The personal information of up to 143 million U.S. consumers has been accessed in a “cybersecurity incident” at Equifax, one of the three major credit bureaus that monitor payments activity and other factors to determine your credit score. The company announced the attack in a press release Thursday.
According to the company, the attacks began in mid-May and continued through July. The information leaked includes names, Social Security numbers, birthdays and addresses — but in rarer cases, hackers were also able to unearth driver’s license and credit card numbers, with the latter affecting roughly 209,000 U.S. consumers. Further, “limited personal information for certain U.K. and Canadian residents” was also accessed, Equifax said.
“Our goal can’t be simply to fix the problem and move on,” Equifax CEO Richard Smith said in a statement. “While we’ve made significant investments in data security, we recognize we must do more.”
It’s not immediately clear how hackers gained access to the company’s files. In its statement about the attack, Equifax said criminals were able to exploit a “website application vulnerability,” but didn’t specify which website or vulnerability. An Equifax spokesman told Mic in an emailed statement the company had “no further information to contribute” beyond the details in their press release.
Equifax says it will notify affected people via direct mail, and the company has created a dedicated website — equifaxsecurity2017.com — for consumers looking to see if their personal details were leaked. The company has also set up a call center to handle inquiries, which you can reach at 866-447-7559.
After announcing the security breach Thursday, Equifax quickly received backlash: First it came to light that three top executives at the firm — including chief financial officer John Gamble — had sold company stock in the days immediately following the discovery of the breach on July 29, though the company claims the staffers didn’t yet know of the security incident at the time.
Then reports emerged that certain users accessing the security website on Thursday night to check if their data had been compromised were unable to find an answer — and that a customer service agent contacted via the phone number said he did not have information about which individuals were affected. Two Mic staffers tested out the website Friday morning, however, and were able to learn that their data had been compromised.
What can you do if your information was leaked? The company says it is offering one free year of TrustedID Premier, a complimentary credit and identity theft monitoring service, including a feature that scans the internet for any appearance of your Social Security number.
In the immediate aftermath of the leak, consumer advocates criticized TrustedID Premier’s terms agreement, pointing to a clause under which users waive their right to participate in a class action lawsuit and must instead agree to lengthy arbitration provisions.
New York State’s attorney general Eric Schneiderman said on Twitter Friday that the language in the clauses is “unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it.” On Monday, Schneiderman announced on Twitter that the company had removed the clauses, and had updated their site to explicitly say that users could use the product without losing the right to pursue legal action. Already, two Oregon residents have filed a class action lawsuit alleging the company was negligent.
How to protect credit and personal data
“This is reason Number 10,000 to check your online bank statements and credit card statements on a regular basis, ideally weekly,” said Matt Schulz, CreditCards.com’s senior industry analyst, in a statement emailed to Mic. “Just because nothing looks amiss on your bank statements or your credit report now, that doesn’t mean you haven’t been compromised. Bad guys can be very patient, so it’s important to keep an eye out long after this story fades.”
Schulz added that if you aren’t doing so already, you should be checking your credit reports for unusual activity. Here’s how to get yours for free — three times per year (see number 4). You might also set up a fraud alert with one of the three credit bureaus: As the Federal Trade Commission explains, once you notify one company, it must inform the other two.
If you’re very worried about your personal information — and have seen evidence of fraud — you can also ask credit bureaus to set up a security freeze. That will prevent anyone able to get their hands on your information from actually being able to open up new lines of credit in your name.
Remember: You can also be vigilant against phishers and other schemes by using rigorous passwords and deleting any emails requesting personal information. It also never hurts to read up on the latest scams that are making the rounds, so you know how to spot them.
Sept. 13, 2017, 7:30 a.m.: This story has been updated.