More than half of American adults may be seriously compromised.
On September 7, Equifax announced that the most massive and severe hack of consumer data in American history had occurred through one of its websites.
For roughly two and a half months, hackers stole the most sensitive information of about 143 million US consumers (well over half of American adults): Social Security numbers, birth dates, addresses and in some cases driver's license numbers. They also took credit card numbers for about 209,000 people and dispute documents containing further personally identifying information for about 182,000. (Some UK and Canadian residents were also affected.) The fallout from this looks like it will be historic and industry changing.
Why does this matter?
In the past, people who had that kind of confidential information stolen have been subject to identity theft, credit card fraud, medical fraud, tax fraud, financial fraud, stolen deeds to houses, cell phone number theft, and takeover of online financial, social media and cloud storage accounts holding confidential information, among other things. If your information is compromised, this is a really big deal.
How did this happen?
In short: human error and poor security practice.
On March 6, 2017, Apache Struts released a patch for a critical vulnerability (CVE-2017-5638) in a component that Equifax used on a public-facing website. Standard IT security practice is to apply such patches as soon as possible, but for some reason Equifax didn't.
Three days later, the bug was being used by hackers in mass attacks on many sites; Equifax appeared to be lucky and wasn't one of them, yet the company still did nothing. Two months after the system should have been patched, one or more hackers penetrated the web server on May 13. They continued to access it for over two and a half months, until July 30, 2017.
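Two checks a defender would have run the week the patch came out, given as an added example here (not code from the original post or from Equifax): a version check against the affected ranges that Apache published for CVE-2017-5638 (advisory S2-045: Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), and a scan of web-server access logs for exploitation attempts. S2-045 is triggered by an OGNL expression smuggled into the Content-Type header of an upload request, so a Content-Type containing the OGNL delimiters "%{" or "${" is never legitimate and makes a cheap, low-false-positive indicator. The log format (combined-style with the request's Content-Type appended in quotes) and the sample log lines are constructed for this example, and the payload shown is a non-functional stand-in that only reproduces the delimiter signature.

```python
"""Added example: S2-045 (CVE-2017-5638) version check and log-based detection.

Assumptions: the log format and the sample lines below are constructed for
this example; the "payload" is a non-functional stand-in that only carries
the OGNL delimiter signature real exploits share.
"""
import re
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if this Struts 2 version falls in an S2-045 affected range
    (2.3.5 - 2.3.31 and 2.5 - 2.5.10 per the Apache advisory)."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False


# Constructed log format: <ip> - - [<timestamp>] "<request>" <status> "<Content-Type>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Struts evaluates OGNL written as %{...} or ${...}; neither belongs in a MIME type.
OGNL_MARKER = re.compile(r"[%$]\{")


def find_s2045_attempts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_line, content_type) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if OGNL_MARKER.search(m["ctype"]):
            hits.append((m["ip"], m["req"], m["ctype"]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, no real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2017:03:12:44 +0000] "GET /index.action HTTP/1.1" 200 "-"',
    '192.0.2.44 - - [10/Mar/2017:03:13:02 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '203.0.113.9 - - [10/Mar/2017:03:13:51 +0000] "POST /upload.action HTTP/1.1" 200 '
    '"%{(#_=\'multipart/form-data\').(#probe=1)}"',
    '203.0.113.9 - - [10/Mar/2017:03:14:05 +0000] "POST /index.action HTTP/1.1" 500 '
    '"${(#probe=2)}"',
]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if is_vulnerable_struts(ver) else "patched"
        print(f"Struts {ver}: {state}")
    for ip, req, ctype in find_s2045_attempts(SAMPLE_LOG):
        print(f"S2-045 attempt from {ip}: {req!r} Content-Type={ctype!r}")
```

The legitimate multipart upload (second line) is not flagged even though it is a POST to the same upload endpoint; only the two requests whose Content-Type carries an OGNL delimiter are reported. In practice you would need your web server to log the Content-Type request header at all (most default formats do not), which is why a version check against the advisory is the faster first step.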
On September 15, heads rolled. Equifax announced that the chief information officer and chief security officer "retired".
How do I protect myself from hackers and theft?
First, let me tell you what not to do. As a band-aid, Equifax is offering a "solution" of one year of free credit monitoring. (At first, signing up even bound you to an arbitration clause, and Equifax was still charging for credit freezes, making money from its own mistake. After public outcry, the arbitration language was dropped and the freeze fee waived.)
Credit monitoring is nice for finding out that someone has stolen your identity and is opening credit cards and bank accounts, buying a car, running up medical bills and so on in your name. But it's a little like closing the barn door after the horses have left: by the time an alert fires, the damage is done, and you have to prove to each institution that you are the real person and the impostor isn't. By the time you finally do, the thief may have caused harm that takes years to repair. In my opinion, credit monitoring is not the answer.
What's a better option?
You should immediately place a credit freeze with all four credit bureaus (not three) and with the bureau that banks use to screen new accounts. A freeze prevents anyone from opening new credit cards or bank accounts, buying a car, and so on in your name.
Then, if you ever need to let a lender pull your credit report for a legitimate purpose, you use a PIN that only you know to temporarily lift the freeze. Keep that PIN secure, preferably offline where no one can steal it.
A freeze is a bit of a pain. There is (deliberately) no one-click way to do it for all the bureaus at once: you have to go to each one individually. In some states it's free, but in others it costs $5 or $10 per bureau (currently Equifax has waived its fee, and Innovis is free), and it may cost the same each time you temporarily lift it.
It's completely ridiculous to charge for something like this, and Congress is pushing to have these fees removed. But if your data was exposed, waiting for that to eventually (or hopefully) happen is not a great idea. Speed is essential, so it makes sense to bite the bullet and protect yourself now.
How do I do this?
Freeze your credit:
Visit https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ and use the four links there to freeze your credit with the four bureaus: Equifax, Experian, Innovis and TransUnion (not just three, as some people still believe).
You may have to be patient. Some of them, Equifax especially, are swamped because millions of other people are doing the same thing right now. If you get a timeout, try again, or try late at night.
Also, don't be fooled. Some bureaus will do their best to steer you away from a credit freeze and convince you that all you need is a fraud alert or a proprietary "credit lock" (TransUnion pushes one). In my opinion these are half measures, and the credit lock borders on a scam.
A fraud alert only asks the lender pulling your report to take extra steps to verify your identity; it doesn't stop the report from being released, and a lender that cuts corners can still open the account. When you're dealing with criminals, relying on honor is not an effective strategy.
And TransUnion's credit lock exposes you to paid advertising (a credit freeze doesn't), so the company is making money off of supposedly protecting you. Its terms of service also force you to give up your right to sue the bureau over breaches and other issues. Pretty convenient after they have done some very lawsuit-worthy things.
Some bureaus even charge for a credit lock, and all of their terms of service are vague. So far none of the bureaus has confirmed to reporters that a lock carries all the legal protections of a true freeze, which is what they imply but never actually say while aggressively steering you toward it.
In my opinion, they are trying to save their business model, not your identity. The only way to go is a full credit freeze.
Freeze new bank account openings:
This is done through ChexSystems, the bureau banks use to screen new account applications. Again, don't settle for a security alert or anything less than a full freeze. https://www.consumerdebit.com/consumerinfo/us/en/chexsystems/theftaffidavit/index.htm
Monitor your credit
A freeze only blocks new attempts. If someone has already started using your identity, you need to know about it. Equifax is offering monitoring free for a year, but personally I'd rather not reward the company that caused the problem in the first place, and there are other completely free sources of credit monitoring. Check out Credit Karma, WalletHub and others.
(For some) Protect your tax refund with an IRS PIN
Hackers often use stolen Social Security numbers to file fraudulent tax returns. This can leave your own refund in limbo and is a huge mess to clean up. Residents of Florida, Georgia and the District of Columbia can get an Identity Protection PIN (IP PIN) from the IRS to guard against this. (I don't know why this isn't allowed in every state; an ounce of prevention is worth a pound of cure.) Check out: https://www.irs.gov/identity-theft-fraud-scams/the-identity-protection-pin-ip-pin
That's a great start, but you may not be done.
After that, make sure you also secure your cell phone number against being hijacked, since a stolen number can lead to every online account tied to it being stolen as well.
See this article on cell phone porting for what the problem is and how to fix it.