Navigating the Equifax data breach fiasco
I've taken the recommended steps to protect my personal information that may have been hacked in the Equifax credit bureau data breach, for all the good it may do. It wasn't easy.
For those who have been offline for the past week or so, Equifax announced Thursday that hackers had gained access to the personal information of up to 143 million Americans, including Social Security numbers and driver's license numbers. With that data, the hackers could steal those identities and secure credit in other people's names or file fraudulent tax returns seeking refunds.
So what should I and the other 142,999,999 affected people do now?
Simple, Equifax said. Go to our website, enter your name and the last six digits of your Social Security number and we'll tell you whether your data is likely to have been compromised. Amazingly enough, it told me my data may have been compromised. Other journalists tried entering random names and numbers, and lo and behold, those fictitious people may have been hacked as well. You could probably skip that step.
The next step is to go to a different web address and freeze your credit information. This, they said, will prevent anyone but you from accessing your information. If you need to apply for credit in the future, you can unlock the file temporarily by using a secret PIN issued only to you. Oh, and we'll give you a year's free subscription to our credit monitoring service, which will alert you if anyone tries to use your information.
On Sunday, I decided to take these steps, and it seemed to work but it didn't go smoothly. I filled in the information to freeze my credit report, and up popped a document with the promised PIN, which I was told to print for safekeeping. When I tried to do that, I got an error screen saying my request couldn't be processed and to please try again later. When I followed the same procedure with my wife's information, it wouldn't complete the process at all.
On Monday, when I tried again, my information didn't give me the "create a freeze" option, so apparently the first attempt had worked. I hope. I still couldn't freeze my wife's data. I did sign us both up for the free year of credit monitoring. Experts say the freeze may or may not work, and we'll likely be vulnerable for a lot longer than a year.
On Tuesday, I was able to complete the freeze process for my wife. Now we wait for a promised email to finish signing up for the monitoring service.
Some alarming glitches in all of this apparently have been fixed by Equifax after people complained: Signing up for the monitoring service no longer waives your right to join the class-action suit against Equifax, as the fine print initially suggested. The PIN generated with your credit freeze is now randomly generated. Initially, the PINs were the time and date you completed the freeze — 0911171030, for instance. Really secure. I have one of those PINs; my wife has a random one, but it's still just numbers, no letters or special characters. Finally, Equifax is not charging the small fee it usually charges for the freeze. Big of them.
Meanwhile, Congress is asking hard questions, including why three top executives sold nearly $2 million in stock after the breach was discovered but before it was announced, which naturally caused the stock to tank.
What's most infuriating about all this is the idea that a credit bureau, which collects information about you without your consent and then makes money by selling that information to people who want to issue you credit, can't be bothered to keep your information safe from hackers who want to steal it. Then, when a huge breach occurs, they do only the bare minimum to make things right.
— Reach Editorial Page Editor Gary E. Nelson at firstname.lastname@example.org.