The Equifax Breach: What to do Now

Posted on by David Ott

As soon as Equifax announced that they had been hacked and that 143 million consumers were affected, I assumed that I was one of them – and not just because nearly one out of every two Americans was impacted.

I use www.mint.com to track my monthly income and expenses and one of the features that they offer is information about your credit score once per month.

It’s a great feature because I like to see my credit score, how it changes and some of the supporting information like my payment history, credit utilization, number and age of accounts and inquiries.  The problem is that mint.com uses Equifax to provide all of that information.

Worse, since mint.com is free, I assume that they are giving all of my spending information to Equifax.  I haven’t read the user agreement, all 500,000 words, so I don’t know that for sure, but when you get a nice service for ‘free,’ you’re the product being sold to someone else.

That’s a bargain that I can live with, in part because I assume that all of my data is out there already.  Two years ago, The New York Times created a website that tabulated how many times you’ve been hacked without providing them any personal information.

They’ve updated the page, which you can find here, to include the Equifax breach. Because I have a credit report, had accounts with LinkedIn, eBay, a Home Depot credit card and Anthem is my health insurer, I know that the following information has been exposed:

  • My address, three times,
  • My birthday, three times,
  • My debit/credit card number, two times,
  • My driver’s license number, one time,
  • My email, four times,
  • My employment history, one time,
  • My health history, one time,
  • My password, two times,
  • My Social Security number, two times.

Of course, I know that I’ve been hacked more times than this, so these numbers are too low.  Plus, the New York Times only included the ‘big’ ones; I am sure there have been many others.

Unfortunately, this is just part of the problem of living in the modern world.  Still, the question is, what should I do to protect myself?  It’s impossible to fully protect yourself, but there are some useful steps that you can take.  This isn’t an exhaustive list, it just happens to be what I do for myself at this point.

First, I try to use decent passwords.  More than a decade ago, someone told me to create an algorithm that included a few random letters, a few random numbers and the first three letters of a website.

It worked well for a while, but then all the sites had different password rules that made it difficult.  I was annoyed by those rules even though they were designed to protect me, but I’ve given up on creating my own passwords.  I now use www.lastpass.com to generate passwords for me.  I’ve been meaning to sign up for years and the Equifax breach put me over the edge.

I’m a new user, but basically it stores your user names and passwords in the cloud much like many of the browsers do already.  I like this a little better because it works across browsers (I use Chrome at work and Safari on my mobile devices and at home).  Lastpass randomly generates crazy number/letter/symbol combinations that no human, not even Rain Man, could remember.  Of course, Lastpass could be hacked, which would be a real downer.

Second, I’ve been a LifeLock client for probably a decade.  LifeLock is an identity theft protection company that attempts to detect and prevent identity theft.  If your identity is stolen, then they help you resolve it with the credit bureaus, which, to me, is the valuable part.

I use the cheap option for both me and my wife, which monitors for credit cards being opened in my name along with other kinds of accounts like cell phones, TV service and other utilities.

I should note that while I like LifeLock and feel comfortable having it, they have been in some trouble over the years for false or misleading advertising.  We’re trusting these organizations and it’s bad when your trust is broken in any way.

A third option for you to consider is to have your credit ‘frozen,’ which is exactly what it sounds like: your credit report is restricted from use by anyone.  The good news is that freezing your credit makes it harder for identity thieves to get a hold of it, but the bad news is that legitimate users like banks can’t either.

I probably won’t do this one because I think it will be a hassle since I apply for credit from time to time.  However, most of you readers probably don’t need any credit at this point in your lives and, from what I’ve read getting your credit unfrozen doesn’t take more than a day or two and sometimes happens in a few hours.  Here is a great resource that includes the steps for freezing your credit.

Lastly, here’s something that I won’t do: sign up for the Equifax free credit monitoring. At this point, I don’t trust the company at all and I’ve heard different reports about whether accepting the ‘free’ monitoring denies you a settlement from a class action lawsuit.  Since I don’t trust them, and their service is clearly tarnished, I’m not going to bother for now.

That said, Mint tells me that I can see an update in 21 days and you can be sure that I am going to do that.