Background

Now that some of the dust has settled on one of the worst cyber security breaches in history, we think everyone should go through the 5 steps listed below.  Why everyone?  Because there is no way to be certain if you have been affected by the Equifax breach or not.  I entered false info to test Equifax’s verification site including a last name of “test” and a SSN of “123456” only to find that it positively identified me as a person impacted by the breach.  [9/16/17 Update: Equifax's Chief Information Officer and Chief Security Officer are "retiring" and their internal investigation continues.]

Also, please make sure everyone in your family has taken these steps including your spouse, kids in college, domestic partner, and perhaps even minor children.

Step 1: Review Your Credit Report

Use the Annual Credit Report site to review your credit report from at least one of the three listed credit reporting agencies (“CRAs”).  By law, you are allowed one copy every 12 months, so we suggest you request a report from one of the three CRAs every 4 months.  Check for rogue activity or inaccuracies, and contact the CRAs to address the issue.

Step 2-A: Freeze Your Credit, and/or…

A credit freeze will not lower your credit score, but a fraudulent account certainly will.  We suggest you freeze your credit at all 3 major credit reporting agencies if you have not done so already.

• Equifax (fee waived until 11/21/17)
• Experian
• TransUnion (offers free "lock" option as well)

The cost to do this varies from state to state and typically is between $5 and $10 for each freeze and removal.  Consumers Union has a guide that lists the applicable fees for each state.  Also, Equifax just announced that they will waive their credit freeze charges for 30 days.

Some people might argue that freezing your credit can lead to inconveniences when you go to do something that requires a credit check like changing your cell phone plan or auto insurance.  That may be true depending on your circumstances; however, it doesn’t have to be a hassle if you keep your “unfreeze PIN” handy; and it may not cost anything to temporarily lift the freeze depending on the state you live in.

[9/21/17 Update: You can also opt to add a free 90-day fraud alert with one of the CRAs.  However, because this must be renewed every 3 months (unless you get the 7-year extension as an ID theft victim), and because it does not actually prevent new accounts being opened in your name, I didn't mention it in the original post and don't recommend it.]

Step 2-B: Enroll in Credit Monitoring/ID Security Services

If you cannot apply a credit freeze, or you want to add more protection, enroll in a monitoring service.  There are many reputable institutions like AAA/Auto Club and USAA that offer free credit/ID monitoring services that you should consider.  Presently, Equifax is offering a year of Trusted ID monitoring free of charge for those affected, and we would not be surprised if the term of service is extended given the level of public outrage on this breach.  Note that Equifax recently confirmed that the arbitration terms for the Trusted ID service do not apply to the cyber security breach itself, so it appears you can still participate in future litigation.

The reality is that no monitoring service (free or paid) will prevent ID theft, but they can help you address a problem before it develops into fiasco.

If you find that you don’t have the time or aptitude to apply freezes or regularly check credit reports, it may be worthwhile to use a paid service.  We haven’t evaluated these services in depth, but here are three providers worth a look: Identityforce, LifeLock, and IDShield.  If you are unsure, I suggest signing up for the Trusted ID service if you're eligible to enroll for free to see if a "paid" type of service would be worthwhile.

[9/21/17 Update: Experian currently offers their "CreditWorks Basic" monitoring free of charge after you apply a credit freeze with them - services like this can be helpful, but watch out for all the paid upgrade offers.]

Step 3: File Your Tax Return Early, and Don’t Over-withhold

With this breach, the hackers would have almost all the information they need to file fraudulent income tax returns.  Despite the security improvements the IRS has made in recent years, your income tax refund could still be stolen.  If possible, file your taxes early and electronically to mitigate the risk.  Also, consider adjusting your tax withholding so you don’t have a big refund check that’s worth stealing.

Step 4: Secure Your Phone and Email Accounts

Today, your email account and mobile phone number are just as important as your SSN.  Contact your phone service provider and see if you can add a verbal password or PIN to your account; and also find out what happens if you forget the password.  Ensure your email and other online accounts (like an Apple ID) utilize strong and unique passwords.

Also if you don’t already have one, create a dedicated “recovery” email address (free at gmail.com, outlook.com, etc.), and add this additional address to your online accounts like those for Facebook, Apple ID, Google, etc.  If you lose access to your primary email or online account, this can be a lifesaver.

Step 5: Strengthen Your Cyber Defenses

Taking the steps described on LockDownYourLogin will significantly improve your security.  The most important of these is using a password management system to help ensure you can maintain many unique and complex passwords.  Paper and spreadsheet methods are simpler, but harder to keep up to date – so it may be worth your while to use software like LastPass or KeePass instead.

Ultimately, educating yourself on cyber security may be one of the best investments you can make because most threats involve tricking us into doing something (referred to as social engineering).  We like to suggest the monthly Ouch! Newsletter since it breaks down a single security topic into a short and easy read.  Another good resource for security information is Brian Krebs, who offers excellent details on the breach.

Additional Steps to Consider

• Use an account aggregation tool to help review your bank and credit card transactions regularly in one place.  We can help clients get set up with eMoney Advisor to do this; or non-clients can use something like Mint.
• Add a security freeze to the fourth national consumer reporting agency: Innovis
• Opt out of pre-approved credit card offers on the OptOutPrescreen site.