"We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action," the agency said in an update on EquifaxSecurity2017.com.
Update 9/8/2017: This article has been edited to include a statement from Equifax.
This article was originally published on September 8, 2017.
People who want to check their credit scores generally pull the figures from one of the three major credit bureaus in the United States — Equifax, TransUnion, or Experian.
The three credit reporting agencies collect a vast array of personal data from consumers to calculate credit scores, which can determine an individual's loan-worthiness or the terms of a loan. At a minimum, the accrued information includes Social Security numbers and credit card information that would be nerve-wracking to have stolen.
Yesterday, this information from as many as 143 million people in the U.S. — about 44% of the population — was leaked after a cybersecurity breach of Equifax's database.
"The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed," the firm said in a statement. "As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents."
Equifax says the breach occurred from mid-May through July 2017, and they urge consumers to "check potential impact" at a dedicated website, which you can do here. They've also opened a call center line (which will be open on weekends), and recommend that people with questions check www.equifaxsecurity2017.com for information.
Robert Harrow, a credit expert at ValuePenguin, tells Refinery29 that he advises people who are worried about their information being exposed to consider placing a temporary fraud alert on their credit report for now.
"Consumers can contact just one of the three credit reporting bureaus to place a fraud alert," he says. "The bureau that is contacted is required by law to share the alert with the other two bureaus. A fraud alert tells lenders that the consumer in question is a potential victim of ID theft. This signals to the lender to take extra caution in verifying their ID every time a new account is opened in their name."
Harrow says the alerts last 90 days, and that consumers can secure an extended fraud alert that lasts seven years by filing a police report indicating they have been a victim of identity theft.
Freezing one's credit report is another, "more drastic action" that Harrow says can be done independently of Equifax. To do so, individuals must contact each of the three bureaus and make the request. This option prevents lenders from pulling your credit report, "and ostensibly keeps anyone from being able to open an account in your name," he continues. But, he adds, "it is not a good option for someone who plans to apply for credit, such as a mortgage or auto loan in the near future. To do so, they will need to unfreeze their credit reports first."
It will take a bit of time to determine exactly what the breach means for each person, but Harrow has a simple lesson moving forward: remain alert about your money outlook.
"Check your credit report periodically, even if you have no special reason to suspect irregularities with your credit," he advises. "Everyone is entitled to a free credit report from each credit bureau — Experian, Equifax, and TransUnion — once every 12 months."
Equifax is giving consumers the option to enroll in TrustedID Premier by November 21, 2017, "regardless of whether your information may have been impacted. The service touts five complimentary offers, including receiving copies of your Equifax credit report, monitoring and alerts of changes to files through all three bureaus, placing a credit report lock that prevents third parties from pulling the information, Social Security number monitoring, and up to $1 million in identity theft insurance (subject to terms and conditions).
The offers might seem 100% above-board, but Harrow says that consumers might want to wait on more information before they accept.
"We're still digging into the implications of signing up for Equifax's TrustedID service for consumers," he says. "Since the announcement last night, there has been a lot of confusion over how their service will help, when it will start working, as well as language in the terms and conditions on opting out of a class action lawsuit if consumers sign up for the service. In light of this, we recommend that consumers wait on Equifax to provide more clarification on what this will mean for them."
In other words, you can check whether you're part of the security breach, free and clear. But if you are part of the breach and decide to enroll in Equifax's TrustedId Premier program, you won't be able to sue the agency, class action or otherwise.
Finally, it might be wise to refresh the passwords on your major accounts, steering clear of options that use information potentially stolen in the breach. Check out these suggestions for creating an un-hackable password.