Security

Equifax data breach: Find out if you were one of 143 million hacked

This breach of personal data potentially affects a vast number of people in the US, UK and Canada. Here's how to find out if your identity is compromised.

pasted-image-at-2017-09-07-03-25-pm

CNET

Editor's note, Sept. 11, 2017: We recommend that anyone with a credit history assume they were affected by the hack, as Equifax's hack-checker tool proved unreliable in our tests. In addition, Equifax's credit-freeze website was also shown to be hackable, ZDNET reported. 


Credit rating company Equifax revealed Sept. 7 that its databases had been hacked. Here's what we know and what you can do to protect yourself.

What happened?

According to Equifax, which released a statement on Sept. 7, the company's database was breached through a vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada. 

The company thinks the hack happened some time between mid-May and the end of July, but has only now announced the breach. That's all we know.

When did Equifax find out about the hack?

Equifax learned about the hack on July 29, according to an FAQ. However, Sept. 7 was the first day the company publicly announced the hack. 

What information was accessed?

By exploiting Equifax website's vulnerability, the hackers were able to acquire names, Social Security numbers, birth dates, home addresses and some drivers' license information.

In addition, credit card numbers for an estimated 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed, according to the company.

If you were one of the fewer people whose credit card numbers or dispute documents were exposed, you'll receive postal mail letting you know you were affected. Otherwise, you'll need to use Equifax's website to find out if your data was exposed. 

Now Playing: Watch this: Equifax breach: Were you one of the 143 million affected?
1:29

How can I find out if I was affected?

Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. It includes a tool that lets you check to see if you were affected and a program, Trusted ID, that may help prevent identity theft. But, be aware: the checker that lets you know if you were hacked might be broken and -- per the above note -- enrolling in the program might prevent you from participating in a class-action lawsuit against the company. Finally, on Sept. 11, ZDNET reported that Equifax's credit fraud alert sign-up site is vulnerable to hacking and has been left un-patched.

Because of these circumstances, we recommend that, for now, anyone with a credit history should assume they were affected by the hack. We also recommend supplementing Trusted ID with your own due diligence

If you're willing to give Equifax a chance, you can sign up for Trusted ID here. The program isn't exactly straightforward, however -- it requires a multi-step process that takes place over the course of at least one week. Here's an overview of the process:

Step 1: Head to this enrollment page and click "Begin enrollment." Enter your last name and last six digits of your social security number and head to the next page. Several reporters at CNET have attempted this process and received two different results: 

  • Equifax will let you know you may have been impacted.
  • Equifax will let you know you weren't impacted.

Step 2: If you received an enrollment date, write it down. Seriously, on paper (or, you know, Google Calendar). Equifax doesn't ask for your email address, so it won't remind you of your enrollment date. 

Step 3: On (or after) your enrollment date, head to this page to continue the enrollment process. You have to complete the enrollment process by Nov. 21.

What exactly am I enrolling in?

According to Equifax, those affected are enrolling in a free, one-year subscription TrustedID, which is an identity protection company owned and operated by Equifax. According to an Equifax representative we spoke to on the phone, the enrollment process won't ask for a credit card number, so the service won't automatically renew after one year. CNET hasn't been able to independently verify this, however.  

Once you're enrolled, TrustedID will: 

  • Provide copies of your Equifax credit report
  • Let you "lock" your Equifax credit report
  • Provide three-bureau credit monitoring of your Equifax, Experian and TransUnion credit reports
  • Provide internet scanning for your Social Security number
  • Include identity theft insurance

Once we have some hands-on time with Trusted ID, we'll update this story with more about how to use it. 

How can I protect my identity?

You don't have to wait to enroll in Equifax's program to start protecting yourself right now. We put together a guide on what you can do, including this:

  1. Get a free credit report. Federal law guarantees your one free credit report per year from the three major bureaus (yes, including Equifax). Head to this website to get your most-recent credit report and evaluate it to find any malicious activity.
  2. Freeze your credit. Credit freezes make it harder for criminals to open credit cards in your name. You'll need to call each of the credit bureaus -- Equifax (1-800-349-9960), Experian (1‑888‑397‑3742) and TransUnion (1-888-909-8872) -- to freeze your credit.
  3. Set a fraud alert. Anyone can sign up for a free, 90-day fraud alert. Here's how. (Don't use Equifax's site for this, as it may be vulnerable to hacking.)

Should I be worried about identity theft?

The purpose of the free TrustedID enrollment program is to help protect you from identity theft. What we don't know, however, is what happened during the months that Equifax didn't know about the breach (or was preparing to tell the public). Because this gap represents several months that personal data was exposed, we suggest taking extra care in protecting your identity and watching for signs of identity theft. 

The FTC outlines some of the major signs of identity theft, including:

  • Unexplained withdrawals from your bank accounts
  • You stop getting mail or bills (implying your address has been changed)
  • Debt collectors call about debts you don't recognize
  • Your medical records don't match with your history

What do I do if my identity was stolen?

Addressing identity theft is a long and frustrating process that has no simple solution. To help those affected by identity theft, the FTC provides this step-by-step recovery program

Editor's note: This story continues to be updated.