What You Need To Know About The Equifax Breach

In an effort to keep our customers informed, and in case you haven’t already heard: Equifax, a very large credit monitoring bureau, suffered a very large, very severe breach of customer information that affects 143 million people. You probably recognize the name from whenever you hear people talk about pulling your credit report from the “big three” credit bureaus. However, there are actually 4 credit bureaus: Equifax, Experian, Innovis, and Trans Union.

So what happened?

At the end of July 2017, Equifax realized they had a massive breach of consumer information. A criminal was able to use a point of weakness in one of their web-based applications to steal personal and confidential information for 143 million people (nearly half of the population of the United States). The criminals were able to access social security numbers, birth dates, addresses, and some driver’s licenses for the affected individuals.

Equifax has set up a website (https://equifaxsecurity2017.com) dedicated to the breach. There’s more detailed information on the breach itself, and there’s also a tool where you can go to check and see if your information was included in the compromise. You simply enter your last name and the last 6 digits of your social security number. Equifax will then tell you whether your information was potentially involved in the breach.

They are offering a free one-year enrollment in their credit monitoring service, TrustedID, but enrolling in this program means you must waive your right to class-action and personal lawsuits against Equifax.

Update: Sept. 9, 2017, 12:22pm
Since we published this post, Equifax has updated their breach alert page to include the following response regarding their unclear legalese for using their free monitoring service.

“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

The Original Story

You might want to consider other options as credit monitoring is slightly different than identity theft protection.  There are other identity theft monitoring companies that you can pay for, in order to monitor your identity without forfeiting your right to a lawsuit.  One of the more well-known companies and one that we recommend is LifeLock.

Credit Freeze:

You also have the option to do a Credit Freeze. A Credit Freeze will prevent anyone from accessing your credit report. So, if a scammer tries to open a new line of credit using your personal information, when the lender tries to pull your credit report, it’ll say that it’s blocked and to contact the credit bureau. This prevents the institution from being able to lend money to the person who’s using your stolen information.

To place a credit freeze, you’ll need to contact each of the 4 credit bureaus. You will also likely have to pay a small fee to freeze and unfreeze your credit reports. Each of these bureaus will give you a 6-digit number (PIN) you can use to call and unfreeze or “thaw” your reports. You should “hide” this PIN somewhere that you won’t lose it, because if you do, you’ll be stuck frozen.

If you need to open an account while your credit reports are frozen, you’ll have to contact the credit bureau ahead of time (either on the phone or online) and “thaw” your account for a little while. You can set the “thaw” either for a period of time or for a particular creditor. You can also choose to remove the freeze if you determine you don’t want the protection any longer. You will need that PIN you set for the bureaus to thaw or unfreeze your reports.

You also have the option to temporarily thaw your accounts. For example, if you know you’re going to be looking for a car over the next week, call the three bureaus and thaw your report for the next week. Or, if you are applying for a credit card, call and unfreeze your report for that company, and then turn the freeze back on.

Using credit freezes is a little more trouble and a bit of an inconvenience in your life, but it’s better than the alternative – cleaning up your credit after your identity has been stolen.

Who do I talk to about a Credit Freeze?

You’ll need to contact each of the 4 credit bureaus. Here are the links to each of their sites: Equifax, Experian, Innovis, and Trans Union.

Please be aware that a lot of phishing sites and scams will likely come out of a situation like this. Make sure that any site you visit for these bureaus is legitimate before entering any of your information. If you receive an unsolicited email from one of these companies, please delete it immediately and do not click on any links. Now is the time to be on high alert for phishing emails and sites, and not just from scammers posing as credit bureaus but in general as well. Scammers use these types of situations to take advantage of people who are vulnerable.

Fraud Alert:

A less-impactful alternative to a credit freeze is a fraud alert.  A fraud alert requires potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You are allowed by law to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union) every 90 days.  Whichever one you file with, they are required by law to alert the other two big bureaus as well. The fourth bureau, Innovis, follows the same rules as the big three, but you will have to file a fraud alert with them as well.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can also apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

Free Credit Reports:

You are entitled by law to a free credit report from each of the “big three” once a year. This means you can check your credit 3 times a year (once every 4 months, using a different one of those bureaus each time). You may obtain this free copy at annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service, usually credit monitoring. There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service, so watch out.

Your free credit report will show all your lines of credit and other debt obligations, along with lots of data.  However, it won’t show your FICO score.  If that’s what you’re looking for, go to your bank or credit card company.  It usually costs money to get your FICO score.

What about my bank accounts?

We don’t anticipate that your bank accounts will be affected by this particular breach since no account or debit card numbers were compromised. However, we do recommend that you check your checking/savings and credit card accounts at least weekly to ensure there is no fraudulent activity.  This is just best practice, even when there isn’t a breach of this magnitude.  Another easy practice is to set up free text or email alerts on your account.  Those are free at The Callaway Bank and help you keep an instant pulse on your account activity.  (Your wireless carrier may charge for the text messages so check with them.)

If you suspect fraudulent activity on any of your Callaway Bank accounts, please contact our Customer Care Team at 800.446.2265 immediately.

There is a lot being reported about this breach, and we encourage you to seek additional information to protect yourself. A great resource regarding this breach, and all things cybersecurity-related, is https://krebsonsecurity.com/.