Stop, Drop, and Freeze
Watching that 3rd rerun of Sports Center? Checking Instagram for the 4th time this hour?
Unless you are doing something urgent, it is probably worth it to set aside an hour or so right now to drastically reduce your chance of losing thousands of dollars and weeks of time. Have you shopped at Target? Home Depot? Or maybe you have health care through an Anthem affiliate? Worse yet, have you started a new line of service at TMobile in the last few years? Actually, do you have a name and have you lived somewhere ever? Those breaches cover a few hundred million people, so chances are some of your credit cards, current or past addresses, birthday, driver's license number, social security number, and more are floating around the internet darkweb somewhere. If they are not already, they will in the near future. Much like the security industry has done, you should transition from believing you can protect your information online to assuming it has already been compromised. While this initially feels debilitating, completing the short checklist compiled below can return some semblance of control and simplify your entire relationship with credit.
Aside from hardening your online presence (stay tuned for a post on this), you should add a 'fraud alert' to your credit file and strongly consider placing a 'freeze' as well. A credit freeze will block anyone from accessing your credit report, preventing most forms of identity theft while also preserving your credit score on failed credit applications. If you like opening lots of credit cards or have immediate plans for a new loan, you can stick with the fraud alerts for now and consider the freeze later.
Here are the TL;DR actions for this post:
Grab your free credit report to make sure everything is still kosher. You can start the process at this government maintained portal. You get 3 free credit reports a year (one from each credit bureau), as well as one from Innovis. So if you pull only one at a time every 3 months you get to check your credit report every 3 months for free indefinitely. Hit the '+' sign at the bottom right of this google calendar to receive a reminder every 3 months: Public Google Calendar for credit report reminders
Make sure to create an online account at the IRS and Social Security Administration benefits websites before a criminal does so in your name and claims your refund and/or benefits. Note: Do this even if you aren't receiving benefits yet.
If you were offered a complimentary identity monitoring service and plan to use it, now is the time to enroll before placing any fraud alerts or credit freezes (upcoming steps). These services are mildly useful for the insurance, but not so much for proactive protection. For example, Experian's credit monitoring service is underwritten by AIG for $1 million.
If you know your SSN or other core personal information has been included in a data breach, place a fraud alert on your credit file (this link will work for Experian, Equifax, and TransUnion), at Innovis (the lesser known credit bureau), and at ChexSystems (used by banks to check your identity). Even if you are not the victim of a breach, if you like the practical idea of someone calling you to verify a new credit card or loan in your name, go ahead and do this anyway. You can choose to do this independently of a credit freeze. While you are at it, remind yourself do this every 90 days right now:
Public Google Calendar for fraud alert reminders
UPDATE 10/01/2018: Companies are now mandated to let consumers place 1 year minimum fraud alerts!
Consider placing a credit freeze at all major credit bureaus (Experian, Equifax, TransUnion), Innovis, ChexSystems, and NCTUE . This will cost around $30 upfront depending on where you live (props to Chex and Innovis for keeping it free), which is worth it compared to identity monitoring services. If you are angry you are charged a fee for protecting your personal information after someone who did not own it gave it away, see the next step. Note: Make sure to use the most up to date mailing address, as you will receive a PIN/password and confirmation in the mail from these organizations once the freeze is applied.
UPDATE 10/01/2018: Companies are now mandated to let consumers place a credit freeze for free!
Consider signing this whitehouse.gov petition so we can have more sensible security breach response requirements.
If you no longer want to get credit card offers in the mail (another way thieves can open lines of credit in your name) opt-out for 5 years or permanently here: https://www.optoutprescreen.com/
If you are using any standard answers (birthplaces, maiden names, previous addresses, etc) for password recovery security questions, change the answer to something more unique (doesn't matter what it is). Do this at all your government, financial, and health related accounts (move on to your other less valuable accounts as you find more time).
Stay tuned for a future post on how to approach security questions used for verification and password recovery.Read through this guide for more information.
Share this post with your friends and family (you should do this for your children or parents) who might also be victims of data breaches. See the links at bottom of page.
All done? Congrats! Well that wasn't too bad was it? You can now return to your regularly scheduled programming of 'Sports Center reruns and chill' or Instagram stalking. If you feel like reading more about the Experian breach and their response however, continue reading part 2 of this blog post here.
The U.S. Public Interest Research Group has officially recommended the same 'freeze first' approach described above.