Equifax Hack: Facts, Myths & Protection

September 26, 2017



Equifax hack: Facts and myths

Following this month’s Equifax breach affecting 143 million people, rumors began swirling around the details of the hack. It’s not only important to take action and freeze your credit at the credit reporting bureaus, but also to understand, amid all the media squall, what’s true and what’s false concerning this event.

Let’s examine some of the “rumors” swirling about the Equifax hack.

If you sign up for Equifax’s credit monitoring system you waive your right to sue

MYTH (now): When the hack was first announced, Equifax included some confusing fine print in the details of their credit monitoring system, TrustedID. The statement implied that consumers who opted into the free credit monitoring offered by Equifax were giving up any right to sue the company on their own or as part of a class action lawsuit.

At the time we first reported details of the breach, we too were under the impression that opting in to TrustedID limited your right to legal action. Since then, Equifax has clarified the language, and those enrolled in TrustedID still have legal rights. However, as we have previously explained, credit monitoring does not protect you from identity theft. Freezing your credit is the best option.

Outdated software used by Equifax caused the breach

FACT: Experts are now reporting that hackers were able to infiltrate Equifax’s system through a flaw in Apache Struts software. In March of 2017, Apache discovered a vulnerability in the program and released a patch the same day.

Hackers first gained access to Equifax’s network in May, meaning that the company left the software unpatched for at least two months. At this point, Equifax has not made a statement on why the software was left outdated.

Take a lesson from Equifax and be sure to always update your software. Outdated software leaves you vulnerable to hacks and puts your security at risk. It’s best to update your software as soon as you are notified—better yet, set up auto-updates so you don’t have to worry about it.

Signing up for Equifax’s credit monitoring will keep my identity safe

MYTH: Credit monitoring is not a comprehensive identity theft prevention method. These programs alert you after credit has been taken out in your name. If the credit wasn’t taken out by you—there’s still a mess to clean up.

Instead you should sign up for a credit/security freeze. This action locks down your credit file with PINs that only you know. No new credit can be issued unless the freeze is lifted at the bureaus.

You can learn more about the details of setting up a security freeze here.

Over 200,000 credit cards were stolen in the hack

FACT: In addition to the 143 million personal records, hackers were also able to download credit card data of 200,000 people. The data included credit card numbers, names, and expiration dates of consumers who had provided their credit card info to Equifax between November 2016 and July 2017.

Be sure to monitor your credit card statements for any strange charges. For the ultimate protection, sign up for automatic text or email alerts on your credit and bank cards. Doing so will set off a text or email message anytime a charge is made on your account.

The details on the Equifax hack are still developing, and we will likely learn more details in the coming months. Again, for now, be sure to protect yourself from this breach and future breaches with a security freeze.

Be sure to keep an eye out for potential scams following this hack. Phishing emails may be on the rise as hackers take advantage of people’s fears surrounding this news.

What Can I Do To Protect Myself Against Identity Theft?

Following is a reminder of the different steps you can take to protect yourself against identity theft. Remember, there is no guarantee! A credit freeze will not protect you against identity theft 100%. But a credit freeze along with the following steps will make you a less ideal target and give you added layers of protection. This list is long – it is not meant to overwhelm you but to inform and educate you.

1. Credit Freeze: A freeze blocks anyone from accessing your credit reports without your permission—including you. This can usually be done online, and each bureau will provide a unique personal identification number that you can use to “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Another advantage: each credit inquiry from a creditor has the potential to lower your credit score, so a freeze helps to protect your score from scammers who file inquiries. 

See our previous newsletter regarding details on placing a credit freeze at each of the major credit bureaus.

Placing the credit freezes can be burdensome, and it can be more involved (difficult) for some. You can place a credit freeze on your file online, by phone, or via mail. But we do believe this is a critical step in protecting yourself.

Remember that each person in your household has an individual credit file, and a credit freeze needs to be put in place per person (or Social Security number). Placing a credit freeze on a husband does NOT include his wife, even if all of their accounts are held jointly.

Don’t forget about your kids, especially minors! Minor children can be easy targets because their credit file is not typically monitored. It can be years before identity theft is discovered for a child, and by then the damage has been done. At this time, it appears that the only way a credit freeze can be placed on a minor’s file is to MAIL in the request with the required documentation. Check out this article regarding Child Identity Theft.

Finally, yes, there is a 4th credit bureau, Innovis. Unlike the big three credit reporting agencies (Equifax, Experian, and TransUnion), Innovis does not sell credit reports. For that reason, it is not always mentioned when discussing a credit freeze. Some argue that it is not totally necessary to set up a credit freeze at Innovis. We want you to do the smart and prudent thing without becoming overwhelmed, so do what you feel is best.


