Blog

Consumer Tips and FAQ about the Equifax Breach

By Mike Litt
Director, Campaign to Defend the Consumer Bureau

Last updated on January 25, 2018.

Hackers gained access to the personal data of over 145 million Americans in the Equifax breach. Here are some recommended actions consumers can take to protect themselves and answers to frequently asked questions. 

Tips:

  1. Request a free credit report - all three credit bureaus will give you one free report per year.
  2. Consider placing a credit freeze (also known as a security freeze) with all three credit bureaus. See our step-by-step guide for getting credit freezes.

  3. Place a free fraud alert if you choose not to get credit freezes. Any consumer can place a free renewable 90-day fraud alert by law by contacting any one of the three credit bureaus. You’ll need to set a tickler on your calendar to renew it every three months.
  4. Don't accept any deal from Equifax until you understand how Equifax has modified its terms of service, and read our summary of the limitations and potential risks of Equifax’s offering.

  5. If you’ve already been affected, take steps to recover from identity theft by visiting identitytheft.gov.

Frequently Asked Questions:

What happened?
Am I affected?
What should I do?
What is a credit freeze?
Should I accept the package offered by Equifax?
What is Equifax offering? And why does it fall short?
How do I place a credit freeze?
Can I get the fees for a credit freeze refunded to me from Equifax?
What should the government be doing about this incident?
What do I do if I detect New Account Identity Theft?
What is our consumer team doing to solve the problems?

Q: What happened?
A: Equifax, one of the big three credit reporting agencies, announced on September 7th that it had been hacked, potentially compromising the data of 143 million Americans. This number was later updated to 145.5 million.

The types of information taken from the massive credit bureau, particularly Social Security numbers and dates of birth, are the keys to new account identity theft. This means identity thieves could open fraudulent credit accounts and rack up tons of debt in your name.

Reports on September 14th suggest that Equifax failed to install Apache Struts security updates it was told about two months before its breach.

This is a big deal. To make matters worse, there’s a lot of confusion over what to do now.

Q: Am I affected?
A: Equifax has a website where you can use a tool to see whether your information has been hacked. We have seen numerous press reports that it gives different results at different times.1 Presume instead that it is more likely than not that your information has been compromised. 

Q: What should I do? 
A: We recommend taking the following steps:

  • Request free credit reports at all three credit bureaus to spot any unauthorized activity. If you request a copy of your report every 3-4 months throughout the year, you are essentially doing your own free credit monitoring. The official website authorized by the government for requesting these free reports is annualcreditreport.com.

  • Consider placing credit freezes on your credit reports with all three credit bureaus.More info about credit freezes and how-to do this are answered below.

  • Place free, renewable fraud alerts on your credit report if you decide not to place credit freezes on your credit reports.

  • Additionally, identitytheft.gov is the government’s official website that will walk you through clear checklists of actions you can take to recover from identity theft.

Q: What is a credit freeze?
A:  A credit freeze is a commonsense tool that allows consumers to freeze access to their credit history and scores, denying thieves the ability to open any fake accounts in their names. Getting credit freezes at all three national credit bureaus is the best action consumers can take after the Equifax breach, whether they were affected by it or not.

A credit (or security) freeze prevents new accounts from being opened by blocking your credit report from being shared with potential new creditors, such as banks or credit card companies. Most creditors will not issue new credit to a customer if they cannot see that customer’s credit report or score derived from it from at least one of the three major national credit bureaus. So if a thief applies for a new account in your name with your Social Security number and his or her own address, but access to your credit report is frozen, creditors will simply not open a new account. Because creditors run credit checks with any one or a combination of the credit bureaus, you need to block access to your reports with all three bureaus.

A credit freeze does not affect your ability to use existing credit you already have, such as a credit card or loan, nor does it prevent existing creditors from reviewing your continued eligibility for current or additional credit.

  • You can easily unfreeze or “thaw” your credit report when you want to apply for new credit, a loan, insurance, or in some cases, jobs that run credit checks.

  • A credit freeze does not affect your credit score. In fact, a security freeze helps protect your score by preventing your credit from being negatively scored if someone tries to fraudulently apply for credit in your name.

