic attacks like this one.”
Indeed, Guido wonders whether this major breach might mark the beginning of a "post-authentication era," in which this widely accepted personal information becomes essentially useless in establishing an individual’s identity.
“There’s no sense in treating this like confidential information anymore,” he said. “When you call up your cell phone company they typically ask for this information like your Social Security number or your driver's license number and it’s simply no longer possible to accurately identify people using these typical trust markers.”
Unlike a credit card company or retailer, consumers generally don't choose to do business with credit reporting firms. Instead, credit reporting companies gather information on consumers as part of their business.
"The credit bureaus collect highly sensitive consumer data, including Social Security numbers and detailed credit histories, and they have a legal and ethical obligation to protect it," said Jessica Rich, vice president of consumer policy and mobilization at Consumer Reports.
"While it’s fine that Equifax is offering consumers free credit card monitoring, that's just a Band-Aid," she added. "Companies need to take data security much more seriously so these breaches don't happen in the first place. That's why we need stronger data security laws with tougher penalties.”
Equifax Chairman and CEO Richard Smith said in a statement, "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes."
What You Should Do
There are some steps you can take to protect yourself and mitigate the potential damage done by this breach.
1. Find Out If Your Information Is Potentially at Risk
Equifax has set up a website that allows consumers to determine if their information was potentially compromised. Click on the tab labeled Potential Impact in the center of the web page. You’ll then need to enter your name and the last six digits of your Social Security number.
But even if the scan suggests that you weren’t compromised, don’t be lulled into a false sense of security.
“When breaches like these happen, consumers need to be diligent—and not just in the short term," Matt Schulz, senior industry analyst for CreditCards.com, said in a statement. “Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised."
2. Sign Up for Credit Monitoring
Equifax announced that it would provide free credit monitoring to all U.S. consumers, regardless of whether their information was potentially compromised. Since the service is free and it’s relatively easy to sign up, it’s a worthwhile safety precaution, even if it's a bit of a nuisance.
Equifax is offering five separate services under the program, all free, found on the company's website on a link marked TrustedIDPremier.
The first is simply getting a copy of your Equifax credit report. The second consists of credit monitoring and automated alerts of key changes to your credit report on any of the three major credit reporting agencies: Equifax, Experian, and TransUnion.
Another scans suspicious websites for your Social Security number. The fourth benefit is up to $1 million worth of identity theft insurance to pay for out-of-pocket expenses if you’re a victim of identity theft. The fifth is the ability to actually put a freeze on your credit report.
3. Freeze Your Credit
Equifax allows consumers to take the next step and actually freeze their credit lines, and you should take advantage of this. It goes a step further than credit card monitoring in that it prevents anyone from taking out a loan or a credit card in your name.
Of course, that includes you, which means that when you’re actually applying for credit—say, a mortgage, a home equity line or even a store credit card—you’ll have to go in and unfreeze your credit line before you do so.
“Consumers should deal with this inconvenience and freeze their credit,” said Guido. “It’s significantly safer than credit card monitoring.”
Equifax’s credit freeze form asks for straightforward information including name, address, and Social Security number, and you can use the same form to lift the freeze.
4. Check Your Accounts
Even if you follow all these steps, some experts suggest that the scope of this breach means that you’ll still have to continue to monitor your own accounts for fraudulent activity, indefinitely.
“Digital data is like a genie in a bottle,” said Casey Oppenheim, co-founder of the privacy-software firm, Disconnect. “Once it gets out of the bottle it’s extremely difficult, if not impossible, to get it back.”
The bright side of this incident, such as it is, may be that it encourages consumers to take a more proactive role as watchdogs of their own financial lives.
"Remember that no one cares as much about your money as you do, and you are ultimately your last line of defense against fraud,” Schulz said. “This is reason number 10,000 to check your online bank statements and credit card statements on a regular basis, ideally weekly."
One way of making that task a little easier is by setting up online alerts on your credit card and bank accounts, triggered by parameters like your balance or the size of the transaction.
Editor's Note: This story was updated to reflect changes in whether signing up for Equifax's credit monitoring service included an arbitration clause and class-action waiver.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2017, Consumer Reports, Inc.