Last updated March 27, 2018.
There have been a lot of major database hacks over the years, but the Equifax scandal has been all over the news not only because it affects about half the adults in America — 143 million people — but also because it involves extremely sensitive identity and financial information. It’s more than likely that your private information has been exposed.
Hackers were able to access driver’s licenses, Social Security numbers, birth dates, addresses, credit histories, and more. Thieves can steal your identity and open new accounts in your name with a lot less, and we don’t know the extent of the repercussions yet. Some hypothesize it’s being sold on the dark web.
Here’s what you need to know about the major Equifax hack, and how to protect yourself and your credit.
How did the Equifax hack happen?
Hackers exploited a bug in server software, Apache Struts, which is an open-source software that is frequently used by financial institutions. Apache Struts released a patch for the bug on the very day of the version release, March 7, 2017, but Equifax, which holds some of the most sensitive data in the country, allegedly failed to install the security patch, resulting in the data grab that started a full two months later.
On top of this, hackers stole credit card numbers of about 209,000 people and personal identifying information of about 182,000 people involved in credit report disputes. People in Canada and the United Kingdom were also exposed, but as of this writing, Equifax has not yet revealed how many.
Equifax, along with the other two big credit reporting firms, TransUnion and Experian, gather this information without your consent and sell it to financial institutions, lenders, retailers, and others who use it to verify who you are and decide whether or not to give you a loan or credit.
Equifax Hid the Breach
The hack began in May 2017 and was not discovered until July 29. Equifax did not reveal the breach until over a month later, on September 7.
Not only has Equifax been less than transparent in revealing to people that their confidential information could be floating around the underworld, but to add insult to injury, three Equifax executives sold a total of about $1.8 million in shares on August 1 and 2, just days after the discovery, but almost a month before Equifax announced the breach.
It is yet to be determined if this is a violation of securities law, but the visuals are disturbing. Bloomberg reports, “‘I don’t know how the board will allow these executives to continue in their positions,’ said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on matters including corporate compliance and enforcement challenges.”
Attorneys in Las Vegas are suing Equifax, however, for the one of the largest data breaches in history.
Protect Yourself and Your Credit, Because Equifax Won’t
You need to protect yourself — Equifax is not going out of its way to protect you after its security negligence. They will send direct mail notices to the 209,000 people whose credit cards were exposed and the 182,000 whose dispute records were hacked. But for the other 142 million people, you need to do some work to find out if thieves have your financial information. Equifax is not planning to contact you as of the time of this writing.
Equifax set up a website where you can find out if you are one of the victims, but it has not been working well, and for days people were instructed to return later. Equifax also offered a free, year-long credit monitoring service, but hid a little surprise in the fine print: If you signed up for the free year, you waived your right to join a class action lawsuit and were forced into arbitration if you wanted to take any kind of action.
The public and its representatives have not reacted well. New York Attorney General Eric Schneiderman has demanded that Equifax remove the arbitration language, calling it “unacceptable and unenforceable.” And Sen. Sherrod Brown of Ohio, ranking Democrat on the Senate Banking Committee, made the following statement:
It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place.
Faced with public indignation, Equifax now says you can opt out of that provision but you must do so within 30 days and in writing.
And let’s face it, monitoring is after the fact. It only catches something a thief has done, such as open a line of credit in your name; it doesn’t stop them from doing it. Then you need to go through the sometimes impossible task of having your credit reports corrected. Not very convenient if you find this out about the time you are trying to buy a house. And what happens once a year passes? Much of the information in the hands of the thieves does not expire, such as Social Security numbers.
The Safest Course: Freeze Your Credit Files
The safest thing to do in the face of a breach like this is to freeze your credit files with all three of the big credit reporting firms. When you freeze your credit files, the agencies may not release your credit report to any company where you are not already a customer. But Equifax, who never asked if they could use your information and then were sloppy about guarding it, was still charging people to freeze their credit for days after the breach.
Equifax’s handling of the matter outraged the public to the extent that finally on September 12, Equifax offered to waive fees for freezing credit files until November 21. Do they charge to unfreeze your files? It’s unclear. If you want a company to be able to get a credit report, perhaps so you can buy a house or a car, you would need to unfreeze your credit files. Of course, freezing only your Equifax files will not do much unless you also freeze your credit files at TransUnion and Experian, and they are not going to freeze your files for free.
Steps You Can Take to Fight the Equifax Hack
In a nutshell, you can take these steps to protect yourself from the Equifax hack:
- Check if you were a victim at the Equifax site. Some people have reported they have not been able to find out anything, but were sent immediately over to the credit monitoring service page.
- Sign up for a credit monitoring service for all three credit-reporting bureaus. You have until November 21, 2017 to enroll for a year of free monitoring from Equifax; be sure to opt out of the arbitration clause in writing within 30 days.
- If you don’t want to pay for a credit monitoring service, keep checks on your credit yourself at annualcreditreport.com. You can get a free report from one of the three credit-tracking agencies every four months.
- Ask all three reporting agencies for a free fraud alert. A fraud alert warns creditors to verify the identity of anyone seeking credit.
- Ask all three reporting agencies to freeze your credit files. Contact Equifax before November 21 for them to freeze your credit free for a year. Freezing credit at the other two agencies, and freezing credit at Equifax for longer than a year, will cost you.
- File your taxes early before a scammer uses your identity information to steal your tax refund.
If you need help managing your debt and improving your credit score, contact the experienced attorneys of Borowitz & Clark today for a free case evaluation. We have helped thousands of Los Angeles residents get out of debt, stop creditor harassment, and enjoy financial freedom.
Have you found any other information about Equifax that would be helpful to readers? Feel free to share in the comments below, and good luck!
- High Rent? Here’s How to Use Those Payments to Improve Your Credit Score
- Yes, You Can Get a Mortgage After Bankruptcy
- Can I Retire Early in LA?
M. Erik Clark is the Managing Partner of Borowitz & Clark, LLP, a leading consumer bankruptcy law firm with offices located throughout Southern California. Mr. Clark is Board Certified in Consumer Bankruptcy by the American Board of Certification and a member of the State Bar in California, New York, and Connecticut. View his full profile here.