NOTICE: What to do if you are affected by the Equifax data breach

Monday, September 11, 2017

September 11, 2017, Update

Information Assurance recommends that anyone who may have been affected by the Equifax data breach take the following five actions:

  1. Put a fraud alert on your credit report. You can put a fraud alert on your credit report for free by contacting one of the credit agencies, which is required to notify the other two. This means you'll be contacted if someone tries to apply for credit in your name. The alert will last for 90 days and can be renewed. You will need to remember to renew it; you will not be notified when it expires.
  2. Keep an eye on bank account and credit card statements. Monitor your financial and credit card accounts to look for any suspicious activity. It is always a good practice to check your online statements regularly and often. 
  3. Check your free credit reports. This will let you see if anyone has requested a check on your credit. This happens, for example, if someone tries to open a new credit card or apply for a loan in your name. Under federal law you are allowed to request a free copy of your credit report once a year from each of the three credit reporting agencies: Equifax, Experian, and TransUnion. You can request a copy of your credit report at annualcreditreport.com.
  4. Turn on two-factor for Weblogin and for personal accounts. Use two-factor wherever you have the option to do so. Two-factor protects your most valuable accounts, including email, social media, and financial. See Turn On Two-Factor for Weblogin and Two-Factor for Your Personal Accounts.
  5. When in doubt, delete or ignore. Scammers and others have been known to use data breaches and other incidents to send emails and posts related to the incident to lure people into providing sensitive information. Delete any suspicious emails or posts, and get information only from legitimate sources.

In addition, you might consider:

  • Sign up for a credit monitoring or identity theft protection service. The University of Michigan provides optional credit monitoring and identity theft services to employees through CyberScout with annual enrollment in the U-M Legal Services Plan. Note that most credit monitoring services only track your credit reports; they do not monitor and alert you to suspicious activity on your credit card or in your bank accounts. 
  • Freeze your credit (be aware this can be inconvenient). A credit freeze blocks anyone from accessing your credit reports without your permission. Though this is a worthwhile action, it can cause you inconvenience. If you want to take out a loan or open a new credit card, you'll have to contact the reporting agency to temporarily lift the freeze. In addition, you will be charged a fee to freeze your account. The charge varies by state, but commonly ranges from $5 to $10. 

Reference: 5 things to do right now if you're worried about the Equifax hack (CNN, 9/10/17)

September 8, 2017 Notice About Equifax Data Breach

The information below was sent to the IT Security Community and Frontline Notify groups on September 8, 2017.

Equifax, one of three nationwide credit-reporting companies, has announced a data breach affecting as many as 143 million Americans. According to CNN: "Cyber criminals have accessed sensitive information -- including names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses. Additionally, Equifax said that credit card numbers for about 209,000 people were exposed, as was 'personal identifying information' on roughly 182,000 customers involved in credit report disputes." (Giant Equifax data breach: 143 million people could be affected).

What You Can Do

Information Assurance recommends:

  • Turn on two-factor for Weblogin and for personal accounts. Use two-factor wherever you have the option to do so. Two-factor protects your most valuable accounts, including email, social media, and financial. See Turn On Two-Factor for Weblogin and Two-Factor for Your Personal Accounts.
  • Keep clean machines. Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
  • Monitor activity on your financial and credit card accounts. Check your online statements regularly and often. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus; this is free and may be included if credit monitoring is provided post breach. For more information, visit the Federal Trade Commission website identitytheft.gov and annualcreditreport.com.
  • When in doubt, delete or ignore. Scammers and others have been known to use data breaches and other incidents to send emails and posts related to the incident to lure people into providing sensitive information. Delete any suspicious emails or posts, and get information only from legitimate sources.

Equifax Response

The Information Assurance Office offers the following information, but leaves it to the individual whether they want to follow the steps below. Be aware that by signing up on Equifax’s help site, you risk giving up legal rights to sign up for a class action lawsuit or take individual action.

Equifax has created a website—www.equifaxsecurity2017.com/potential-impact—where you can check to see if you are affected. Visit the site, click the Check Potential Impact button, and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.

Next, you will be given an opportunity to enroll in TrustedID Premier, an identity theft protection service, and provided an enrollment date. Make sure to put this date into your calendar, as you will not be reminded of it.

See the references below for additional information about the breach and dealing with identity theft.