Many companies featured on Money advertise with us. Opinions are our own, but compensation and
in-depth research may determine where and how companies appear. Learn more about how we make money.

170919-equifax-hack-questions
Trading information and the company logo are displayed on a screen where the stock is traded on the floor of the New York Stock Exchange (NYSE) in New York, September 8, 2017.
Brendan McDermid—Reuters

Last week Equifax announced that the personal information of 143 million Americans was potentially compromised in one of the largest data breach's in U.S. history. Since then, millions of consumers have been left with unanswered questions about how they may be impacted and what, exactly, the hackers got away with.

While plenty of details are still cloudy, here's what we know so far, and what you can do to protect yourself.

What Accounts Could Be Compromised?

Hackers got away with a ton of information in the breach, and the consequences could be far-reaching for many Americans. While many experts have advised people to freeze their credit reports in the aftermath, actually many types of accounts are at risk. "A credit freeze will only block the opening of a new account," says Howard Tischler, co-founder and CEO of EverSafe, which offers identity theft protection services. "What about an existing account, or your bank account, or investing accounts? The credit freeze only affects accounts that have to do with credit."

Potentially, fraudsters could:

  • Open credit cards in your name
  • Open utility accounts or in your name
  • Open loans (like payday loans)
  • Commit insurance fraud
  • Take out a mortgage in your name
  • Steal your tax return
  • Steal your Social Security benefits
  • Access your Medicare benefits
  • Access your investments (including your 401(k) and other retirement accounts)
  • Acquire a SIM card in your name

Essentially, think of any type of financial account you have or could have. If you use your Social Security Number to sign up for or access it, it's at risk.

How Long Should I Be Worried About This?

A long, long time. According to experts, it's no longer a matter of if your information was stolen, but when it will be used. "Unfortunately this is a breach that could have lifelong impacts, which I don’t think anybody wants to hear," says Jocelyn Baird, an associate editor at NextAdvisor.

The magnitude of this hack means consumers will have to be proactive for the foreseeable future about monitoring their credit, bank accounts, and identity. Right now, hackers may be lying low, but as soon as it's been long enough for people to start feeling comfortable again (or for Equifax's free credit monitoring service to expire), they will likely strike.

"The data has a long shelf life," says Tischler. "Things like your Social Security Number, name, and birthday don’t change over time. So you should always be on the lookout."

And Baird points out that some things, like loans, may not appear on your credit report right away. It's all dependent on when the creditor reports them, if they report them at all, or if they go into collections. Plus, not all creditors report to all three agencies (TransUnion, Equifax, and Experian), which is why it's important to check each of your credit reports annually, at least. You could miss things if you only check one or two.

In other words, proactively checking your credit reports, bank accounts, and investments for fraud or suspicious activity should be part of your financial routine in the 21st century.

What Are the Alternatives to Equifax's Credit Monitoring Service?

If you are wary of using Equifax's offered security measures (and who isn'?t), there are other free services you can look into to monitor your credit. Credit Sesame, for example, offers free credit monitoring and ID theft protections. Additionally, Credit Karma and Clarity Money are useful (and free) apps that track your credit reports and alert you when something is potentially wrong. Your bank may also offer free credit alerts and changes to your score, so look into that.

However, as Tischler pointed out, this hack will go well beyond your credit. So consider purchasing more comprehensive security systems, such as LifeLock, Identity Guard, or EverSafe, which monitor your reports from all three credit agencies, but also comb the dark web for your information (the "dark web" is where hackers and fraudsters sell your information) and keep tabs on your investment and bank accounts.

"If you take advantage, a lot of them will offer 30 days free and that’s a good way to get in and see what information they provide and monitor, and if you like the website," suggests Baird.

This can all be time consuming, but as Tischler says, the time and money involved in rectifying identity theft is much more costly.

"People need to take responsibility for themselves," he says. "Granted, you would like Equifax to be better caretakers of your information, but at the end of the day the information is out there."

What Are the Consequences of Freezing My Credit Accounts?

Experts have recommended freezing your credit at the three main agencies (Equifax, Experian, TransUnion), which prevents them from providing your credit history to potential creditors (and therefore prevents scammers from using your ID to open credit cards, take out mortgages, etc.). If you do this, the main consequence is that you will not be able to immediately qualify for a new credit card or apartment yourself—instead you'll pay a fee (which varies by state) at each of the bureaus to unfreeze your reports. Freezing your credit will not impact your score.

People are understandably upset that Equifax could make money off of their own misdeeds. Given how much more identity theft would likely cost you, however, this is well worth the price. (The company tweeted that it intends to refund customers who paid for an Equifax Security Freeze after the breach was publicized.)

If hackers used your information before you put a freeze on your accounts, freezing them will not be able to prevent damage. But it allows you some peace of mind going forward.

What Can I Do Besides Freezing My Accounts?

Beyond freezing your credit accounts, there are many other steps you can take. As noted, you're going to want to pay special attention to your bank account, credit card statements, and tax refunds. You can place a fraud alert (and extended fraud alert) on your credit reports. "Fraud alerts are less stringent," says Baird, who prefers a full freeze to alerts. "They are also only good for 90 days and then you have to renew them."

Additionally, always turn on two-factor authentication when available (which requires users, for example, to enter a code texted or emailed to them in addition to a password) and consider resetting your passwords.

Can I Sue Equifax?

There was a minor controversy when the breach was first announced, and users noticed that signing up for Equifax's TrustedID Premier might waive their right to participate in a class action lawsuit against the company. Equifax has since said the arbitration clause does not apply to those who sign up for TrustedID Premiere after the breach (though lawyers say it could be trickier in court).

There have been at least 23 class action lawsuits filed against Equifax, USA TODAY reports, and you may also be able to file a lawsuit in a small claims court.

For more information on how to protect yourself, visit the CFPB's website.

So What's Congress Doing About This?

Democratic Senator Elizabeth Warren was quick to jump on the Equifax scandal—as soon as it was made public, Warren began demanding answers and culpability from the company, and she and fellow Democratic Senator Brian Schatz of Hawaii introduced the Freedom from Equifax Exploitation Act, which would make it free to freeze and unfreeze all three credit reports, though it does not appear to have picked up much steam in the Republican-led Senate.

Several Congressional committees have scheduled hearings, including the Democrats of the House Committee on Energy and Commerce, which sent Equifax a letter with questions about the breach (its hearing is reportedly being planned for sometime in October). Additionally, 40 states have launched a probe into the breach.

Ironically, Republicans are currently drafting bills that would deregulate credit agencies. Rep. Barry Loudermilk (R-Ga.)'s FCRA Liability Harmonization Act, for example, would "cap actual and statutory damages for class actions involving credit agencies at $500,000, and completely eliminate punitive damages," the Los Angeles Times reports.