Equifax breach

Updated: Sept. 28, 2017

In a statement released on Sept. 7, Equifax — one of the three major credit reporting bureaus in the U.S. — announced that it had discovered an intrusion by hackers into its systems, resulting in the personal information of 143 million consumers being compromised. That number makes this the third largest breach publicly disclosed by a major company in the U.S., eclipsed only by the two breaches disclosed by Yahoo in 2016. The breach was discovered by Equifax on July 29, after which it conducted an internal investigation with the assistance of law enforcement and an independent cybersecurity firm. Though it has disclosed the breach to the public, Equifax noted in its statement that the investigation is not yet 100% complete, so additional information might yet come to light. To make matters worse, it’s been noted that this breach also includes limited personal information for certain residents of Canada and the U.K. — making this a headache on an international scale. To learn more about what information was exposed, how to determine whether or not you are at risk and what Equifax is doing about it, keep reading.

What customer information was exposed in this Equifax breach?

According to Equifax, the hackers exploited a vulnerability in a U.S. website application in order to gain access to certain files within its systems. The intrusion occurred sometime from mid-May through June 2017. Fortunately, there is no evidence of unauthorized activity on the credit bureau’s core consumer or commercial credit reporting databases. The information accessed for the 143 million compromised customers included:

Possibly compromised Equifax customer data
  • Customer names
  • Social security numbers
  • Birth dates
  • Addresses
  • Driver’s licenses (in some instances)
  • Credit card numbers (in some instances)

In addition, approximately 209,000 U.S. consumers’ credit card numbers as well as another 182,000 credit dispute documents containing personal identifying information were exposed. As noted, some Canadian and U.K. residents were also among those affected by this breach, though Equifax was not clear on what international breach victims could do to get assistance or how.

How can someone know if their information was exposed?

In response to this incident, Equifax has set up a website to provide information for concerned customers at www.equifaxsecurity2017.com. In addition to the company statement on the breach, FAQs and contact information, there is a tool which purports to help someone find out if they were potentially impacted by the breach. Unfortunately, the tool is not totally clear on how to get a definitive answer one way or another. When using its “check potential impact” tool, you must enter the last 6 digits of your social security number and your last name. Equifax says that you’ll be told whether or not your information may have been impacted, but that didn’t seem to be the case when we tested it out for ourselves. The credit bureau noted that it will be notifying those whose credit card numbers and credit dispute documents were exposed via direct mail, and there may be further contact to come from certain state governments, as Equifax has written notices to every U.S. state attorney general.

What is Equifax doing to protect consumers?

Equifax is offering free TrustedID Premier credit file monitoring and identity theft protection for one year to all U.S. consumers, whether or not they were directly impacted. To take advantage of the offer, you’ll need to provide your social security number and last name, which will give you an enrollment date. On or after that date, you can return to the Equifax website to enroll in TrustedID Premier. You’ll have until January 31, 2018 to enroll and take advantage of the free protection.

TrustedID Premier, which is a service from Equifax itself and not a separate company, will provide those enrolled with credit monitoring of all three of their credit reports (Experian, Equifax and TransUnion), free copies of their Equifax credit reports, the ability to lock and unlock their Equifax credit report, identity theft insurance and scanning on the Internet for their social security numbers. Additionally, Equifax has set up dedicated call centers open seven days a week, which concerned consumers can call from 7 a.m. to 1 a.m. ET. Note that if you do enroll in TrustedID Premier, you will waive your right to participate in any future class action lawsuits, according to the terms and conditions. (Editor’s note: This language was later removed from the terms and conditions, and all who enrolled before its removal will not be subject to any of the original terms.)

How can consumers protect themselves?

It might not feel quite right signing up for protection directly from the service which breached your information in the first place, so consumers should be aware that there are multiple other credit and identity monitoring services on the market which might be a more comfortable fit. Though they aren’t complimentary, many do offer free trials or money-back guarantees so you can test them out. Additionally, you can take steps to protect yourself by contacting all of the credit bureaus yourself to place a fraud alert or a freeze on your credit files. Keep in mind that these are designed to make it harder (or impossible) for new credit to be opened in your name, so if you are planning to apply for a new credit card, take out a loan or rent a new apartment in the coming months, you’ll want to be sure to lift it prior to doing so. Take advantage of AnnualCreditReport.com, which is a government-run website that helps you get free copies of all three of your credit reports — as opposed to just one like you’ll get with TrustedID Premier — once every 12 months. It’s important to know what’s on all of your credit reports if you’re on the lookout for potential signs of identity theft.

Finally, you can follow our identity theft protection blog to learn about the different ways identity theft can impact you and how to protect yourself and your loved ones from it. Remember that if you do become a victim, it’s important to report the identity theft since it is a crime.