In September 2017, Equifax announced that hackers stole the personal data of 143 million U.S. consumers, making it the biggest data breach in 2017 and the fifth largest breach on record. Here is what you need to know about this massive breach.

What Was Stolen

From May through July 2017, hackers accessed Equifax’s computer systems by exploiting a vulnerability in a website application. Although Equifax immediately stopped the intrusion when it was discovered on July 29, the damage had already been done. The hackers got away with the names, Social Security numbers, birthdates, addresses, and, in some cases, driver license numbers of 143 million U.S. consumers. Plus, the hackers stole credit card numbers (209,000 U.S. consumers impacted) and dispute documents containing sensitive data (182,000 U.S. consumers affected). They also accessed a limited amount of personal information about certain Canadian and U.K. residents.

What Equifax Is Doing in Response to the Data Breach

After Equifax discovered the data breach, it hired an independent cybersecurity firm to forensically investigate the incident, conduct a security assessment, and recommend ways to help prevent this type of incident from happening again. Obtaining these recommendations, though, does not guarantee that another breach won’t occur. Equifax did not seem to learn from two previous data breaches. In 2016, cybercriminals stole U.S. W-2 tax information from an Equifax website. And, between April 2016 and March 2017, hackers accessed W-2 tax information from Equifax’s TALX subsidiary (now called Equifax Workforce Solutions), which provides online payroll, human resources, and tax services.

To keep the public informed about the 2017 data breach, Equifax established the Cybersecurity Incident & Important Consumer Information website. It contains detailed information about the incident as well as a tool that consumers can use to determine if their personal information was potentially involved in the breach. However, ZDNet reported that the tool is basically useless since it is giving out incorrect results.

To answer people’s questions about the data breach, Equifax set up a dedicated call center at 866-447-7559. It is available 7 days a week and nearly 24 hours a day. The only time it is closed is between 1 a.m. and 7 a.m.

Equifax is also offering a free one-year subscription to the TrustedID Premier service for all U.S. consumers, even if they have not been impacted by this breach. The service includes identity theft insurance and monitoring of Equifax, Experian, and TransUnion credit files. You can learn more about the TrustedID Premier service on the What Can I Do? page of the Cybersecurity Incident & Important Consumer Information website.

How to Protect Yourself

In the Equifax data breach, hackers obtained sensitive data — including Social Security and credit card numbers — for a massive number of U.S. consumers. Thus, the potential for identity theft and credit card fraud is high for many Americans. Until you know whether or not your data was stolen, it is a good idea to be proactive and take some or all of the following precautions to protect yourself:

  • Do not respond to data breach notification emails supposedly from Equifax, even if they look official. They are likely phishing scams. Equifax will be sending notices via snail mail to the people affected.
  • Monitor your accounts for suspicious activity. Besides checking your monthly credit card and bank account statements, review your online service accounts (e.g., PayPal).
  • Monitor your credit reports. If you are not enrolled in TrustedID Premier or another credit monitoring service, you might want to review your credit reports. U.S. citizens have the right to obtain free copies of their credit reports from Equifax, Experian, and TransUnion once a year. To request them, go to the website, which is the official site sanctioned by the U.S. government’s Consumer Financial Protection Bureau. Alternatively, you can call the staff at 877-322-8228.
  • Tell one of the three credit reporting bureaus (Equifax, Experian, or TransUnion) to put a fraud alert on your credit report. That company must then tell the other two bureaus. The fraud alert makes it harder for identity thieves to open accounts in your name, according to the U.S. Federal Trade Commission. There is no fee for this service. Although the alert lasts only 90 days, you can renew it.
  • Change your Equifax password if you subscribe to one of its services. Although login credentials were not stolen in the breach, it is a good idea to change your password, especially if it is a weak one. If you used that password for other accounts, change those passwords as well. Also, consider enabling two-step authentication on websites that offer it.