For a majority of consumers, the recent Equifax data breach is raising more questions than answers. If you are confused about what's happening with your personal information and the solutions that are being offered, don't worry, you are not alone.
How massive was the Equifax data breach? As one of the three major credit reporting agencies, Equifax collects and handles the data of 820 million consumers and 91 million businesses globally. The attack affects 143 million U.S. consumers, as names, Social Security numbers, birth dates, addresses, and even driver's license numbers may have been compromised.
Additionally, credit card numbers for approximately 209,000 U.S. consumers and dispute documents with personal information for around 182,000 consumers may have been accessed.
According to Equifax, it detected the attack on July 29 and the unauthorized access may have occurred from mid-May through July 2017. The cybercriminals allegedly exploited a U.S. website application vulnerability to gain access.
The Equifax data breach is confusing compared to other massive corporate attacks like Yahoo's or Target's. While other companies try to retain customer loyalty after information has been stolen, Equifax doesn't have to since the consumers are not actually its customers.
Adding to the confusion is the amount of information spreading around. Read on as we attempt to separate fact from fiction:
1. I have to put in my Social Security number to see if I'm affected.
Yes, it's true. Equifax's online tool requires you to provide your last name and last six digits of your Social Security number to initiate the check. But would you really want to hand over more of your info to a company that just experienced the largest credit bureau data breach in history?
Experts are also saying that requesting six digits of your Social Security number instead of four is rare and it indicates that most common four digit combinations were likely compromised. For identification purposes, putting in six digits forces consumers to reveal more details about themselves.
2. Equifax's tool will tell me for sure if my personal information was compromised.
No. Not with certainty. Equifax's tool states that "based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident."
The use of the word "may" implies that the tool does not even give a definite answer as to whether your data was indeed compromised.
3. Equifax will inform me if there's a problem with my account.
Not for everyone. Equifax stated that it will start sending out direct mail notices to the 209,000 people whose credit card numbers were affected and to the 182,000 people with credit dispute documents with personal identifying information that may have been accessed.
The problem with this system is that even if you're not a part of this set of consumers and you don't receive this direct mail notice, your name, Social Security number, birth dates or address may still have been compromised. In these cases, Equifax will not inform you directly. You will have to monitor your credit accounts yourself for fraud.
Affected or not, consumers are offered a chance to enroll in Equifax's own credit monitoring program, TrustedID Premier, free of charge for one year.
4. If I take Equifax's offer for credit monitoring, I am giving up my right to sue.
Not anymore. There were initial concerns about enrolling in Equifax's credit monitoring tool program. People noticed that if you do enroll, you will have to agree to its Terms of Service and buried in the fine print is this - a specific arbitration clause that waives your ability to participate in a class action lawsuit against Equifax.
Naturally, this caused a frenzy! This is why we've been warning you against signing up for the program all along. However, just recently, the New York Attorney General required that Equifax remove this statement from its Terms of Service immediately.
Now, Equifax has updated its website to say:
However, even with the revised Terms of Service, we're still hesitant to recommend signing up for this free credit monitoring service since - again - it's from the same company that just had the worst credit data breach in history.
5. I have to provide my credit card number to sign up for free monitoring.
No. You are not required to. Equifax's TrustedID credit monitoring and identity theft protection program does not require consumers' card information upon signing up. The company also stated in an update that people who enroll with the complimentary free service won't be automatically enrolled or charged after the first year is over.
6. I can just stop using Equifax.
Unfortunately, that's not true. You'll have to stop using credit if you want to do that.
As a credit monitoring agency, consumers don't actually sign up for Equifax nor can they drop it either. The credit information is fed directly to Equifax by credit card companies, banks, credit unions, retailers and lenders - basically, every company who has in their best interest to review your credit to extend it. As long as consumers use credit, they don't really have control over the information that's being collected by Equifax.
There will surely be more questions that will be put forward regarding this unprecedented data breach and its aftermath in the days and months to come. Unfortunately, judging by the scope and amount of information stolen, we believe the threat of identity theft for those affected will surely be lifelong.
If you believe your private information has been compromised by this or one of the many past data breaches, be vigilant. Monitor your finances closely and for good measure, like we mentioned earlier, set up a security freeze and fraud alerts on your accounts.