X

Your guide to surviving the Equifax data breach

Most US adults are affected by the hack. Here's a step-by-step on what to do.

Sharon Profis Vice President of Content
Sharon Profis is a vice president of content.
Sharon Profis
4 min read
hacking-security-hackers-federal-liberty-computers-2772.jpg
James Martin/CNET

Editors' note, September 8: Equifax's hack checker seems to be broken. We recommend that anyone with a credit history assume they were affected. 

One of the largest data breaches in history has left 143 million people wondering if their highly personal data has been exposed to hackers. For now, Equifax doesn't explicitly tell you if you were a victim, and in 99.99 percent of cases (yes, literally), it won't notify you by direct mail. But, if you're concerned you're vulnerable to identity theft because of the breach, this guide is for you. 

Read more: Everything you need to know about the Equifax hack

Watch this: Equifax breach: Were you one of the 143 million affected?

But first: A quick recap

Equifax, one of the three major credit bureaus, lost control of customer data that included Social Security numbers, home addresses, credit card numbers, drivers license numbers and birth dates. The company estimates that the data of 143 million people were exposed, which equals roughly half the US population. That means that the chances you are affected are pretty high.

Even though Equifax set up a program to help people protect their potentially exposed data, it might not give everyone complete confidence in keeping their identities secure. Here's why:

  • The breach could have started as early as mid-May 2017. That means that the data of 143 million people were exposed for more than three months. It's unclear what the hackers did with the data during those months. 
  • Those who are concerned with Equifax's ongoing site vulnerabilities will have to take matters into their own hands. (Which is what this guide is for.)

You don't have to wait to enroll in Equifax's program to start protecting yourself against the hack. Here's what you can do. 

Step 1: Enroll in Equifax's program (or just move on to step 2)

Equifax's identity protection program, Trusted ID, is being offered to anyone who wants to enroll. The program is designed to help prevent identity theft and tampering with your credit. If you're willing to give Equifax another chance, you can sign up for the program here. But, be aware: the checker that lets you know if you were hacked might be broken and enrolling in the program prevents you from participating in a class-action lawsuit against Trusted ID, but doesn't prevent you from participating in lawsuits related to the cyber attack.  

Because of these circumstances, we recommend that, for now, anyone with a credit history should assume they were affected by the hack. 

Step 2: Check your credit reports

More than three months passed between the time the breach may have started and now. We're not sure if the data of those affected was used maliciously during that period, so consider looking through your credit reports for any suspicious activity. The US government guarantees everyone a free annual credit report from the three major bureaus -- yes, including Experian. You can get those reports here. (UK citizens can find links to credit agencies here.)

When looking through your reports, keep an eye out for new accounts you didn't open, late payments on debts you don't recognize and any other activity that looks unfamiliar. 

If you suspect someone used your identity to open credit cards, take on loans, or reopen closed accounts, contact the credit card company's fraud department immediately. You are not responsible for charges made on a fraudulent card, but you have to report the issue in a timely manner. Once you've reported the fraudulent credit, follow this guide to recovering from identity theft

Step 3: Freeze your credit

It's still early days, so even if your credit report comes back clean, remain vigilant about protecting your credit. One of the most reliable ways to prevent someone from opening credit cards in your name is to place what's called a "credit freeze." 

When you freeze your credit, you (or anyone masquerading as you) will be required to unfreeze your account by providing the PIN you got when you froze your credit. 

To freeze your credit, contact each of the credit bureaus using these phone numbers:

The process is usually automated and can be completed within a few minutes. Just be sure to write down your PINs in a secure place.

Step 4: Set a fraud alert

A fraud alert is another way to make it hard for identity thieves to open accounts in your name. When a fraud alert is set, credit card companies will be required to verify your identity before opening an account. That, combined with the credit freeze, is a great way to keep your credit secure.

To set a fraud alert, contact just one of the credit card bureaus and ask for an initial fraud alert. Once the alert is set, it will last 90 days. After that, you'll have to renew it. Here are the appropriate phone numbers for the bureaus (remember, just call one):

Step 5: Repeat the process for your loved ones 

Because Equifax is not notifying those affected through direct mail or email, some people will be left without the resources or tech savvy to protect their identities or find out if they were compromised. With that in mind, consider helping your loved ones -- especially the elderly without computer access -- with the above steps. 

Watch out for tax season

It's still too early to know if and how the data exposed in Equifax's breach will be misused, but one major concern comes around during tax season. Identity thieves can use stolen Social Security numbers to file fraudulent tax returns and receive refunds. 

Many victims find out they have been targeted in tax fraud when they try to file their taxes -- the IRS tells them that their taxes were already filed. One of the best ways to prevent this from happening is to file early. For more, the IRS has an easy-to-follow guide on tax fraud.