Equifax Breach – Resources and Next Steps

The recent Equifax data breach has many consumers worried about possible identity theft – around three million consumers in Massachusetts may have been affected, out of 143 million nationwide. Here are some steps you can take, and some steps your state legislators are taking, to protect your information.

What you can do:

Go to www.equifaxsecurity2017.com to see consumer updates and determine if your personal information has been impacted using the “Potential Impact” link. If your information has been compromised, you can choose to enroll for free in one year of Equifax’s TrustedID Premier credit file monitoring program, which will alert you of any attempts to access your information or open accounts without your permission. Enrolling will not waive your right to take legal action. You can also call Equifax at 866-447-7559 to check if you have been affected by the breach or to ask other questions.

The Attorney General, who has announced intent to sue Equifax, has released a set of recommendations about how to protect yourself against identity theft, whether or not your information has been compromised by the Equifax breach.

First, you should consider placing a credit or security freeze on your files. This makes it harder for someone to open a new account in your name, although it won’t prevent someone from making charges to an existing account. If you want someone to be able to review your credit, you will have to lift the freeze. It is important to place a freeze at all three credit reporting agencies, because fraudulent accounts may be opened with companies that report to the other bureaus besides Equifax (Experian or TransUnion). There may be about a $5 fee per credit bureau for placing, lifting, or removing a freeze. This is one of the strongest precautions you can take against identity theft. The FTC has more information on credit freezes.

You can also check your credit reports for free at www.annualcreditreport.com or by calling 877-322-8228. This will allow you to identify identity theft if there are any accounts or activity you don’t recognize. You can order a free report from each of the three credit reporting agencies – Equifax, Experian, and TransUnion – once per year. You can then file a fraud alert with the credit bureau, which puts them on notice that your information has been compromised.

The Attorney General also recommends you try to file your taxes early, so that someone who has stolen your social security number can’t file them first. Some scammers will also contact you saying they are from the IRS – don’t believe someone who says you’ll be arrested unless you pay your taxes, even if they have your full social security number.

If you do believe you are the victim of identity theft, visit the FTC’s website to develop and implement a recovery plan.

What the legislature is doing:

An Act removing fees for security freezes and disclosures of consumer credit reports, S.130 sponsored by Senator L’Italien and H.134 sponsored by Representative Benson, updates Massachusetts law regarding consumer reporting agencies’ responsibilities to protect consumers from identity theft. The bills reduce the fees necessary for obtaining important information such as a credit report in the case of identity theft.

Currently, every consumer reporting agency is required to advise consumers of their rights with a written notice. You have a right to obtain a copy of your credit file for up to an $8 fee. S.130 and H.134 amend current law (Section 56 of Chapter 93) to say that you are exempt from this fee if you have been a victim of identity theft and you submit a valid police report relating to the theft.

H.134 also removes a portion of the existing law (Section 59 of Chapter 93) that says that national consumer reporting agencies can charge up to $500 for copies of consumer reports. Additionally, both bills state that a consumer reporting agency wouldn’t be able to charge a consumer for any disclosures or copies of consumer reports for consumers who are victims of identity theft if the victim had submitted to the consumer reporting agency a valid police report relating to the identity theft.

Finally, S.130 and H.134 amend current law (Section 62A of Chapter 93) to say that a consumer reporting agency cannot charge a fee to any consumer who elects to freeze, lift, or remove a security freeze from a consumer report.

These are important changes that could make detection and prevention of identity theft and fraud easier for consumers. Both of these bills are scheduled to be heard by the Joint Committee on Consumer Protection and Professional Licensure next week, on September 26, at 1:00 pm in room B-1 at the State House.


Aja Watkins
Senator Brownsberger’s Office

If you have links to other useful resources or have other suggestions for legislation, please do post them as comments here!

24 replies on “Equifax Breach – Resources and Next Steps”

  1. If one is breached the others may be as well. And freezing accounts… would be good if this was not at a cost to consumers. Anytime a consumer does something re credit, debt, it is soon reported to the three. When they mess up and allow a major security breach to affect millions in the US, the UK etc. freezing accounts should be FREE at all three agencies. And that I think may be the law in some states and should be here in Massachusetts.

  2. Consumer Reports says Equifax should:

    1. Pay to freeze victims’ files at all bureaus.
    2. Monitor victims’ histories for free indefinitely.
    3. Explain each customer’s specific damages.
    4. End all mandatory arbitration clauses.
    5. Hire trained staff to resolve disputes quickly.
    6. Compensate current victims for all future damages.
    7. Prosecute insider trading violations.
    8. Preserve all records related to this scandal.

