It was announced last week that Equifax suffered one of the largest security breaches in US History. While the breach was just announced, Equifax is reporting that they became aware of the breach in late July and that the breach was likely ongoing from May to July 2017. In other words, you may have already been exposed for weeks, if not months.
Your default assumption should be that, assuming you have a pulse and a credit card in your name, that your data has been compromised. Now the primary question that needs to be answered is - what should you do now to protect yourself?
This time, it's different
There have been security breaches in the past. In 2013 Target experienced a breach in which 43 million credit cards numbers were stolen. In 2014 Home Depot experienced a similar breach in which 50 million credit card numbers were stolen. Those were big, but the fix was relatively simple - anyone who had a compromised credit card was simply issued a new card. If you were impacted it was annoying, but the impact was relatively contained.
It is our belief that there were other lesser known results of these breaches. For one, banks finally adopted the "chip card", that has technology designed to reduce future breaches such as those at Home Depot and Target. For another, it created a standard playbook for data breach crisis management that included free credit monitoring services. Finally, and probably the most worrisome, was that it started us down a slippery slope process of desensitization to data breaches.
In exploring why this time is different, we will use the metaphor of a hole, and describe why this hole is bigger than any data breach hole we have seen before. To start, we simply look at the numbers. The number of credit files compromised in this breach is 143 million. That's almost three times the size of the Home Depot breach. That is almost half of every living American. That represents approximately two out of every three Americans with a credit history. By almost any definition, that is a pretty wide hole.
The real problem in the Equifax case, and why this hole is so deep, is that the database that was breached has a lot more data than just credit card numbers. The breach reportedly involved an extensive amount of information. This is taken directly from the Experian press release: "The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers."
If it has not sunk in yet, those data points are the building blocks of credit history. In addition to the obvious things like applying for credit cards and loans, this is short list of things that a credit history check can be used for:
- A credit check is part of the validation mechanism used by a brokerage firm like TD and Schwab to validate account holders when new accounts are opened.
- Credit history is part of the identity validation process in electronic signature systems like DocuSign
- The Social Security Administration credit history data to control access to your benefits online
- If you apply for TSA Pre, they check your credit history
- A credit check can be run when you apply for a job
- Credit checks can be run when you apply for insurance
This list is the reason why this time is different - the information that was stolen will never change, and therefore the ripple effects of this breach may be felt for years, if not decades. This has the potential to change the very nature of identity validation in this country. It is a very deep, and very wide hole that Equifax has dug. Not just for itself, but for all of us.
What now? A call to action!
We would strongly encourage all readers to consider your next steps very carefully. This is your call to action.
What now? There are basically two strategies available to you: monitor and freeze.
Monitoring - the 411
Your first and most obvious option is to monitor your credit. You can, and should, review the charges that appear on your credit card statements on a regular basis.
The next step of monitoring is to look at your credit report. You can access your credit report once per year, per bureau, for free. The power of this is that you can see your entire credit history - everything that the agencies know about you is in there. The frequency with which you can check your history is the issue here - checking only once a year can leave big gaps in this monitoring strategy.
The next level of monitoring is to subscribe to a service that will monitor your credit history on your behalf. There are different levels of monitoring that you can pay for, and can alert you about things like new account openings and suspicious activity.
Equifax has offered this service to those affected - but only for one year. One year of monitoring for this breach is simply not sufficient. As of this writing, Equifax has not announced how they will roll the program out.
In case you are leaning in the direction of monitoring alone, consider this cautionary tale. You may remember the advertisements from a few years ago, in which the CEO of one these credit monitoring services prominently published his Social Security Number. "I'm so confident in our service, that here is my Social Security Number - I invite hackers to try and steal my credit". It turns out that they took him up on it, and the CEO later disclosed that his identity was stolen 13 times before the advertising campaign came to an end. As if to foreshadow what we might expect from the Equifax breach, you can still easily find his Social Security Number a decade later, and we have to assume he has by now frozen his credit.
Freeze out the bad guys
Depending on your situation, you may want to go to the next level, which is to freeze your credit. The biggest consideration here is your need for credit in the short term. If you do not have any short-term plans to finance a home or car, or to apply for a new credit card, you should consider freezing your credit history. If you are shopping for a home or for a car, you may have to forgo this level of protection (at least for the time being).
It is worth noting that the agencies do not want you to freeze your credit file. If everyone froze their credit file, then there would be no "product" to sell (the product being credit validation and credit scores against your credit history). To freeze your credit is to say "no one can open an account using my credit history because it is frozen". The process of freezing your credit is, while not simple, also not hard. You can freeze your credit history at all three major credit bureaus in about an hour. All three processes are slightly different; all three have a slightly different process to remove the freeze.
The good news of freezing your credit is that, should you need it, you can always remove the freeze later. There may be road bumps along the way - freezing your credit may have a downstream impact that you cannot envision today, and it will almost certainly lead to higher "transaction friction" (i.e. it harder to get instant credit instantly). However, we think the tradeoff is well worth the effort and the potential hassle.
The Federal Trade Commission (FTC) has a good FAQ on freezing your credit.
Below are the links to freeze your credit at the three major agencies, as well as a lesser known fourth:
A note on Fraud Alerts
Should you become an actual victim of identity fraud, where you have documented an incident where a third party opened an account in your name, there is one additional course of action available to you. You can contact the credit bureau and put a "fraud alert" on your account. The fraud alert is intended to raise a red flag whenever credit is applied for.
What is SVWA doing?
We recognize that all of this can be very scary. There are a couple of things that we are doing internally to help protect clients. The first is that we started a program in early 2017 to create secret passphrases and codes for certain transactions. We monitor our clients' accounts diligently looking for any unexpected activity.
We partner with TD Ameritrade and Schwab who are working on next-generation technology that includes voice recognition, facial recognition (for phone applications), and two-factor authentication strategies (2FA).
This is a significant data breach that affects two out of every three Americans with a credit history. The nature of the data involved in this breach may cause this issue to remain with us for years to come. At the very least, you should step up your diligence in monitoring your existing accounts. We highly recommend that you consider additional security measures above and beyond casual monitoring, including putting a freeze on your credit history at the reporting bureaus.
The information contained in this post represents the general opinion of Silicon Valley Wealth Advisors. Nothing contained within this post (including any content we link to or other 3rd party content) constitutes a solicitation, recommendation, endorsement, or offer to buy or sell any securities or other financial instrument. No advisor/client relationship is created by your access of this material.
In preparing this material, we have not analyzed the investment objectives, financial situation, or the specific needs of any person. We do not suggest that any strategy described herein is applicable to any client portfolio managed by Silicon Valley Wealth Advisors. Before making an investment decision, you should discuss with a professional financial advisor, whether the information provided in this material is appropriate considering your specific investment needs, objectives, and financial circumstances.
This information reflects our subjective judgments and assumptions, without regard to unanticipated market or other events that may occur. Therefore, there can be no assurance that events will unfold as discussed, or at all. This material reflects the opinion of Silicon Valley Wealth Advisors on the date made and is subject to change at any time without notice. Equally, Silicon Valley Wealth Advisors has no obligation to update this material on any given timetable, or at all. Silicon Valley Wealth Advisors does not warrant the accuracy of the materials provided herein.