Our Thoughts on the Equifax Hack

We’ve received several inquiries from clients who are asking basically the same set of questions: 

  • Am I at risk following the Equifax hack?
  • What can I do to protect my finances following the breach?

What Happened?

In short, hackers broke into Equifax’s credit database sometime in May. The hack was discovered in July, but wasn’t made public until early September. It’s estimated that 143 million records have been accessed by the hackers, or roughly 44% of the population of the United States (Canada and some other countries are included, too). 

Although unimaginable, this breach is far more serious than when retailers like Target or Home Depot are hacked. In those cases, thieves might get a credit card number, name and address, but likely little else. With the Equifax hack they have likely stolen Social Security numbers, past address information, account histories, etc. 

What Can You Do About It?

  1. Equifax has created a dedicated website that provides more information about the breach and a tool to determine if a consumer has potentially been affected (equifaxsecurity2017.com). Equifax is offering one year of free credit monitoring for those who’ve been affected by the breach (www.trustedidpremier.com/consumer-registration/html/personal-info.html) and we suggest taking advantage of this (note it is a two step process, once you submit information you will receive an email that you need to follow to complete the process). While there were initial concerns that by participating in this offer you would be giving up rights to participate in likely class action lawsuits against Equifax, that provision has been set aside. If you don’t want to take the offer from Equifax you can pay for a similar monitoring service.
  2. Check your credit report for free at annualcreditreport.com. Each of the three credit reporting companies (Equifax, Transunion and Experian) are all required to provide you with one free look at your report every year. You can thus pull a report from each every four months to keep on top of the financial accounts linked to your Social Security number. 
  3. Strongly consider placing a freeze on your credit (ncdoj.gov/freefreeze ). This makes it very difficult for others to access your credit report without your express authorization. This can make applying for new credit like auto loans or new credit cards somewhat cumbersome. But it is also the strongest protection for your financial information available today (see links below).
  4. If a freeze is a bit too drastic, you can place a fraud alert on your credit record with each of the credit companies. This will remain in effect for 90 days, and is often free. This will trigger a notice to you any time someone tries to open new credit in your name, though it can be somewhat involved to remove the alert. Each of the companies has instructions for how to do this on their websites (see below). 
  5. Always monitor your credit card and bank statements, but now be especially vigilant for charges that you don’t recognize. 
  6. Actively work to replace and update your passwords and security questions. If you had an account with Equifax (beyond your credit file), change the password on that account, and any other website where you used the same password. The best practice for a complex password these days is a long phrase that you can remember easily but is not widely known, which combines numbers and letters (knowledgebase.uchicago.edu/16276 ). If you want to take this a step further, consider a password generator / manager such as Lastpass, Dashlane or Roboform; these are subscription services which maintain your logins to meet website login requirements across computer and mobile platforms. 
  7. Consider putting a security freeze on your Chex Systems consumer report. Banks and credit unions use Chex Systems to identify accounts closed due to bank fraud, ATM abuse, substantial NSF transactions, overdrafts or similar, negative information. By placing a security freeze with Chex Systems, you can help prevent credit, loans, and services from being approved in your name without your consent. Once protection is in place, new account activity such as opening a bank account will be prohibited until you lift or remove the freeze, though normal banking activity should remain uninterrupted.

Freeze your Chex Systems report here

For either a Freeze or a Fraud Alert, contact:

What About Your Investments?

After something like this, it’s natural to worry about your investments. Bank accounts are guaranteed by the Federal Deposit Insurance Corporation (FDIC), but what about brokerage accounts? The short answer is that the Securities Investor Protection Corporation (SIPC) offers some protection against fraudulent removal of investments, but it is limited and designed to protect against loss of cash and securities in the event of a brokerage firm liquidation. Most institutions (including Schwab and TDAmeritrade) offer additional insurance as well. Charles Schwab and TD Ameritrade both offer security/asset protection guarantee programs that will reimburse you for cash or shares of securities lost due to fraudulent activity by an unauthorized third party. These custodians just request that you take proper safeguards, such as keeping your account access information secure and private, maintaining up to date personal contact information, and reporting any suspicious activity or unauthorized transactions immediately.

Still, clients who are concerned about unauthorized access to their accounts can contact their custodian (call Schwab’s security desk at 800-433-9196 or TDAmeritrade at 800-431-3500) to place additional security measures on their accounts. These include:

  • Voice recognition for phone calls and/or verbal passwords. Beyond a simple numerical PIN or passcode, voice recognition systems can verify the identity of those attempting to access accounts by phone. This is far more secure than asking questions like “what street did you grow up on” or “Mother’s maiden name”. 
  • Some custodians are now offering a Two Factor Authentication (security token) system that adds an additional layer of security to clients’ online login password. Whether you choose a key fob (like a remote car key) or a smart phone application which sends a text message to your phone, this will significantly enhance the security of your brokerage accounts since you can’t access your accounts without the special number generator. See this link for more information: https://www.fbi.gov/news/stories/cyber-tip-protect-yourself-with-two-factor-authentication

The suggestions above are intended to help you to understand that you have options available to you to thwart the efforts of these hackers, to protect your assets and to provide you some peace of mind. As always, if you’d like to discuss the security of your finances and your investments, we’re available to help you pick and choose the response that will work best for you. Please give us a call if you have any questions. 

On behalf of the SFG team, we encourage you to stay safe out there!