Personal Finance

What consumers are doing to protect their data a year after huge Equifax breach

Key Points
  • A majority of consumers now check their bank and credit card statements for accuracy more frequently.
  • Just 8 percent have frozen their credit reports, which prevents fraudsters from opening new accounts using someone's personal data.

In the year since the massive data breach at Equifax was revealed, consumers appear to have become more vigilant about identity theft.

Nine out of 10 people have taken steps over the last year to protect themselves, mostly by reviewing their card and bank statements more often, according to a new survey by However, just 8 percent have taken the proactive step of freezing their credit report, which helps prevent fraud.

The survey results come as Friday marks the one-year anniversary of the announcement by Equifax that the personal data of at least 143 million consumers — including their names, birthdates and Social Security numbers — had been exposed to criminals in a cyberattack against the company several months earlier. By March 2018, the number of consumers affected was revised upward to 148 million.

Richard Smith, former chairman and CEO of Equifax Inc., testifies before House Energy and Commerce hearing on "Oversight of the Equifax Data Breach: Answers for Consumers" on Capitol Hill in Washington, U.S., October 3, 2017.
Kevin Lamarque | Reuters

"There's no question that the silver lining in the Equifax data breach is that it woke up a lot of people to the fact they need to take action," said Matt Schulz, chief industry analyst at CompareCards.

While the cyberattack at Equifax wasn't the first major breach at a U.S. company, it was different in that the revealed data included far more identifying information — and consumers did not willingly share any of it with the company. Like other credit reporting firms, Equifax collects and compiles consumers' personal data from various sources to create credit reports and calculate credit scores.

"Protecting the data entrusted to Equifax is the company's top priority," an Equifax spokesperson said in an emailed statement to CNBC, pointing to the variety of security, operational and technological improvements the company has made and the $200 million increase this year in its spending on those aspects of its business.

A year ago, the public outcry over the breach led to days of congressional hearings, government investigations and class-action lawsuits. Equifax's CEO and other top executives resigned after the breach as the company bungled its way handling the crisis: It accidentally sent consumers to a phishing site, consumers had problems signing up for its free credit-monitoring service, and it initially included a mandatory arbitration clause (meaning no class-actions) for anyone registering for that service.

In June, Equifax agreed to a consent order with a handful of state regulators to a variety of required actions, including that the company conduct security audits at least one a year and more closely monitor the technology vendors it uses.

And while the company remains the subject of both federal and state investigations, and is the target of a consolidated class-action lawsuit and other litigation, it appears otherwise to have emerged relatively unscathed.

Its stock closed Thursday above $135. While that's below the high of $145 in August 2017, it's still 45 percent above the $93 share price following its data breach announcement. And although the company's most recent quarterly report shows its second-quarter revenue fell short of expectations, its earnings beat analyst forecasts.

While the outcry on Capitol Hill receded after the Equifax hearings last year as lawmakers moved on to other things — i.e., tax reform — at least one consumer-friendly change related to the debacle came out of Congress.

More from Personal Finance:
More than 4 out of 10 workers aren't taking this key step to keep 401(k) fees in check
Whether Queen of Soul or commoner, here's why you should have a will
Forget college tuition. Annual child-care costs exceed $20,000 in these states

A bill signed into law by President Trump in April included a provision that prohibits credit-reporting firms to charge consumers for a credit freeze (or to lift a freeze). It is scheduled to take effect Sept. 21. However, you must alert each credit-reporting firm — Equifax, Experian and TransUnion are the biggest — to freeze your reports at all three.

Freezing your credit report generally blocks outside access to your file. This means a scammer can't use your personal information to get a loan or establish credit, because the potential lender can't check your report to approve the application.

Spotting errors on your credit report
Spotting errors on your credit report

Additionally, short-term fraud alerts will be extended to one year from the current 90 days. These alerts are separate from freezes: Under a fraud alert, a lender seeking to approve an application must first contact you to verify the request is not from an imposter.

You only need to contact one credit reporting firm to initiate a fraud alert, which in turn is legally obligated to share your notice with others. It also already is free.

Meanwhile, consumer advocates think Equifax got off easy.

"Despite all the outrage and media attention last year, Congress has done little except make security freezes free, and Equifax has not been held accountable," said Chi Chi Wu, staff attorney for the National Consumer Law Center. "And this sensitive information is still out there, with the potential to wreak havoc for the majority of adult American consumers in perpetuity."