  • Credit freezes are available to consumers in all 50 states and the District of Columbia. A credit freeze costs between $3-10 at each of the three major national credit bureaus, depending on the state. There is a $2-12 fee, depending on the state, for unfreezing your credit report with each bureau. U.S. PIRG opposes these fees because consumers shouldn’t have to pay to protect themselves for a problem they didn’t create. However, we recommend paying the fees for the peace of mind that comes with protecting yourself from new account identity theft. Fees by state can be found on our interactive map here.

    Note: In states where there are fees, January 31st, 2018 is the last day Equifax will waive the fee it normally charges consumers to get credit freezes on their Equifax credit reports. We recommend that you take advantage of this option. For complete protection, you’ll need to freeze your reports with the other two bureaus, too.

  • All states give you the right to free security freezes if you can prove that you are an identity theft victim. Some states offer them for free to consumer 65 years+.

  • There are eight states where freezes are free to all consumers, whether they are identity theft victims or not:Colorado, Indiana, Maine, Maryland, New Jersey, New York, North Carolina, and South Carolina. (It is free to unfreeze reports in seven states and D.C.)

  • Credit freezes can also be placed by parents and legal guardians of minors and medically incapacitated consumers.

Consumers who chose a security freeze should account for the time it can take to thaw their reports if they want to apply for credit in the future. In most cases if a request for a thaw is made online or over the phone, a report can be unfrozen within 15 minutes. However, it can take longer if a consumer lost his or her PIN number that was assigned when the report was frozen. It can also take up to three days of receipt of a thaw request if it is made via postal mail.

Q: I have heard that by agreeing to Equifax's offer I am signing away my right to sue? Should I accept what Equifax is offering?
A: Equifax initially offered a package called TrustedID Premier to anyone, whether their info was lost or not, made up of five different products and services. The deadline for signing up for this package is January 31st, 2018, when this offer will be replaced by a new offer called Lock & Alert. Both the original package and the newer offer fall short of protecting consumers. If you take any of these services, be aware of the limitations, also follow our tips above, and consider the following:

To take advantage of Equifax’s TrustedID Premier package, you have to agree to be bound by an online agreement. Equifax’s original package agreement included an arbitration clause, which Equifax could have tried to use to bar victims of the data breach from joining class action lawsuits. After public outcry, Equifax removed the arbitration clause from its agreement.

However, Equifax has a separate Terms of Use agreement on its website which includes an arbitration clause. There remained some concern that Equifax could try to use this clause to bind victims who agree to be bound by the package agreement. Due to continued public outcry, Equifax added language that says this separate agreement does not apply to its free package.

There is still the possibility that Equifax might change these agreements in the future. We advise consumers to generally be on alert for arbitration clauses in agreements with financial companies.

We will review the terms of service for the newer Lock & Alert service when they are made public on January 31st, 2018, to determine if it is a good option for consumers. This lock is only for Equifax reports, so credit freezes are also needed with the two other bureaus.

If you choose to take any of the services Equifax is offering, be aware of the limitations of these services and also follow our tips.

Q: What is Equifax offering? And why does it fall short?
A: Equifax initially offered a package called TrustedID Premier to anyone, whether their info was lost or not, made up of five different products or services. The deadline for signing up for this package is January 31st, 2018, when this offer will be replaced by a new offer called Lock & Alert. Both the original package and the newer offer fall short of protecting consumers.

TrustedID PremierIt doesn’t hurt to sign up for these services. However, you should know they are limited and, at best, only alert you to identity theft after it has occurred.Therefore, we also recommend you freeze your credit reports with all three national credit bureaus.

Here are the five services and products included with TrustedID Premier and what the limitations of each are:

