Editor’s note, September 8: Trusted ID — which is owned and operated by Equifax — includes a Terms of Service agreement that waives your rights to a class-action lawsuit against the company. CNET is investigating the issue and is not yet sure if these terms will hold up in court. Meantime, New York’s Attorney General tweeted that the language is unenforceable and has asked the company to remove it. If you don’t want to agree to these potentially-binding terms, head to this guide and go to step 2.
Credit rating company Equifax. Here’s what we know — and what you can do to protect yourself.
According to Equifax, which released a statement today, the company’s database was breached through a vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada.
The company thinks the hack happened some time between mid-May and the end of July, but has only now announced the breach. That’s all we know.
When did Equifax find out about the hack?
Equifax learned about the hack on July 29, according to an FAQ. Sept. 7, however, was the first day the company publicly announced the hack.
What information was accessed?
By exploiting Equifax website’s vulnerability, the hackers were able to acquire names, social security numbers, birth dates, home addresses and some drivers’ license information.
In addition, credit card numbers for an estimated 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed, according to the company.
If you were one of the fewer people whose credit card numbers or dispute documents were exposed, you’ll receive postal mail letting you know you were affected. Otherwise, you’ll need to use Equifax’s website to find out if your data was exposed.
How can I find out if I was affected?
Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. The program isn’t exactly straightforward, however — it requires a multi-step process that takes place over the course of at least one week. Here’s an overview of the process:
Step 1: Head to this enrollment page and click “Begin enrollment.” Enter your last name and last six digits of your social security number and head to the next page. Several reporters at CNET have attempted this process and received two different results:
- Equifax will provide you with an enrollment date for credit monitoring.
- Equifax will let you know you were not impacted.
CNET has reached out to Equifax to find out if receiving an enrollment date implies that you were affected, but as of now, it’s unclear.
Step 2: If you received an enrollment date, write it down. Seriously, on paper (or, you know, Google Calendar). Equifax does not ask for your email address, so it won’t remind you of your enrollment date.
Step 3: On (or after) your enrollment date, head to this page to continue the enrollment process. You have to complete the enrollment process by Nov. 21.
If you think the above process is opaque and a bit confusing, you’re not alone. Several CNETers were left uncertain if they were hacked, since Equifax doesn’t confirm that you were or not. These steps, however, are your best protection against the breach right now.
What exactly am I enrolling in?
According to Equifax, those affected are enrolling in a free, one-year subscription TrustedID, which is an identity protection company owned and operated by Equifax. According to this page, the service normally costs $27.99 per month for a family plan.
Once you’re enrolled, TrustedID will:
- Provide copies of your Equifax credit report
- Let you “lock” your Equifax credit report
- Provide three-bureau credit monitoring of your Equifax, Experian and TransUnion credit reports
- Provide internet scanning for your Social Security number
- Include identity theft insurance
Once we have some hands-on time with Trusted ID, we’ll update this story with more about how to use it.
How can I protect my identity?
You don’t have to wait to enroll in Equifax’s program to start protecting yourself right now. We put together, including this:
- Get a free credit report. Federal law guarantees your one free credit report per year from the three major bureaus (yes, including Equifax). Head to this website to get your most-recent credit report and evaluate it to find any malicious activity.
- Freeze your credit. Credit freezes make it harder for criminals to open credit cards in your name. You’ll need to call each of the credit bureaus — Equifax (1-800-349-9960), Experian (1‑888‑397‑3742) and TransUnion (1-888-909-8872) — to freeze your credit.
- Set a fraud alert. Anyone can sign up for a free, 90-day fraud alert. The FTC has information on how to do that here.
Should I be worried about identity theft?
The purpose of the free TrustedID enrollment program is to help protect you from identity theft. What we don’t know, however, is what happened during the months that Equifax didn’t know about the breach (or was preparing to tell the public). Because this gap represents several months that personal data was exposed, we suggest taking extra care in protecting your identity and watching for signs of identity theft.
The FTC outlines some of the major signs of identity theft, including:
- Unexplained withdrawals from your bank accounts
- You stop getting mail or bills (implying your address has been changed)
- Debt collectors call about debts you don’t recognize
- Your medical records don’t match with your history
What do I do if my identity was stolen?
Addressing identity theft is a long and frustrating process that has no simple solution. To help those affected by identity theft, the FTC provides this step-by-step recovery program.
Editor’s note: This story continues to be updated.