Equifax emailWhen we last left off in our chronicles of the 2017 Equifax data breach, it was uncertain what might be in store for those breach victims who had elected to sign up for the free TrustedID Premier credit monitoring once the free year of coverage came to an end. Our editor received an email on Sept. 4, slightly prior to her one-year anniversary, stating that the free coverage had been extended “until further notice,” but since then, all had been quiet. That is, until Oct. 31, when a new email arrived proclaiming an end to the uncertainty.

In what might seem unusual to those used to viewing the three credit bureaus as competitors, Equifax has opted to offer an additional year of free credit monitoring to breach victims — courtesy of Experian. Those TrustedID Premier members who received this email will have 14 days from its receipt to “opt out” from having their information shared with Experian — after that, the data will be shared to help facilitate the switch from TrustedID Premier to the new Experian product, dubbed IDnotify. Unfortunately, Equifax seems to be following its standard pattern of providing few resources and limited information regarding this update, so it’s likely there are quite a few confused people out there wondering whether the email in their inboxes is legitimate, what it means and what they should do. That’s why we’re digging into the details to help you make the best choice.

What does the Equifax email look like?

Equifax email

Part of the Equifax email. Click on this image to view the full-size email.

Before we get into what the email means, we wanted to make sure to show you what the official email looks like. You can see a snippet of the email in the image above, and click on it to view the email in its entirety. Its subject line reads “Important Information About Your TrustedID® Premier Product.” It’s a sad truth of today’s online world that cybercriminals will take every advantage they can get to trick people, and when a company conducts business via email only, that is a huge opportunity for fraudsters to develop phishing emails designed to spoof the authentic ones. Unfortunately, as of now, there isn’t a way to get around clicking on the primary link in the Equifax email — it’s the only way those who wish to opt out of having their information shared with Experian can do so. We normally advise caution when clicking links in emails, and this is no different. Make sure you double-check the email’s sender information and look for obvious clues to a phony missive, such as misaligned text, misspellings and grammatical errors. You can also highlight your cursor over the link(s) and see a preview of the URL before you click. Since these are personalized emails, you’re going to see a long string of gibberish, but all valid links should begin with click.e.equifax.com.

Important takeaways from this announcement

Here are some of the key points we can glean from the email Equifax sent:

Not all TrustedID Premier subscribers are eligible for additional monitoring

First, it’s important to note that — based on information from the FAQ on Equifax’s TrustedID Premier website — not all who signed up for TrustedID Premier following the 2017 data breach will receive this offer. According to Equifax, while it offered free credit monitoring to all U.S. adults in the aftermath of its devastating breach, it will only be extending this additional monitoring to “TrustedID Premier subscribers whose information was impacted by the cybersecurity incident.” Considering a whopping 148 million people were impacted in some way by that incident, we can’t imagine too many people won’t qualify. However, it’s possible that some people who took advantage of the free credit monitoring were not among those known to have been impacted, so if you did not receive an email from Equifax on or around Oct. 31, 2018, that’s probably why. Additionally, anyone who cancels or has canceled their TrustedID Premier account (or anyone who opted not to sign up for TrustedID Premier) will not be eligible to receive this continued coverage from Experian.

If you don’t opt out within 14 days, your data will be shared

Perhaps the most concerning part of this email is the super tight deadline Equifax is giving its TrustedID Premier customers to opt out of having their information automatically shared with Experian. Recipients of the email have just 14 days from its send date — Oct. 31, 2018 — to click the orange “I decline the extended offer” button (or the link in the paragraph before it). Failing to do so in a timely manner means that “Equifax will share your name, address, date of birth, social security number, and self-provided phone number and email address.” Though the email does point out that, as a credit reporting agency, Experian already has the majority of this information; the self-provided phone number and email address are what you are ostensibly opting out of being shared by Equifax. Regardless of whether the data is already possessed by Experian or not, it seems decidedly underhanded to provide consumers with just two weeks’ notice to opt out of having their information shared. This feels especially dirty considering how closely data privacy issues have been held under the national microscope in the past year.

The new coverage from Experian is called IDnotify

Those who elect not to opt out (or don’t get a chance to do so) will have their information shared with Experian to facilitate the process of validating their identity for enrollment in the new credit monitoring service. This service is being called IDnotify, and those who wish to take advantage of this additional year of coverage will need to do so by Jan. 31, 2019. Equifax promised additional emails to follow with instructions on how to get enrolled. According to the Equifax email, IDnotify will provide the following:

  • Three-bureau credit file monitoring
  • $1 million identity theft insurance
  • Enhanced Internet scanning for your social security number, email, phone number, medical ID, passport, credit card and other personal information
  • Experian CreditLock

These features are fairly standard for free credit monitoring, though it does seem odd that Equifax would choose an option that seemingly doesn’t allow impacted breach victims to be able to lock their Equifax credit file — something that is currently a key feature of TrustedID Premier. According to the FAQ Equifax set up, once TrustedID Premier expires, all credit files locked with that service will automatically be unlocked. Consumers must take further steps to re-lock it or place a freeze on their credit file. With credit freezes now totally free for every U.S. citizen, we advise consumers to take that option anyway, considering there are no legal protections for the credit locks that the bureaus have rolled out in recent years.

Should you take advantage of this extended coverage?

The big question on many people’s minds is likely: should I bother? While you have a very small window to opt out, you have a bit longer to decide if you want to bother enrolling in Experian’s IDnotify service. If you don’t mind having your self-provided email and phone number shared with Experian, then it could be worth it to find out whether IDnotify is effective. We will be reviewing it as soon as our editor can get access to the service. However, ultimately, these free monitoring services are rarely all they’re cracked up to be.

The most important lesson to learn about identity theft is that it cannot be outright prevented; you can only mitigate what’s already occurred and reduce your attack surface to minimize the likelihood of becoming a victim. If you treat identity theft protection services like an extra layer of protection so far as alerting you if suspicious activity has already occurred, then it’s not inherently wrong to use them. But you should take steps on your own to protect yourself — such as placing credit freezes yourself (rather than relying on the credit lock features that these companies have started pushing in wake of real legislation on credit freezes), monitoring your credit card statements and credit reports as often as possible and familiarizing yourself with the signs of fraud and how to deal with it.

Our coverage of Equifax will continue, and you can follow it all by bookmarking our Equifax breach blog. To keep abreast of all the privacy and cybersecurity issues that matter most, keep reading our credit monitoring blog.