  3. Contacting Equifax to see if your information has been compromised is useless. All you get is “maybe not…” or “maybe…”

  4. An additional option of prohibiting these agencies from reporting and collecting credit information if requested by the consumer (if they cannot be responsible – then we should be able to prohibit them from selling our information). Also there needs to be a very stiff penalty payable to the consumer like $20,000 per person per occurrence.

    1. Agreed. These criminal organizations exposed all of us to enormous risk entirely for their benefit, not ours. Permission to do business needs to be revoked.

  5. Freezing accounts by phone is not hard, but it is very tedious, needing, in our case, many phone calls. Whenever the phone system told us that we were not eligible to place a freeze by phone we were advised to mail our most sensitive personal information to the agency at a mailing address that led with: “Credit Freeze”. Seemed too risky (perhaps even stupid), so we would just hang up and try again a few hours later. Eventually we were able to freeze all three agencies using the automated telephone systems.

    Good to see efforts to make this process free for consumers! Seems like a rip-off to have to pay to protect ourselves from their vulnerability.

    More importantly, I suspect that the majority of consumers are not going to do any of this! Seems to me that we (we the people) are going about this less proactively than we should - would it not be better to require all three agencies to freeze EVERYONE’s reports and contact consumers with instructions to unfreeze as required? Certainly creditors needing credit reports could tell their prospective clients, on an as-needed basis, that in addition to filling out the application they also need to lift the blanket freeze. With a breach this massive, aren’t extraordinary measures warranted? As it stands, I am sure there are many citizens who will not be able to take the required steps to protect themselves, and everyone deserves to be protected from these criminals.

  6. One can’t help but note in passing that as the government gets itself in high dudgeon regarding the Equifax breach it lets itself off the hook for the OPM breach (on standing and sovereign immunity grounds) which arguably released far more sensitive and damaging personal information. See

    A take-away might be that if the private sector allows unauthorized access to your data you have recourse in the courts whereas if the public sector does the same thing you don’t.

    Perhaps the Senator would caution us against arriving at this conclusion but it does give one pause when one reflects on the amount of personal data held by various city, county, state, and Federal governmental organizations. One remains hopeful that the custodians of this data are more diligent than the folks at OPM.

  7. Methinks that the upper echelon of people that run Equifax (EFX), like the CEO, CFO, etc. were playing games with the “financials”.

    They didn’t want to spend the extra money to update security to keep the profits HIGH so that they could collect their performance bonuses.

    They use the mantra “maximize shareholder profitability” while they shirk their “fiduciary responsibility”.

    They’ve “bastardized” the rules to fill their own pockets. They would fire you or me if it would make the margins for them to get a big, fat bonus check.

    Like they weren’t overpaid in the first place. They opened up everybody’s personal info to hackers, jeopardizing our financial future safety.

    They were too busy rushing to the exit door to sell their shares of EFX for their own personal gain.

    The greed never ends.

  8. Equifax has shown gross negligence in its duty to protect our most sensitive data. The three credit bureaus profit by selling our financial transactions to companies for marketing purposes, and charge us to check our credit reports. My information and 140 million others have been compromised. You can’t cancel and get another social security number and now we all have to worry who has that info for the rest of our lives. They need to do better than simply giving us a free year of credit monitoring and should be held liable for any financial damage the victims suffer as a result of their negligence.

  9. When the Boston Globe subscriber database was compromised about a decade ago, I cancelled my subscription and got a new credit card. After Equifax was breached, I kept my credit card, froze my record, and would have cancelled my subscription if I could. I kept the card knowing there were other lines of defense.

    I’ve been told that it’s SOP for identity thieves to bide their time as they triage the records, tranche them, then solicit bids on the black web. So the higher your credit score, the higher the price that your record may sell for.

    All this prep takes time, and then more time for whoever obtains your record to make a move. Probably a little one at first to see if the transaction goes through. So watch for bogus purchases on your credit card and contest them with the CC company and the vendor if necessary. I find my CC Co is pretty vigilant. It contacts me from time to time to verify purchases and is responsive to my queries. I would not say that’s true of the three reporting agencies. I’ve set up a firewall at Equifax. It went pretty smoothly. And thanks to this post I’ll do the same at the other two. Marginally more peace of mind is worth at least five dollars to me.

    If you got hit in this (and I’m pretty sure you did), my sense is that it’s unlikely that someone will make a major purchase or get a loan in your name, especially within a month of the breach, so if you plug all your holes expeditiously, your boat probably won’t sink.

