Equifax response to data breach leaves many consumers confused

Key Points
  • Locking your credit report at Equifax still leaves those at TransUnion and Experian exposed.
  • Putting a fraud alert on your credit report is free and is good for 90 days.
  • Experts say it's best at this point to assume your information was hacked.

It looks like consumers will need more than a little assistance from Equifax if their personal data was compromised.

For starters, an Equifax webpage dedicated to alerting consumers if they are among the 143 million potentially affected by the breach is causing a great deal of confusion among people hoping for a definitive answer.

Equifax apparently took about 40 days to inform consumers about its data breach and now it is asking consumers to wait another five days to enroll in its free identity theft protection offering.

Users who enter their last name and the last six digits of their Social Security number receive a message intended to let them know if they have cause for concern. While some users have reported receiving a definitive no, other less-than-clear responses have left some people scratching their heads.

Given the size of the breach, representing 44 percent of the entire U.S. population, experts say that at this point, people should just assume their information was compromised.

"Do your own due diligence to see if there has already been any damage," said Matt Schulz, senior industry analyst at He recommends getting your credit reports from all three main credit reporting companies, checking bank and credit card statements and reporting any anomalies.

Equifax did not respond to a request for comment Friday.

In addition to the website issues, the solution being offered by Equifax may do little to prevent fraudsters from opening new credit lines in a victim's name.

The company's identity theft protection and credit file monitoring allow you to put a lock on your Equifax report to prevent it being pulled by a lender, among other services. Yet some lenders turn to the other two national credit reporting companies, TransUnion or Experian, when they receive credit or loan applications.

"The problem is that the service Equifax is giving away only allows you to lock down Equifax, not the other two," said John Ulzheimer, a credit expert and president of The Ulzheimer Group in Atlanta.

While Equifax typically includes fine print in its monitoring-service agreement that requires consumers to resolve disputes through arbitration, the company is excluding that clause for consumers whose information has been compromised.

In other words, if you sign up for the service and think Equifax runs afoul of your agreement, you have the right to sue or join a class-action lawsuit. Same goes for any company wrongdoing related to the cybersecurity incident itself, according to a statement on the Equifax website.

Putting a lock on a credit report basically means a lender cannot access it to check on your credit score or history, which generally means they won't approve the application. You can unlock it temporarily if you need to apply for credit or a loan.

Ulzheimer said you would need to put a lock on your reports from TransUnion and Experian to cover all your bases.

Putting a lock on your credit report — and unlocking it — typically comes with a fee ranging from $5 to $10, according to the Federal Trade Commission.

Alternatively, you can put a 90-day fraud alert on your credit reports, which is free. To do this, you only need to alert one credit reporting company, which in turn is legally obligated to share that alert with the others.

"The alert means that any lender has to contact you and verify that you're the one applying and it's not fraudulent," Ulzheimer said.

Data exposed in the breach, which was discovered July 29, include names, birth dates, Social Security numbers, addresses and some driver's license numbers, according to the company.

"Those types of personal data are the crown jewels for fraudsters," Ulzheimer said.

— CNBC's Kelli B. Grant contributed to this report.

(This story was updated on Monday, Sept. 11 to reflect a change in the Equifax terms of its monitoring-service agreement.)