If you’re hoping to just ride out the Equifax breach scandal and do nothing about it, you might not have a problem next week or next month. Or even next year.
Since the credit reporting company Equifax EFX, -2.35% announced last Thursday it had been affected by a data breach earlier in the summer that potentially affected 143 million U.S. adults, consumers have had many questions about how to protect themselves. Some have not even been able to freeze their credit reports, as security experts have suggested, because Equifax and the other two credit bureaus TransUnion TRU, -1.35% and Experian EXPN, -4.83% have been overloaded with calls and credit-freezing requests they were unable to handle.
As a result of frustration, or maybe naiveté about the risks, some have decided to stop trying. “You can do nothing, and then you’ll be a sitting duck,” said Adam Levin, a consumer advocate and chairman of security firm CyberScout. “If you could do something preventative, as opposed to ending up in the hospital and having to do something reactive, wouldn’t you rather do something preventative?”
If you don’t take any steps? This is what could happen:
Financial identity theft
Because the Equifax credit reports contained so much personal information, including Social Security numbers and financial account information, fraudsters could use the report for reasons including new account fraud, medical identity theft — using insurance information to have a medical procedure, which can create confusion on the true insured person’s medical file for years — or tax fraud, Levin said.
The fraudster could open credit cards and start utility bills in your name, which would go unpaid, and into collections, which could ruin your credit score, said Adrian Nazari, the founder and chief executive of Credit Sesame, a credit monitoring service. As a result, it could become difficult to be approved for home loans, car loans, jobs and desirable interest rates in the future, he said.
Bloomberg reporter Drew Armstrong wrote this week about his experience when his identity was stolen, which took three years to resolve. In the meantime, the man posing as Armstrong opened accounts in his name at Wells Fargo and went to the Delano Hotel in Miami Beach.
Fraud affected some 15.4 million consumers in 2016, or roughly 6.15% of all consumers, up 16% from 5.3% of consumers in 2015, according to Javelin, a security firm, in a report sponsored by security company LifeLock (which obviously has vested interest in the findings.) The mean amount it cost per fraud victim was $1,038, according to Javelin.
Incidents of new account fraud have risen especially quickly, Javelin found, because so much personal information has been compromised in data breaches over time. New account fraud also takes the longest to resolve, said Al Pascual, a senior vice president and research director at the security firm Javelin. “If you don’t take steps to actively protect your identity, you’re basically playing Russian roulette,” Pascual said.
Criminal identity theft
The fraudster could even commit a crime and turn in fraudulent identification information, which could mistakenly give you a criminal record.
That’s what happened to Jessamyn Lovell, an artist whose identity was stolen when she lost her wallet in 2011, in the San Francisco Bay area. She didn’t realize what had happened until a year later, when the woman who stole her driver’s license checked into a hotel under her name. It seemed fishy to San Francisco’s Financial Crimes unit, which alerted Lovell.
It took years to track down and prosecute the woman; Lovell even had to hire a private investigator. By the time the whole situation was sorted out, the fraudster had shoplifted at Whole Foods, and Lovell had to fly to the Bay Area to appear in court (she had since moved to Albuquerque), to explain it wasn’t actually her.
Now, Lovell is training to become a private investigator herself, and she encourages anyone who suspects fraud, even a small credit-card charge, to report it right away. “It’s easy to miss or dismiss,” she said. “Get it taken care of.” Of course, preventing those situations from happening, if you’re able to, is even better, she said.
Many victims don’t have the time and money to sue
Some consumers have said they would prefer to just sue Equifax in the future, in a class-action suit or small claims court, if they have problems because of the breach, Levin said, but that would come with its own problems. An attorney could charge thousands of dollars, he said. “It’s not easy to do, and it’s time consuming,” he said. “You have to give up part of your life to do something like that.”
Some consumers have already joined class-action suits, even before they have experienced fraud because of a breach, because of the risks involved. At first, Equifax banned consumers from suing in its terms of service, but it has since clarified that consumers can sue because of the breach.
Your data may have already been breached
At an absolute minimum, consumers should check their financial accounts, credit reports and credit score frequently, Nazari of Credit Sesame said. But putting a freeze or fraud alert on an account is strongly recommended, he said. Fraud alerts won’t prevent fraud from happening, but can let a consumer know when something looks suspicious, and they can follow up with the appropriate financial institution after.
There is already “an enormous amount” of personal information on the internet, including a breach at the Internal Revenue Service in 2015 and at the insurance company Anthem, also in 2015, said Frances Zelazny, the vice president of global cybersecurity company BioCatch. It’s possible the information the hackers previously had was outdated, and they could add more detail to a fraudulent profile if they’re able to add new information from Equifax, Zelazny said.