What, you may be asking, does the Equifax data breach this week have to do with genealogy?
The answer is actually twofold.
- Everyone who works with genealogy now lives in a technology world – or you wouldn’t be reading this.
- People tend to use pieces of information to secure accounts – like their mother’s maiden name, their address, birth location and other pieces of data that they can remember. Don’t. Just Don’t. I’m begging you!
And please, please read this article, even though it’s not specifically about genealogy. I spent 30 years in the technology industry, and believe me, if your identity is stolen or your finances compromised, it WILL interfere with your genealogy research, big time.
I don’t normally discuss news items, but this security issue is mammoth, the largest breach ever, and could potentially destroy your credit and compromise your identity, either or both.
What’s worse yet, the breach itself occurred mid-May through July, Equifax discovered it on July 29th, but consumers weren’t notified until September 7th, 5 weeks and 5 days later, and then only in the news, not personally. That means that the crooks have had between 6 weeks and 4 months to use or to sell, or just hold your information to sell later.
You can read more about the breach here and here as well as a New York Times article with an update and additional instructions this morning, here.
Please do read those articles to understand the magnitude of this issue. The breach affects more than 143 million people, mostly Americans, with an additional 209,000 credit card numbers stolen as well, along with 182,000 “dispute documents” with additional information.
The US has about 260 million adults, so roughly 55% of the adult population has been affected by this breach. In other words, there is more than a 50% chance that your personal information, enough to file a tax return on your behalf and claim your return, among other things, is among thieves right now, on the black market.
And no, I’m not exaggerating.
Not. One. Bit!
AND, that’s just how many account records are known to be compromised. Equifax may not know the full extent of the breach.
If your spouse’s records are compromised, and yours aren’t, you may think one of you is safe. But guess again – because your life, credit and resulting misery is inextricably linked together.
If one is breached, both are breached. Period. So the actual breach numbers may actually be closer to 100%, based on “breach by marriage.”
My husband and I have been working on this issue all day today (and no, we didn’t have anything better to do, thank you for asking) and discovered that our shared account numbers are listed, with both names, of course. My accounts are his, and vice versa. Initially, only one of our Equifax accounts was reported as breached, which would have provided a false sense of security for one of us, until we looked closely.
However, later today, both accounts were reported as breached.
What Was Taken?
Equifax and other credit reporting agencies routinely track your credit history, including account numbers, as well as identifying personal information.
Information about consumers stolen from Equifax includes or may include:
- Name and Addresses (current and old)
- Credit History including balances and balance available
- Account Numbers
- Social security numbers (the hottest most desirable piece of your information for crooks)
- Birth dates
- Driver’s license numbers
The aspect that make this breach so serious is that it includes multiple pieces of information that should be unique to identifying you – such as your birthdate and social security number. You can’t change those or get new ones to protect yourself – and the crooks know that.
Additional information in your file that Equifax has not said was or was not compromised includes:
- Employer and position (current and former)
- Employment dates
- Phone numbers
- Spouses name
I would presume that this too was compromised.
If you think your information isn’t at Equifax, you’re wrong, because Equifax, as well as the other credit reporting services, routinely gather identifying and financial information about everyone.
How Do I Find Out About My Information?
Equifax has set up both a telephone hotline (that is, *surprise*, entirely jammed) and a website for you to enter a partial social security number along with your surname to determine if your account was compromised.
Click on the tab at the top of the page that says “Potential Impact.”
If your data is not known to be part of the breach, you see a notice to that affect, but note that the wording is not definitive. It says:
“Based on the information provided, we believe that your personal information was not impacted by this incident.”
However, and this is a HUGE HOWEVER, when I tried this a second time, to be sure of the wording for this article, I got the opposite result for the same person, which said,
“Based on the information provided, we believe that your personal information may have been impacted by this incident.”
Bottom line, I don’t think Equifax knows for sure and their system appears to be flawed, so ASSUME YOUR DATA HAS BEEN BREACHED.
If your information is known to be part of the breach, you are given the option for free credit monitoring, BUT, you must remember to return to the site on a specific date to begin credit monitoring. Personally, I think they should be required to provide this service AT A MINIMUM for everyone, but they are not. Neither are they making it easy.
Equifax provides you with a date that you must return to their website to set up credit monitoring service. Mine was September 11th. You have to remember. They aren’t going to remind you. This credit monitoring service is initially free, but becomes a chargeable service at some point in the future AND you have to relinquish your right to sue in order to obtain this free service. So yes, strings are attached.
Furthermore, a free year of monitoring won’t help you in the future, beyond year 1, when the crooks still have your data. The crooks know this and may simply wait for a year to begin using the information. You must assume your data base been breached permanently and act accordingly.
Worse yet, a free year of monitoring at Equifax, or even permanent monitoring at Equifax won’t help you at the other reporting agencies. The crooks can and will take your valuable information and simply use it elsewhere.
What Is Credit Reporting and Monitoring?
Credit reporting companies like Equifax gather information about you and your credit, including open and closed accounts, so that when you apply for a loan, the loan originator (the bank for example) only has to call one of three credit reporting services to obtain your information and verify that you are a good credit risk – instead of calling each of your current and past creditors individually.
Equifax is one of those services, along with Experian and Transunion.
A credit monitoring service, offered by a credit reporting company life Equifax, reports activity to you when it occurs on your account. That means if someone applies for a new credit card in your name, you are notified. That does NOT mean that the transaction is prevented. This also does nothing to stop other fraudulent activities, such as filing for your tax refund, running up medical bills in your name or charging items on an existing credit card.
