Equifax cyber breach: How to safeguard your information

AP logo
Friday, September 8, 2017
Equifax Inc. is seen, Saturday, July 21, 2012, in Atlanta. Equifax Inc. is a consumer credit reporting agency in the United States.

ATLANTA -- There's no way around it: The news from credit reporting company Equifax that 143 million Americans had their information exposed is very serious.

The crucial pieces of personal information that criminals may need to commit identity theft - Social Security numbers, birthdates, address histories, legal names - were all obtained. And once your personal data is out there, it's basically out there forever.

If your information was exposed, Equifax is offering free identity theft protection and credit file monitoring services. But the offer comes with some conditions that may make you think twice.

You can't get help right away. When people enter their last name and part of their Social Security number on the site to see whether they were affected, some are being told: "Based on the information provided, we believe that your personal information may have been impacted by this incident."

But even in that case, Equifax is not offering the credit monitoring service until next week at the earliest. Monday is the first day you can sign up.

Equifax released a statement on Friday afternoon clarifying that its terms of use do not apply to this incident:

"NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT. In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

At first, Equifax said anyone who gets the credit monitoring service, TrustedID, must agree to submit any complaints about it to arbitration. Those people wouldn't be allowed to sue, join a class-action suit, or benefit from any class-action settlement. To view the Equifax terms of use, click here.

After public pressure, Equifax added an opt-out provision on Friday. Customers can get out of the arbitration requirement by notifying Equifax in writing within 30 days of accepting the monitoring service. Letters should be sent to:

Equifax Consumer Services LLC

Attn.: Arbitration Opt-Out

P.O. Box 105496

Atlanta, GA 30348

Equifax clarified that customers would not be waiving their right to arbitration on Friday afternoon.

And Alex Southwell, a privacy lawyer at Gibson Dunn and a former federal prosecutor in New York, said the original rules still left room for people to sue Equifax over the original hack, even if they can't sue over the credit monitoring.

The federal Consumer Financial Protection Bureau recently published rules against these kinds of arbitration requirements by banks and credit card issuers. The rules will apply to credit rating services such as Equifax. But they don't take effect until next year, and Republicans in Congress want to roll them back.

Equifax isn't promising help fixing your credit: Equifax will agree only to monitor your credit, not help you fix any problems arising from the hack. "We do not offer, provide, or furnish any products, or any advice, counseling, or assistance, for the express or implied purpose of improving your credit record, credit history, or credit rating," the company in its 7,200-word terms and conditions. "By this we mean that we do not claim we can 'clean up' or 'improve' your credit record, credit history, or credit rating."

Equifax did not immediately respond to a request for comment Friday.

If you would still like to check if your personal information has been impacted, visit www.equifaxsecurity2017.com.

Two residents from Oregon filed a class-action lawsuit against Equifax in federal court in Portland Thursday, accusing the company of being negligent in protecting their credit and personal information. The lawsuit said the company, "failed to maintain adequate technological safeguards" and should have spent more money to protect against cyber attacks.


Unlike previous breaches at Yahoo, Target and Home Depot, Equifax's role in the financial industry makes this breach far more alarming. The company is basically a storehouse of Americans' most personal credit information, knowing everything about people from when they opened their first credit card, to how much money they owe on their houses, to whether they have any court judgments against them.

Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.

Atlanta-based Equifax, one of three major U.S. credit bureaus, said Thursday that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. Equifax discovered the hack July 29, but waited until Thursday to warn consumers.

For consumers, it may be time to take even more extreme measures to lock down their information, outside of the routine advice like checking your credit reports regularly and seeing if there are any abnormal transactions on your bank accounts and credit cards.

The strongest possible option a person can take immediately is placing what's known as a credit freeze on their credit files with the major credit bureaus - Equifax, TransUnion and Experian. A credit freeze locks down a person's information, making it impossible to open new accounts and bank cards in their name. But locking your credit also locks you out from opening new accounts as well.

"The credit freeze is the nuclear option of credit protection. But in the wake of a breach this big, it's worth considering," said Matt Schulz, an analyst with CreditCards.com.

Consumers will need to be even more diligent about checking their credit reports. U.S. law gives every American the right to pull their credit reports for free once a year from the major credit bureaus. It's best to spread those requests out over the year - do one every four months, experts say.

There are a lot of websites that market access to your credit reports, but the official one is annualcreditreport.com

Expect to check this information not just in the immediate future, but for the long term - potentially years. Once your personal data is out there, it can be used at any time.

"Bad guys can be very patient with data. This should be a wake-up call to be even more diligent with your information," Schulz said.

An even more extreme step? People can request to change their Social Security number with the Social Security Administration if they have repeatedly been a victim of identity fraud under their original number.

This isn't the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users' accounts throughout the world.

But no Social Security numbers or drivers' license information were disclosed in the Yahoo break-in.

Equifax's security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person's identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.

Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.

In addition to the personal information stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were "certain dispute documents" containing personal information for approximately 182,000 U.S. individuals.

The company warned that hackers also may have some "limited personal information" about British and Canadian residents. The company doesn't believe that consumers from any other countries were affected.

Three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered it had been hacked, according to documents filed with securities regulators. Equifax said the three executives "had no knowledge that an intrusion had occurred at the time they sold their shares."

Equifax shares fell about 13 percent to $123.75 in heavy trading. The decline equates to about $2.28 billion in lost market value.


Equifax may have accidentally made its PR crisis even worse.

On Friday morning, as millions of Americans were still reeling from the news of Equifax's massive data breach, the company's official customer service account posted an unfortunate message on Twitter.

"Happy Friday!," the @AskEquifax account posted. "You've got Stevie ready and willing to help with your customer service needs today!"

Stevie's tone didn't sit well with Twitter users.

"Glad you are chipper and ready to help but probably should have helped to prevent the data breach from happening," one person posted in a reply to the tweet.

Another user replied: "Stevie, can you help repair my life your company just ruined?"

The Ask Equifax tweet was quickly deleted. It's possible that the tweet, published at 8:00 a.m. on the dot, was automatically scheduled to post.

It's one of several verified Twitter accounts from Equifax.

Reps for Equifax did not immediately respond to a request for comment.

CNN contributed to this report.

WLS-TV contributed to this report.