According to Equifax, which released a statement today, the company’s database was breached through a vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada.
The company thinks the hack happened some time between mid-May and the end of July, but has only now announced the breach. That’s all we know.
When did Equifax find out about the hack?
Equifax learned about the hack on July 29, according to an FAQ. Sept. 7, however, was the first day the company publicly announced the hack.
What information was accessed?
By exploiting Equifax website’s vulnerability, the hackers were able to acquire names, social security numbers, birth dates, home addresses and some drivers’ license information.
In addition, credit card numbers for an estimated 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed, according to the company.
If you were one of the fewer people whose credit card numbers or dispute documents were exposed, you’ll receive postal mail letting you know you were affected. Otherwise, you’ll need to use Equifax’s website to find out if your data was exposed.
How can I find out if I was affected?
Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. It includes a tool that lets you check to see if you were affected and a program, Trusted ID, that may help prevent identity theft. But, be aware:and — per the above note — enrolling in the program against the company.
Because of these circumstances, we recommend that, for now, anyone with a credit history should assume they were affected by the hack.
If you’re willing to give Equifax a chance, you can sign up for Trusted ID here. The program isn’t exactly straightforward, however — it requires a multi-step process that takes place over the course of at least one week. Here’s an overview of the process:
Step 1: Head to this enrollment page and click “Begin enrollment.” Enter your last name and last six digits of your social security number and head to the next page. Several reporters at CNET have attempted this process and received two different results:
- Equifax will let you know you may have been impacted.
- Equifax will let you know you were not impacted.
Step 2: If you received an enrollment date, write it down. Seriously, on paper (or, you know, Google Calendar). Equifax does not ask for your email address, so it won’t remind you of your enrollment date.
Step 3: On (or after) your enrollment date, head to this page to continue the enrollment process. You have to complete the enrollment process by Nov. 21.
What exactly am I enrolling in?
According to Equifax, those affected are enrolling in a free, one-year subscription TrustedID, which is an identity protection company owned and operated by Equifax. According to an Equifax representative we spoke to on the phone, the enrollment process will not ask for a credit card number, so the service will notautomatically renew after one year. CNET has not been able to independently verify this, however.
Once you’re enrolled, TrustedID will:
- Provide copies of your Equifax credit report
- Let you “lock” your Equifax credit report
- Provide three-bureau credit monitoring of your Equifax, Experian and TransUnion credit reports
- Provide internet scanning for your Social Security number
- Include identity theft insurance
Once we have some hands-on time with Trusted ID, we’ll update this story with more about how to use it.
How can I protect my identity?
You don’t have to wait to enroll in Equifax’s program to start protecting yourself right now. We put together, including this:
- Get a free credit report. Federal law guarantees your one free credit report per year from the three major bureaus (yes, including Equifax). Head to this website to get your most-recent credit report and evaluate it to find any malicious activity.
- Freeze your credit. Credit freezes make it harder for criminals to open credit cards in your name. You’ll need to call each of the credit bureaus — Equifax (1-800-349-9960), Experian (1‑888‑397‑3742) and TransUnion (1-888-909-8872) — to freeze your credit.
- Set a fraud alert. Anyone can sign up for a free, 90-day fraud alert. The FTC has information on how to do that here.
Should I be worried about identity theft?
The purpose of the free TrustedID enrollment program is to help protect you from identity theft. What we don’t know, however, is what happened during the months that Equifax didn’t know about the breach (or was preparing to tell the public). Because this gap represents several months that personal data was exposed, we suggest taking extra care in protecting your identity and watching for signs of identity theft.
The FTC outlines some of the major signs of identity theft, including:
- Unexplained withdrawals from your bank accounts
- You stop getting mail or bills (implying your address has been changed)
- Debt collectors call about debts you don’t recognize
- Your medical records don’t match with your history
What do I do if my identity was stolen?
Addressing identity theft is a long and frustrating process that has no simple solution. To help those affected by identity theft, the FTC provides this step-by-step recovery program.