But it is by far the worst.
That's partly because Equifax--a "credit bureau" devoted to stockpiling all the information they can on each of us--allowed so much of that information to get stolen at once. The gatekeeper of our credit histories opened the gates to credit thieves. (Was there ever a better use for the "You had one job!" meme?)
This breach is also the worst because the company's response has been so abysmal.
Let's start with how long it took Equifax to alert customers: six weeks from late July, when it found out about a breach that started in May. (That's only good compared with Yahoo, victim of the largest data breach to date.) Adding insult to injury, three of Equifax's top executives, including its CFO, sold $1.8 million worth of their company stock in the days after the breach. Equifax says those executives had not yet been alerted to the breach, but it's not a good look.
Let's proceed with the lackluster methods that Equifax has used to communicate with customers. Like 143 million other Americans--almost 75 percent of Equifax's customers--I've discovered that my personal information was "potentially impacted" by the breach. But I haven't been alerted to that fact by any proactive Equifax communication.
No, instead I had to read about the Equifax hack online, find the link to the "scammy-looking" web page the company has set up for affected customers, give Equifax my last name and part of my Social Security number (information Equifax has; information Equifax allowed to get stolen), and wait for them to tell me that my data might-maybe-it's possible-just a chance have been exposed in its breach.
Then, the crowning insult: Equifax will give me some free protection--against itself--if I remember to come back and sign up for its own product next week.
"Please be sure to mark your calendar as you will not receive additional reminders," the Equifax website snootily informed me.
Equifax did not immediately respond to a request for comment.
I've never been so grateful to already be a victim of identity theft. Getting my identity stolen last year in my own company's data breach was exhausting, and enraging, and I had never before felt so powerless for such a prolonged period of time. (Well. Until the most recent elections.)
That was bad: days lost to paperwork, hours wasted on hold with the IRS, a morning spent filling out paper forms in a police precinct...only to watch the police officer I gave them to proceed to fill out a second set of paper forms, and then inform me that I could get a copy of my report in several weeks. By mail.
But exhausting and tedious as the paperwork of victimhood became, the experience had the net effect of forcing me to jump through all the hoops I'd otherwise just now have to start thinking about.
These are the ones I'd recommend for anyone "potentially impacted" by this newest breach:
- I've already signed up for credit-monitoring services (not through Equifax); I'll probably become a lifetime customer, now. This Wall Street Journal guide has a good rundown of the risks and benefits of such services, as well as other steps you can take to keep an eye on your financial and credit information.
- I've already run the paperwork gauntlet of requesting a credit freeze, meaning no one can apply for a new loan in my name without the creditor getting in touch with me and asking me to lift the freeze.
- But getting the credit freeze required a police report, which I could only get after criminals tried to take out new loans in my name. Until and unless that happens to you, you can at least put 90-day "fraud alerts" on your information at the three bureaus (Experian, TransUnion and, yes, Equifax). A fraud alert is a milder version of a freeze; it won't stop a determined criminal from getting a loan in your name, but it might slow them down.
My credit freeze is good for seven years; I'm a bit daunted by the thought of going through the process of re-applying, but Equifax has probably made it necessary. As the Wall Street Journal understated, "for consumers the theft [of] uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect."
In other words, to my 143 million fellow Americans, welcome to the unbearable exhaustion of getting hacked.