  1. Copies of your Equifax credit report.
    Looking at your credit report is a good idea because you can spot unauthorized activity in your name. It's a good idea to check your credit report at all three bureaus, not just Equifax. You can request free copies of your credit report at all three bureaus at annualcreditreport.com, the official website authorized by the government for requesting these free reports. 
  2. Credit monitoring for one year at all three national credit bureaus.
    Credit monitoring alerts you to changes to your credit reports, which can help you spot unauthorized activity in your name.The types of stolen information, particularly social security numbers and dates of birth, can be used to commit new account identity theft against everyone whose info was breached. This means bad guys could open fraudulent credit accounts and rack up tons of debt in your name.Due to huge marketing pushes by credit monitoring services that only alert consumers to fraud after the fact, most Americans are not aware that they can actually prevent id thieves from opening new credit accounts in their names in the first place by placing freezes on their credit accounts at all three national credit bureaus. Credit freezes help prevent new account identity theft because they keep potential creditors from seeing consumer credit history, without which new accounts are typically not opened.  Equifax’s package includes credit monitoring at all three bureaus for only one year. Equifax should make it clear that monitoring only alerts people to fraudulent activity after it has occurred, and they should offer it indefinitely, not just one year. The stolen information does not have a shelf life.
  3. Equifax Credit Report Lock
    Equifax’s package also includes something similar to a credit freeze, something they call a “credit report lock,” but only for Equifax reports. Bad guys could still try to open credit accounts with companies that use the other two credit bureaus for credit checks. So a freeze or "lock" with only one bureau is incomplete protection. Equifax should make clear the benefits of the credit freeze and offer it for free with all three bureaus, not just themselves. Equifax should reimburse consumers who place freezes on their own.You're better off getting actual credit freezes with all three bureaus, not the one "lock" with Equifax. You can find out how to get all three credit freezes here.
  4. Social Security Number Monitoring
    Equifax advertises this services as searching "suspicious websites for your Social Security number." This service by itself  wouldn't' hurt,  but again, the only fraud that can actually be prevented once someone has your Social Security number is new account identity fraud. And the only way to prevent that is through credit freezes. You're best off getting credit freezes with all three bureaus.
  5. $1M Identity Theft Insurance
    This is a feature that reimburses you for costs incurred from identity theft. It’s worth noting that you might already have some sort of insurance or equivalent protection from fraud resulting from id theft that is extended to you voluntarily by your employer, your insurance company (as a rider on your existing homeowner’s or renter’s insurance), or your credit card issuer (as a perk), etc. It’s also important to point out that ID theft insurance, whether offered free or as part of a service that you’re paying for always has limitations, exclusions, and requirements and usually only covers incidental expenses to clear ID theft problems up such as postage and notary fees. It doesn’t usually reimburse you for money that’s been stolen from you, and if it claims to cover attorney’s fees, remember that such coverage is usually extremely limited.2

Lock & Alert: January 31st is the launch date for Lock & Alert, a service that will let consumers lock and unlock their Equifax credit reports indefinitely for free. This service only blocks access to Equifax credit reports, not credit reports at the other two bureaus. 

Locks appear to block access to credit reports the same way freezes do. However, freezes are a right by law and not conditional on terms set by companies. We will review the terms of service when they are made public to determine if it is a good option for consumers. This lock is only for Equifax reports, so credit freezes are also needed with the two other bureaus.

Q: How do I place a credit freeze?
A: You can place a freeze online, over the phone, or in writing.

Note: In states where there are fees, January 31st, 2018 is the last day Equifax will waive the fee it normally charges consumers to get credit freezes on their Equifax credit reports. We recommend that you take advantage of this option. For complete protection, you’ll need to freeze your reports with the other two bureaus, too.

Equifax
Online: https://www.freeze.equifax.com
Phone: 1-800-685-1111 (NY residents please call 1-800-349-9960)
Mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348

Experian
Online: https://www.experian.com/freeze/center.html
Phone: 1‑888‑397‑3742
Mail: Experian Security Freeze, P.O. Box 9554, Allen, Texas 75013

TransUnion
Online: http://www.transunion.com/securityfreeze
Phone: 888-909-8872
Mail: TransUnion LLC, P.O. Box 2000, Chester, PA 19016

Additional detailed Identity Theft Tips from the U.S. Federal Trade Commission are here.

Q: Can I get the fees for a credit freeze refunded to me from Equifax?
A: Originally, Equifax did not waive the fee for credit freezes on Equifax reports. (Again, it was offering a “lock,” which is similar but not the same thing.)  After public outcry over the fees, Equifax temporarily waived the fees, first until November 21st, then until January 31st, 2018.

According to The New York Times, it has also agreed to refund the fees already paid for freezes on Equifax reports after the breach was made public.

However, it does not yet appear to be paying the fees for placing freezes with the other two bureaus.

We are pushing Equifax to pay for credit freezes with all three bureaus, including providing refunds to people who have already paid for freezes.

Q: What should the government be doing about this incident?
A: Investigations by the Federal Trade Commission, the Consumer Financial Protection Bureau, and state attorneys general, have begun and are important steps in holding Equifax accountable to consumers who had no choice to be in a relationship with them to begin with. Potential criminal wrongdoing should also be investigated.

Consumers should have the right, by law, to control access to our credit reports and protect ourselves from new account ID theft for free.

