To protect yourself in the wake of the Equifax data breach, presume the worst.
"The first assumption a consumer should make is that they are affected," said Neal Creighton, chief executive of security firm CounterTack.
Equifax announced late Thursday that it had suffered a breach potentially affecting 143 million U.S. consumers.
(For perspective, the entire U.S. population in July 2016 was roughly 323 million, according to Census Bureau data. That includes more than 249 million people over age 18 — i.e., those most likely to have a credit file.)
"That's significantly over half of the U.S. adult population that probably had their information taken," said Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security.
Exposed data includes names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers, Equifax said in its announcement. The breach also compromised credit card numbers for 209,000 consumers, and dispute documents with personal identifying information for 182,000 consumers.
In a statement, Mike Litt, consumer advocate at the U.S. PIRG Education Fund, called the breach "beyond troubling."
"The types of stolen information, including Social Security numbers and dates of birth, can be used to commit new account identity theft against all of these people," Litt said. "Additionally, stolen credit cards affecting over 200,000 people in this breach can also be used to commit existing account identity theft."
Consumers can check Equifax's site EquifaxSecurity2017.com to see if they have been affected. (Be warned: Experts say the system is confusing, and there are reasons to be cautious about signing up for credit monitoring there.) The company has also said it will send direct mail notices to consumers whose credit card numbers or dispute information were compromised.
But there are other steps to take, quickly. (See infographic below.)
Check your existing credit accounts for suspicious transactions, and pull credit reports from AnnualCreditReport.com to check for new accounts in your name, Matt Schulz, senior industry analyst at CreditCards.com, said in a statement. And keep watching.
"When breaches like these happen, consumers need to be diligent — and not just in the short term," Schulz said. "Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised."
Equifax reported that the unauthorized access occurred between mid-May and July, and was discovered July 29. Thieves tend to sell and use such data quickly to capitalize on its value, Creighton said.
"They probably already started using it," he said.
If you opt to sign up for credit monitoring, consider paying for a third-party service like IDShield or LifeLock, versus the free monitoring Equifax is offering or a paid service from another credit scoring company, O'Leary said. Independent monitoring companies tend to track more sources to spot suspicious activity and alert you to it, he said, and typically also bundle in assistance to help victims handle credit problems.
"I hate to tell people to sign up for things that cost money," he said, "especially when it's not their fault they've been compromised."
Another reason Equifax's free monitoring isn't the best bet: The terms and conditions require users to resolve disputes through arbitration, and ban them from participating in class-action lawsuits. That fine print gives consumers the ability to opt out by notifying the company in writing within 30 days, Chi Chi Wu, a staff attorney for the National Consumer Law Center, said in a statement.
"However, most consumers will not see that fine print and will be forced to give up their access to the courts," she said.
With so much information affected, consumers are better served by freezing their accounts with Equifax, Experian and TransUnion rather than relying on monitoring services, U.S. PIRG's Litt said in the statement. That can keep thieves from opening new loans and lines of credit in your name.
But a freeze isn't a step to undertake lightly. Besides stopping criminals, a freeze also prevents you from getting new credit. You'll need to reach out to the credit reporting companies to temporarily lift the freeze any time you want, say, a new credit card or to refinance your mortgage.
"Freeze it, and nothing can get through," O'Leary said.
Freezes don't always come cheap, either. There can be a fee each time you add, lift or remove a freeze — and you'll face up to three fees for taking that action with each company. Rates vary by company and state, as well as details including your age and whether you've been a victim of identity theft. Fees also vary by the kind of action you're taking.
For example, in Iowa, placing a freeze might be free, $5 or $10, depending on which category you fall under.