2. Monitor Your Credit Report: Under federal law you’re allowed to request a free copy of your credit report once a year from each of the three credit reporting agencies: Equifax, Experian, and TransUnion—at www.annualcreditreport.com. By rotating among the agencies, you can spread this out over the year to consistently monitor your credit (request a report from a different agency every 122 days). Look for suspicious accounts or activity that you don’t recognize—such as someone trying to open a new credit card or apply for a loan in your name. If you DO see something, visit http://www.Identitytheft.gov/databreach to find out how to mitigate the damage.

3. Two-Factor Authentication: Many sites now offer two-factor authentication when logging into accounts. For example, when logging into a site with two-factor authentication enabled, a code will be sent to your phone that you must enter after your password to gain full access. In order to log in, you must have your password and a special code that is changed every time. If a hacker successfully guesses your password but does not have your phone, they cannot get into your account. Currently, sites such as Gmail, Facebook, Dropbox, Twitter, and more offer this service. Many banks and credit card companies offer this service for online use as well.

4. Set Text or Email Alerts for Bank Accounts and Credit Cards: What if you could know exactly when money was leaving your accounts like the banks and credit card companies do? You could catch fraud as it is happening and limit your losses.

You can do this, actually. The majority of major banks and credit cards allow you to sign up for text or email alerts that are sent to you anytime money leaves your account or a charge is pushed through. If you receive an alert for a purchase or withdrawal that you did not make, you know right away to contact your financial institution and alert them of the fraud.

Often, you determine the dollar amount that triggers an alert. For example, you can choose to get notified only for charges that exceed $200. It’s best, however, to set that dollar amount as low as possible. Thieves commonly test accounts with small purchases and the sooner you catch them, the less damage they can do.

To enable these instant alerts on your account, log in or create an online account at your bank and credit card companies. If you have trouble finding the alert settings on your account, contact your institution’s customer service for assistance.

5. Monitor your existing credit card and bank accounts closely: A credit report won’t tell you if there’s been money stolen from a bank account or suspicious activity on your existing credit card. Unfortunately, you’ll have to turn this into a habit. In most cases, theft happens over time, starting with small amounts stolen from across your accounts.

6. Create a Secret Email Address for Your Financial Accounts: Our personal email addresses have become a key to our lives on the Internet. We enter them into countless databases when we sign up for newsletters, create new accounts, and order items online. We don’t think twice about giving out our email address.

But if we use that same email address for our online banking and credit card accounts, we’re putting our finances in danger. If one of those various databases is hacked we’re essentially handing half of our financial account credentials over to the hackers.

Make the hackers’ job harder by creating a “financial-only” email address that you use just for your online financial accounts. This secret email should not reveal anything about you. Make your username (the part before the @ sign) something generic that does not reference your name, initials, or other identifying information. Of course, create a strong password and use two-step verification on your account.

7. Credit Monitoring Service: Many Americans have opted to sign up for a credit monitoring service, which won’t prevent fraud from happening, but WILL alert you when your personal information is being used or requested. In most cases, there is a cost involved, but Equifax is offering a free year of credit monitoring through its TrustedID Premier business, regardless of whether you’ve been affected by the hack. It includes identity theft insurance, and it will also scan the Internet for use of your Social Security number—assuming you trust Equifax with this information after the breach.

8. Opt Out of Pre-approved Credit Offers: ID thieves like to intercept offers of new credit sent via postal mail. If you don’t want to receive pre-screened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years by calling toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visiting www.optoutprescreen.com.

Or you can opt out permanently online at www.optoutprescreen.com. To complete your request, you must return a signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.

9. Fraud Alert: If you are a victim of identity theft or suspect you may be, you can put a fraud alert on your credit file, for free, by contacting one of the credit agencies, which is required to notify the other two. This will warn creditors that you may be an identity theft victim, and they should verify that anyone seeking credit in your name is really you. The fraud alert will last for 90 days and can be renewed.

10. File your taxes early: As soon as you have the tax information you need, file your return - before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

Do not make the mistake of thinking “It won’t happen to me” when it comes to Identity Theft! Widespread, significant hacks have been and will continue making news headlines. While you may not be able to ensure this will never happen to you, you do have the power to improve your protection – but YOU need to take action to do so!

Good luck!





Edward J. Kohlhepp, Jr., CFP®, MBA



Edward J. Kohlhepp, CFP®, ChFC, CLU, CPC, MSPA

Founder & CEO











Horsesmouth Savvy Cybersecurity
