
Equifax Inc. (EFX) announced Sept. 7 that 143 million of its customers were affected by a hack that occurred between mid-May and July. The company had known about the attack since July 29, but waited over a month to alert the public. As many as 209,000 customers' credit card numbers were exposed as a result of the hack, according to the company, and dispute documents related to 182,000 U.S. consumers – which include personal information – were compromised. Some British and Canadian consumers may also be affected by the breach, the firm said.

Given that the adult population of the U.S. is around 250 million, chances are good that you were affected by the breach. It is also possible that you have already been a victim of fraud, since the attack began nearly four months ago.

Atlanta-based Equifax, one of the big three consumer credit reporting agencies, collects data including Social Security numbers, credit card numbers, driver's license numbers, rent and utility payment information, and demographic data. Because Equifax's model is primarily business-to-business, many of its customers are unaware that their data is stored by the firm. (See also, 5 Biggest Credit Card Data Hacks in History.)

How to Check If You Were Affected

Equifax has set up a site where you can check if your information was compromised by giving your last name and the last six digits of your Social Security number. (We removed a link to the page following reports that it's vulnerable to phishing attacks.)

In addition, Equifax is offering customers the following services, which it calls TrustedID Premier: copies of an Equifax credit report, credit monitoring and automated alerts for all three major credit bureaus (the other two are Experian and TransUnion), the ability to block third-party access to your Equifax credit report (with exceptions), Social Security number monitoring, and $1 million in identity theft insurance. The deadline to apply is Nov. 21, 2017.

The company says these services are all complimentary, but placing a security freeze on a credit file was not initially free – at least not for everyone. When this reporter tried to freeze an Equifax credit file on Sept. 8, the company's site said the service would cost $3.00 and asked for credit card information to process the payment.

A screen grab from www.freeze.equifax.com (Sept. 8, 2017 at 11:46 a.m. EDT).

As a New York resident, I was able to place a freeze on my Experian file for free. TransUnion's site was unable to process the request initially – likely a symptom of increased traffic – but later allowed me to place a freeze free of charge.

In an emailed statement, an Equifax spokesperson told Investopedia on Sept. 14 that the company is waiving all charges to freeze credit files and is automatically refunding customers who paid to do so after the hack was made public. A new concern – and clear lapse in security – has now arisen around the PINs the company issued to customers who had frozen their credit reports. These PINs, which allow customers to unfreeze credit reports, follow an easily identifiable pattern. The spokesperson said that customers with these faulty PINs must call 866-349-5191 to speak to a live agent.

If you got a PIN after reporting the hack, yours may be one of the faulty ones. Having it fixed may not be so easy. Twelve calls to the line on the morning of Sept. 15 yielded eight busy signals and four instances of total silence.

The TrustedID Premier services Equifax lists as complimentary are only free for a year. An Equifax spokesperson told Investopedia that the company is not asking for credit card information when customers sign up for the service and that it will not automatically renew the service and charge a fee.

What to Do If You Were Affected

Liz Weston, a personal finance writer at NerdWallet, has the following advice for those affected by the Equifax breach, which she shared with Investopedia in an email: "Equifax will reach out to the victims and offer them credit monitoring. Victims should make sure that agreeing to the monitoring doesn't prevent them from joining in lawsuits or other actions down the road."

Initially, TrustedID Premier's terms of service page (archived version) did in fact require users to waive their right to join a class action suit against Equifax: "By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed." Following a backlash, the company's FAQ page was updated to say that the clause applied to the TrustedID Premier service, not the hack. As of the morning of Sept. 12, the terms of service no longer include an arbitration clause.

Weston says that affected customers should consider freezing their credit reports at all three major bureaus. As mentioned above, credit bureaus may impose fees for initiating that freeze. You may also be charged fees for unfreezing accounts when you need a credit check (to apply for cellphone service, for example). These fees are generally less than $10, but can pile up. Weston notes that another option is to place a fraud alert on your credit reports at the three credit bureaus. For more, see How to Recover from Identity Theft.

Other credit-monitoring services, not sponsored by Equifax, are also available. Identity Theft Protection Services: Worth Having? lists several of them for you to investigate.

Equifax's Response

Equifax's chairman and CEO, Richard Smith, said the hack was "clearly a disappointing incident for our company, and one that strikes at the heart of who we are and what we do."

Unlike the company's chief financial officer John Gamble, its president of workforce solutions Rodolfo Ploder, and its president of U.S. information solutions Joseph Loughran, Smith did not sell Equifax shares within a few days of uncovering the hack internally – and before revealing it to the public. Equifax said in a statement that the executives did not know about the breach when they sold their stock. Gamble, Ploder and Loughran collectively earned nearly $1.8 million from the sales.

As of Sept. 12 at 10:09 a.m. EDT, Equifax's stock had fallen 19.6% from its close on Sept. 7 (before the hack was announced) to $114.72.

Let the Lawsuits Begin

Reuters reported on Sept. 11 that more than 30 lawsuits – many of them seeking class action – have been filed against Equifax in U.S. courts. Several allege violations of securities law; others accuse TrustedID of pitching costly services to customers who were affected by the data breach. Five Utah residents have sued the company in U.S. District Court for failure to protect customers' sensitive data. The suit seeks monetary damages of $5 billion and the imposition of stricter industry standards.

A few affected customers are taking a less traditional route in seeking recourse from Equifax. The DoNotPay chatbot provides assistance in filing a complaint in state small claims courts, where maximum penalties range from $2,500 to $25,000. The bot can only generate paperwork for a lawsuit, not actually file it or appear in court, according to the Verge.

Congress Weighs In

On Sept. 12, the 24 Democratic members of the House Committee on Energy and Commerce sent a letter to Equifax CEO Richard Smith requesting answers to 16 questions related to the hack.

The letter probes Equifax's security controls leading up to the hack, pointing out that it was the third breach Equifax had seen in two years: "What security controls were in place that failed to protect sensitive customer information?" The letter points to a number of flaws in Equifax's response, from the month-long gap between its discovery and public disclosure of the breach, to stock sales by executives in the interim, to the controversial arbitration clause the company initially included in its TrustedID Premier terms of service.

The letter also questions the company's apparent intention to charge for credit monitoring services after a year: "How much money per year would an affected customer who received this free service pay Equifax to extend the 'complimentary' services beyond one year?" Also: "...how much money would Equifax make after one year on credit monitoring services that would be unnecessary but for Equifax's failure to safeguard consumer data?" The representatives set a deadline of Sept. 22 for the firm's response.

The Senate has also weighed in, with Republican Orrin Hatch of Utah and Democrat Ron Wyden of Oregon sending 13 questions related to the cyberattack to Smith on Sept. 11. The senators, who lead the U.S. Senate Finance Committee, questioned Smith on his colleagues' stock sales and the implications of the hack for federal agencies and programs, including the IRS, Social Security, Medicare and Medicaid. The letter called Equifax a "critical partner" and asked, "Has Equifax alerted or will it alert its federal agency customers about the degree and scope to which federal records may have been compromised?" The senators have asked Smith to respond by Sept. 28.