    That said, please don’t pay for stuff with your phone. That’s asking for trouble.

  10. I am on the list of people whose information was compromised. No consumer should have to pay a fee for a security freeze, or to temporarily remove it when applying for a loan. There should be multiple lines of defense before anyone has access to our information (e.g. confirmation code sent via text).

    There is no incentive for companies to increase security. Since it costs money, they don’t. We are not customers to these companies. Selling our data is how they profit. It is up to our government to protect us from this threat.

    1. Agree with Anthony. These companies are for profit and represent their clients, i.e. financial institutions not those of us caught in the crosshairs of big business and their financial sponsors.

    2. Massachusetts law needs to recognize the personal private identifying information of its citizens as their own property.

  11. I agree with the proposals above as a first step. But the law should require that any company that has a breach of sensitive customer information notify those affected within a reasonable time (days not months). And there should be fines that scale with the number of people affected that cannot just be deducted as a cost of doing business.

  12. Will,
    Appears to be much misinformation out there regarding freezing credit, and obtaining monitoring. But may I first say this: would you want the very company who already failed to protect one’s personal information “protecting” one’s credit?
    Also the price for “freezing” credit inquiries is $19.99/month. It’s useless to freeze credit on only one bureau; one must freeze on all three. To the tune of $60/month?
    There is a clear lack of professional integrity.
    The websites for the other two credit bureaus are obtuse and contradictory. One did not publish its prices for its services; a credit card was required before a price was indicated.
    What I found out after perusing the websites for these credit bureaus is the lack of clear articulation of services suggesting the extreme lack of regulation.
    I hope Massachusetts can lead the country in helping to regulate this industry.

    1. I would also like to add that on the Experian website the pop up was “this is not a secure site.”
      The irony!!!

  13. The proposed bill S130 is a typical half-measure that’s inadequate. Credit reporting agencies are well paid by financial institutions and merchants who don’t adequately protect our data and identity. Then the legislature after being lobbied by the industry proposes to reduce the fees that Big Finance charges us when they’re negligent? Maybe that’s why voters have so little regard for their elected representatives. Consumers should have the right to free freezes, lifts, credit reports and other means of protecting against identity theft. That’s what a legislature that represents its consumer constituents should enact. No one should have to prove identity theft or show these agencies a police report to get these basic protections. Do you think consumers will scam credit reporting agencies to get free reports and freezes?

    1. Concur, and withdraw my comment not minding on paying for peace of mind. The lege should also do something about arbitration clauses in CC contracts. Arbitrating credit disputes ties consumers’ hands and hardly ever works out for them. If no-competes can be reined in, why not credit arbitration too?

  14. Thanks Will for the information, I am so happy to hear that MA is on the forefront for taking action against Equifax with AG Healey’s lawsuit. I hope other states and the federal government will follow. It was reported that several top executives at Equifax sold their stocks for millions after they found out about the breach but BEFORE they told the public. How is this not insider trading? These executives should be put in jail. I mean seriously, that stock money should just as well be dispensed to everyone whose data was breached.

  15. What I find interesting here is that the cause of the breach is fairly ordinary and, IMO, reveals more or less average security practices (unlike their Argentinian branch security problems which are horrendous). A vulnerability in software they use was found and reported worldwide in March and someone took advantage of them not patching it by May.

    The cat is out of the bag re. private information. Given the state of the art in the computer software industry, companies are not able to keep your information safe. Some of the above seems a good response to that, in that it helps our ability to deal with this reality. What else could be done to get us to where your address and SSN are not critically sensitive info? And if we did do those things would it create privacy or government intrusiveness problems?

    I joke to other programmers at work that this makes my life easier. I used to worry about keeping my home computer secure. But since my SSN and address are the most sensitive pieces of info on there and the other computer systems in the world holding that same info cannot be trusted, I can take it easy securing my own system and only worry about the inconvenience factor of hard drive trashing vs. the harder problem of avoiding info leakage.

  16. Regarding how to protect ourselves: I found US PIRG’s Kathryn Lee’s instructions more comprehensive than the AG’s recommendation: https://medium.com/u-s-pirg/pirg-security-freeze-and-identity-theft-prevention-tips-85fc747215c1

    Three clicks and credit frozen at all three institutions. A one-time $10 for all three, and each member of your household… Also, you need to pay to unfreeze.

    Regarding last year Equifax lobbying against protection for victims of data breach: see Represent.us post and link behind: https://www.facebook.com/RepresentUs/photos/a.558370124176863.139565.518194348194441/2008246712522523/?type=3&theater
