- The Equifax breach could affect 143 million consumers.
- Data stolen include names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers.
(Update: Since publication of this story, Equifax has updated the language on its website (www.equifaxsecurity2017.com) to make it clear that no consumer will be required to waive his or her legal right to a class action lawsuit as a condition for enrolling in the company's free credit monitoring and identify theft protection products.)
Don't be so quick to sign up for free credit monitoring from Equifax.
The company announced late Thursday that it had suffered a breach potentially affecting 143 million U.S. consumers.
"The first assumption a consumer should make is that they are affected," said Neal Creighton, chief executive of security firm CounterTack.
Exposed data includes names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers, Equifax said in its announcement. The breach also compromised credit card numbers for 209,000 consumers, and dispute documents with personal identifying information for 182,000 consumers.
"That's everything an identity thief would need," said Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security.
Consumers can check Equifax's site EquifaxSecurity2017.com to see if they have been affected. (Be warned: Consumer advocates say the system is confusing). The company has also said it will send direct mail notices to consumers whose credit card numbers or dispute information were compromised.
But while you should check to see if you're affected — and take other steps to protect yourself — experts say there are reasons to think twice before you take the next step of enrolling in the free "Trusted ID Premier" service the company is offering. (Equifax did not immediately respond to requests for comment.)
By agreeing to the terms and conditions for Equifax's monitoring, you may be giving up key consumer rights.
In a statement, the National Consumer Law Center warned consumers of fine print in the agreement that requires them to settle disputes through arbitration, and bans them from participating in class-action lawsuits. (There is already a class-action lawsuit in play, accusing Equifax of failing to adequately secure consumers' information.)
The fine print does give consumers the ability to opt out by notifying the company in writing within 30 days, Chi Chi Wu, a staff attorney for the National Consumer Law Center, said in the statement.
"However, most consumers will not see that fine print and will be forced to give up their access to the courts," she said.
New York Attorney General Eric Schneiderman announced Friday that he had launched an investigation into the Equifax breach. On Twitter, Schneiderman said the fine print language was "unacceptable and unenforceable," and that his staff had already reached out to Equifax about it.
Monitoring your credit is a typical first to-do after a breach — "but it's the credit monitoring agency that just got breached," O'Leary said.
O'Leary and Creighton both suggested consumers weigh paying for a third-party service like IDShield or LifeLock, if they want credit monitoring. Independent monitoring companies track more than your credit file to spot suspicious activity — which is key, considering that it's unclear if the attackers manipulated or changed Equifax's database, Creighton said. The paid services also typically bundle in assistance to help victims handle credit problems.
"I hate to tell people to sign up for things that cost money," O'Leary said, "especially when it's not their fault they've been compromised."
Equifax's offering — more than a month after the company discovered the breach, and several months after thieves began accessing the data — may come too late for consumers.
Thieves tend to sell and use such data quickly to capitalize on its value, Creighton said. In a Federal Trade Commission study from earlier this year, researchers found that thieves began to use stolen data within minutes of it being posted online.
"They probably already started using it," he said.
Check your existing credit accounts for suspicious transactions, and pull credit reports from AnnualCreditReport.com to check for new accounts in your name, Matt Schulz, senior industry analyst at CreditCards.com, said in a statement.
But you'll also need to keep watching: Thieves could easily make use of the stolen data for years.
"When breaches like these happen, consumers need to be diligent — and not just in the short term," Schulz said. "Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised."
Join CNBC, the Aspen Institute and the most influential cybersecurity players from government, business and tech at the Cambridge Cyber Summit, Oct. 4 in Boston.