Or, worse yet, using your information in your stolen Equifax account information to attempt to hack your passwords at banks, Paypal, etc.
There are other options for consumers, in addition to or instead of a credit monitoring service, such as a credit freeze or a fraud alert, which we’ll discuss just as soon as we talk about passwords and security questions.
Don’t Use Familiar Records as Part of Your Password or Security
Using information about you that is publicly available, or available in your credit report allows the crooks to crack your passwords much easier. And yes I’m referring here to passwords for financial accounts like bank accounts, retirement and investment accounts and Paypal.
DO NOT USE:
• Your mother’s maiden name
• Your address
• Your previous address
• A pet’s or child’s name or any name that can be found publicly, on any service like Intellus or social media platform like Facebook
• A hobby that is discussed publicly in any way (so genealogy, DNA, genetic genealogy, quilting and gardening words are all out for me)
• The name of a school that you attended
• Your, your parents’ or grandparents’ birth locations
• A date such as a birthday or an anniversary
• Pretty much anything you can remember easily
Let’s look at steps you need to take to protect yourself.
Twelve Fourteen Steps to Protect Yourself Right NOW!!!
Yes, I added two more steps because it’s critical to protect yourself and your family, now. Please complete ALL of these steps to secure yourself.
• First, check the Equifax site to see if your information is known to be breached. Regardless of their answer, assume that it has been.
Click on the Potential Impact tab.
• Second, order a free credit report, which you can do once yearly, from Annual Credit Report at the link below. Do NOT fall for scam sites that offer free reporting or your credit score.
Order a report from all 3 credit reporting companies to be sure that no fraudulent activity has taken place to date and that your report is accurate.
Unfortunately, and somewhat maddeningly, when we attempted to order our free credit report online for Equifax, the process has changed and we now have to fill out a form. Yes, I know their system is probably overwhelmed by this, BUT, making receiving a free credit report to which the consumer is entitled at a time like this difficult is reprehensible. Do whatever you have to do to obtain your reports, because this breach is incredibly serious. Do not be deterred.
• Third, while credit monitoring only tells you what has already taken place, placing a fraud alert on your account means that a lender must contact you to verify your identity before issuing credit in your name. However, this can only be done for 90 days when it expires. You must renew it every 90 days at Equifax, Transunion and Experian, all three. Again, the results of this breach will be very real for years, so 90 days isn’t going to help you if you forget to call and put the alert on your account every 90 days.
• Fourth, put a credit freeze on your account. A credit freeze actually freezes your account at the credit reporting agencies, meaning that if you are going to apply for credit, you have to go into your credit account and unlock your account with your pin to unfreeze the account, then refreeze it when you are done applying for new credit. The credit freeze service isn’t free in every state, but typically costs under $10, if anything, and is a whole lot less than the headaches you could have otherwise. Be sure to freeze your credit at all 3 credit reporting companies. This is what I’m doing. You can read more about this process here.
• Fifth, many credit cards have an option to notify you when charges are made on your account through text messaging before the end of the month when your bill is sent. Visit your credit card provider to see if this option is available, enabling you to catch fraudulent credit card activity immediately instead of later when your bill arrives.
• Sixth, monitor your credit card bills closely. Look back over your accounts since April. You might want to close any accounts you don’t need or use anymore.
• Seventh, change your passwords on existing accounts, everyplace, just in case, especially any that include any piece of information that even MIGHT be held in a credit report or public location.
DO NOT use any type of identifying information such as your place of birth, mother or grandmother’s maiden name, or anything else that is in any way publicly available on a social media site, your tree at a genealogy site or anything else that can in any way be associated with you.
• Eighth, at tax time, file your return immediately, as soon as possible. Guaranteed, if the crooks target you, they’ll file as soon as they can and you won’t find out you’ve been scammed until the IRS tells you that they already processed your refund and it’s long gone.
• Ninth, be sure, absolutely positive, that your spouse takes these steps too, because if they are exposed, so are you!
• Tenth, help family members that are not technologically savvy to be sure they are protected. The elderly are often targets.
• Eleventh, this could not have happened at a worse time with hurricane Harvey in Houston and Irma positioned to strike Florida. Be sure family members in those locations who are distracted presently are aware that this security issue occurred, that their data may well have been breached, and that they need to take action – sooner rather than later.
• Twelfth, take action NOW. Delay may well mean money – yours – gone – in someone else’s hands.
• Thirteenth, check your children’s names and social security numbers at the credit agencies. Social security numbers of children are considered high value items, because they last so much longer. Young children shouldn’t be in the system, but teenagers, you never know and much better safe than sorry.
• Fourtheenth, never ignore what seems like a “mistake” on a credit report, such as a misspelled name or an extraneous address. On my husband’s report, his name was misspelled, only slightly, in one “odd” entry and it turns out that someone had run up bills in his name in another state. When the creditor attempted to collect by contacting my husband, that’s when my husband discovered the issue. This also pertains to reported unpaid medical bills on your credit report. I know of someone who supposedly had a baby and was billed by the hospital for an exorbitant amount after her identity was stolen.
You can visit the Federal Trade Commission site to learn more about identity theft and how to protect yourself.
Ok, when you’re done with all that, feel free to resume genealogy research!
However, from here forward, you can never be complacent or really rest easy, because your identity truly is in jeopardy, forever.
Please note that these actions may not be the only actions you’ll need to take to keep yourself safe, now, or over time. This story and the ramifications are still developing. Please educate yourself and follow credible news sources.