The best way to protect consumers would be to freeze everyone’s credit reports by default. But making them free to all who take the step to opt in to get freezes would be a big win for consumers and an important first step with real benefits consumers deserve right now. 

Federal legislation has been introduced to make getting & removing freezes free for all Americans. Bills include the Free Credit Freeze Act (S. 1810 & H.R. 3878) sponsored by Sen. Ron Wyden (OR) and Congressman Ben Lujan (NM) and the Freedom from Equifax Exploitation Act (FREE ACT) sponsored by Sen. Elizabeth Warren (MA). We support these bills, but there isn’t really movement on them right now. 

There is also a free credit freeze provision in the Economic Growth, Regulatory Relief and Consumer Protection Act (S. 2155), a bipartisan bill that weakens oversight of banks the same size as firms that contributed to the ’08 economic crash. The addition of the free freeze fails to make up for the bill’s overall detriment to consumers and the economy. Disappointingly, the bill was voted out of the Senate Banking committee and could get passed by the full Senate. But if that happens, it is uncertain if and how long it would take to reconcile it with the House’s Financial CHOICE Act (what we call the “Wrong Choice Act.”)   

Therefore, states represent the best chance of passing consumer friendly freeze bills; Congress does not.

Depending on your state, credit freezes cost $3-10 at each bureau. Credit freezes are only free in 8 states. We’re working on making them free in several other states including California, Illinois, Massachusetts, Oregon, Washington, and Wisconsin. Congress should take the lead and make them free for everyone in the country.

Even with everything the Equifax breach has brought to light, many in Congress are trying to dismantle the Consumer Financial Protection Bureau (CFPB) and get rid of protections, including our right to a day in court with companies like Equifax. In fact, in November, Congress repealed this new protection before it could even go into effect. Protecting consumers is not a left-right issue, it’s a little guy-big guy issue.

Q: What do I do if I detect New Account Identity Theft?
A: Take the following steps.

Step 1: Notify your financial institutions. If you discover that your wallet, checkbook, credit card or other sensitive information has been lost or stolen, immediately notify the issuing bank, credit card issuer or relevant institution to close all existing accounts.
Step 2: Get an Identity Theft Affidavit. If you suspect identity theft, report it to the Federal Trade Commission using the online complaint form or by calling 1-877-ID-THEFT. When making the report, you will be given an option to receive an Identity Theft Affidavit. This document, together with the police report, will be critical to minimizing the damage.
Step 3: File a police report. If you believe you are a victim of identity theft, file a report with your local police department. When you make the report, bring a copy of the Identity Theft Affidavit. The police report will be important for insurance purposes. Keep copies of the police report and Identity Theft Affidavit.
Step 4: Contact the three major credit reporting companies and place a fraud alert on your accounts. If you haven’t already, it’s time to place a security freeze.

Q: What is our consumer team doing to solve the problems?
A: Plenty. First, we're spreading the word through the media and on social media about how consumers can protect themselves. Help us reach more people by sharing our Facebook post here.

Second, we're asking Equifax to do more to making things right for consumers. We're putting together a call to action requesting that the company offer free credit freezes for all three credit reporting companies; and, for consumers who choose not to freeze their credit reports, unlimited credit monitoring -- not just one year. After all, there's no expiration date on when thieves can use stolen personal information.

We testified before Congress urging it to address these issues and more, and reject legislation that would actually weaken protections at the credit reporting companies. We're also working with several state policymakers to make credit freezes free. And we'll continue to hold the companies accountable through our research, reports, consumer tips and media outreach. 

1. Brian Krebs, “Equifax Breach Response Turns Dumpster Fire,” Krebs on Security, September 8, 2017
2. Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation, personal communication, 17 September 2015
3. Because credit freezes are the only way to prevent new account ID theft, the best public policy is for everyone’s credit reports to be automatically frozen until consumers give consent to lift the freezes on their reports for credit checks. 

Defend the CFPB

Tell your senators to oppose the “Financial CHOICE Act,” which would gut Wall Street reforms and destroy the Consumer Financial Protection Bureau as we know it.

Support Us

Your donation supports OSPIRG’s work to stand up for consumers on the issues that matter, especially when powerful interests are blocking progress.

Consumer Alerts

Join our network and stay up to date on our campaigns, get important consumer updates, and take action on critical issues.
Optional Member Code