An unknown number of Canadian and British citizens are among the 143 million customers affected by the Equifax credit bureau hack.
Hackers stole names, social security numbers, addresses, birth dates, driver’s license numbers and approximately 209,000 credit card numbers using what Equifax is calling a “U.S. website application vulnerability to gain access to certain files.” The files affected are from May through to early July 2017 and while Equifax reports that there was no unauthorized access to core consumer and commercial credit reporting databases, Equifax also identified unauthorized access to “limited personal information for certain Canadian and U.K. residents.”
This is a major catastrophe for those affected. Unlike other breaches, it looks like this one exposes everything cyber thieves need to commit identity theft and more in your name.
“For those affected, they will need to be diligent in monitoring their financial life forever,” says Kelley Keehn, personal finance expert and author of Protecting You And Your Money – A Guide To Avoiding Identity Theft and Fraud
So what do you do if you are one of the unlucky Canadians who are affected and how can anyone properly protect themselves from identity theft going forward?
Put your credit file on ice
“It’s important that people realize that more than likely their Social Security or Social Insurance number is in the hands of a criminal. In 2016 alone, there have been almost 4 billion records compromised globally,” says Robert Siciliano, CEO of IDTheftSecurity.com.
“On a scale of one to ten, I’d say this breach is about a nine and the reason I don’t say a ten is because as far as we know the only data not involved in this hack is mobile phone numbers and biometric information.” he says.
In cases like this, both he and Keehn recommend those affected put a Fraud Alert (known as a credit freeze in the U.S.) on your credit file. This means that lenders will have to verify your identity before they can issue credit in your name. They may personally call you or require additional identification if you are trying to obtain credit in person. An initial fraud alert lasts 90 days, but if you are a victim of fraud or identity theft a fraud alert can be placed on your file for seven years with proof that incident took place. A Fraud Alert entitles you to one free copy of your credit report and once you notify one credit reporting company such as Equifax, they are legally obligated to notify the other one (TransUnion) on your behalf.
“If you don’t know if you’ve been affected, you can still put a pro-active credit alert on your file with each credit monitoring service for a small fee,” says Keehn.
“Check your credit report often, keep track of your mail,— if some of it goes missing, that might be a red flag your mail is being diverted by a criminal — change all of your passwords and PINs, notify all financial institutions that you deal with and check your bank and credit card statements meticulously.”
Of course, doing all this takes time, but you don’t necessarily have to do it all yourself.
Peace of mind for a small fee
For those who want to be extra pro-active Keehn and Siciliano both recommend investing in Identity Theft Protection.
“I know for some that might ring hollow due the fact that Equifax is one of the largest suppliers of identity theft protection services compromised, but that does not mean you shouldn’t engage in identity theft protection because you should,” says Siciliano.
Equifax isn’t the only company to offer this additional layer of protection. Companies like idAlerts will offer identity theft protection, detection and recovery services for about $20 per month, per person. This includes 24/7 monitoring of your credit file, notifications of any changes to your file, full recovery services if your identity is ever compromised and unfettered access to your credit report and credit score (Canadians are entitled to one free credit report per year).
“Security is all about layers of protection like when your mom tells you to wear multiple layers in the winter time,” says Siciliano. “The more layers you have, the more secure you’re going to be and the level of notification provided by Identity Theft Protection can give you real time insight as to how your credit is being used.”
Often these companies also monitor the dark web – the part of the internet only accessible through an IP address masking service such as Tor and frequented by criminals selling personal information to the highest bidder – so if your information is found anywhere in these nether-regions of cyberspace, you will likely be notified as well.
“Any identity theft protection service worth their salt also has advocates in place that will fix an identity that has been compromised,” says Siciliano. “They have relationships with various government agencies, various credit reporting agencies, lenders and all the organizations on the planet that are dealing with identity theft because their clients or customers can be affected. On your behalf they will make the phone calls, send the emails and reset the clock in regards to your identity through a limited power of attorney.”
This allows people to avoid the hassle of proving their identity multiple times to various lenders and makes sure the recovery process is done properly with nothing missed because everything is in in the hands of a professional.
Can you still trust Equifax?
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Equifax Chairman and Chief Executive Officer, Richard F. Smith in a statement. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
But can you really trust Equifax to keep your data safe?
“No, people should not trust them,”Siciliano says.
“That being said, this does not mean that you should not engage them. I don’t necessarily trust my government, but I still engage them. I don’t necessarily trust the guy who’s driving behind me, but I don’t have much of a choice in the matter. I don’t necessarily trust these corporations, but I still engage them because I do need them.”