Robert Neubecker

Weeks after Equifax acknowledged that hackers had breached the company’s system, the company’s interim chief executive, Paulino do Rego Barros Jr., apologized for its messy response. The breach meant that potentially millions of Social Security numbers, driver’s license numbers and other information had been stolen, leaving many of us to wonder how vulnerable we might be to identity theft.

“Answers to key consumer questions were too often delayed, incomplete or both,” Mr. Barros wrote in an op-ed column in The Wall Street Journal in late September.

He had his verb tenses wrong. The answers are still delayed and incomplete.

Many of you have asked us to put all we know in one place, so you’ll find my first attempt at that here. You’ll find questions and answers on a range of topics, from credit freezes to PINs to protecting the information of your children.

All the statements here from Equifax were emailed, as people representing the company have so far refused to speak with me on the record.

Did I miss anything, or is something here not actually happening? Drop me a note at lieber@nytimes.com and I’ll try to figure out why. My email tally on this matter is now over 2,000 messages, and while I’m trying to respond to every one, I can’t promise that I’ll get to them all.

What’s Happened?

How do I know if I’ve been affected by the Equifax breach?

Equifax has a website where you can check. The company will not inform you otherwise, even though it has your address (which was one of the things that the hackers helped themselves to).

But even if your name doesn’t appear on the website, it’s probably a good idea to freeze your credit anyway.

Why is freezing important? When a thief shows up with your Social Security number and address to apply for credit in your name, the lender will try to fetch your credit report before anything else happens. If it can’t retrieve the report because of the freeze, then no new account for the thief.

I’ve used the Equifax site a few times in the last several weeks and have received different answers about whether I was affected. How do I know which answer is the right answer?

Updated: Oct. 16 The company refused to directly answer this. My guess is that it is not completely certain whose information was stolen (and that its website still isn’t functioning properly). You should protect yourself accordingly.

I keep seeing different information about what the thieves actually stole. Could you please list all of it?

Updated: Oct. 7 According to the company, thieves took names, Social Security numbers, birth dates and addresses for up to 145.5 million people. They also helped themselves to some smaller number of driver’s license numbers.

Thieves may have your credit card number, too; this is the case for more than 200,000 people, and Equifax has said that it let those people know by mail.

Equifax has said that it has no evidence of a breach in its core consumer or commercial credit reporting databases, so your payment history is not floating around in the ether somewhere. Nor did the thieves get PINs that people use to unlock their frozen credit files.

Oh, and TransUnion and Experian (especially Experian, which has a similar name to Equifax) very much want you to know that their systems are not part of this particular breach.

Why are people so freaked out about this, and what is the worst-case scenario for a victim of identity theft?

New: Oct. 12 In theory, your financial losses are limited once you prove you are truly a victim. The Federal Trade Commission explains those limits well.

But the mess that an identity theft can create with your credit — and the time that it takes to fix problems every time they pop up, often for many years — is incalculable.

Drew Armstrong wrote a good first-person piece for Bloomberg that lays out some of the headaches, including the mortgage, tax and airport troubles one can encounter.

What Should I Do About It?

How do I freeze my credit file?

You can — and you should — set up a freeze on the websites of all three credit bureaus. There may be fees associated with doing it.





Note: You’ll need to click “Create an Account” on the TransUnion page.

Don’t trust the security of the companies’ sites? Try calling them instead.







Note: If you call Experian, ignore the warning to call Equifax instead and the effort to get you to go online. Listen and wait for the freeze prompt that comes eventually.

A warning about the phone systems: The process may end with you receiving a PIN you’ll need when you want to thaw your credit file (say, when you apply for a car loan or credit card sometime in the future).

The automated phone system may give you the PIN quickly, without much warning and without repetition, so be ready to write it down.

Why freeze at all three bureaus? Because thieves might take your stolen data and apply for credit at a lender or other company that only checks Experian or TransUnion files. If you haven’t frozen those files, then you’re vulnerable.

If you’re married, both you and your spouse should freeze your files, since the companies maintain separate files for every adult that they track.

Are there any other credit reporting agencies with whom I should initiate a freeze?

New: Oct. 12 I suggest setting up freezes at Innovis, a smaller firm, and ChexSystems, which helps banks check up on new account applicants.

Were the PINs for thawing freezes compromised in this breach?

No, according to Equifax.

For the people who got their PINs in the mail, why does Equifax write “Equifax Security Freeze” on the return envelope, giving thieves a signal that valuable information is inside?

New: Oct. 12 Equifax said it was looking into this, and I will update when I learn more.

If I had an Equifax freeze before, do I need to refreeze due to the breach?

No, the freeze is still in place. But the freeze did not prevent your information from being exposed by the breach.

Freezes at Equifax are free through January. Why not make them free for life?

Updated: Oct. 12 The company would not directly address the freeze question in the statement it sent me, but it seems to prefer locks over freezes, and promises to make locking and unlocking free for life as of Jan. 31. For more on the difference between freezes and locks, see this article about Experian’s decision not to offer free locks.

Thanks to those of you who have told me that Equifax’s automated freeze phone line is still telling them that freezes are free only through November. That information is wrong, and the company has generally proven to be slow in correcting its own systems after making policy changes in recent weeks.

Will thawing a frozen Equifax file also be free through January?

Updated: Oct. 2 Yes.

For people who paid for freezes after the breach announcement — but before Equifax made them temporarily free — will the company automatically refund their credit cards?

The company has said that it will, but I wouldn’t count on it happening. After all, its website was still charging many people days after the announcement that the company was lifting the fees.

If you have not seen a refund yet, dispute the charge with your credit card company when it shows up on your bill.

Does freezing my credit file hurt my credit score?

New: Oct. 12 No, according to all three companies.

Does freezing my credit file make it harder for me to instantly get my free credit report from annualcreditreport.com?

New: Oct. 12 No, according to the three companies. But many readers beg to differ. One, Pete Ho, found it impossible to get his Equifax report from the site, but the minute he lifted his freeze he received the report with no problem.

How Do I Navigate the Balky Systems?

If people are having problems with Equifax’s various websites, where is the best place to call to reach someone who knows what he or she is talking about?

Updated: Oct. 12 According to the company, the best number to dial for help is 1-866-447-7559.

The line is open seven days a week from 7 a.m. to 1 a.m. Eastern time.

After I first posted it, a reader called to tell me that the phone representatives at the above number did not know how to deal with questions about freeze PINs. Instead, they gave him another number to call, where the recorded voice touted “the hottest triple-X hardcore service.” (We checked.)

There seems to be no shortage of other numbers to try nor an easy way to figure out which ones are good for which questions. But readers have written in to say they found success with these:

• 1-865-410-8643

• 1-888-548-7878

“We acknowledge that some customers have experienced difficulty getting answers and support through our call centers and apologize for any inconvenience,” an Equifax spokesman said. “We have worked hard to improve the experience with our call centers. Call center performance is being monitored daily.”

Why were the PINs for security freezes based, until recently, entirely on the date and time that you made the freeze?

The procedure could suggest a casual approach to security at the company.

Equifax, for its part, said it had “confidence” in the old system but that it understood people’s concerns and would allow them to change their PINs. All new PINs, as of a few weeks ago, are randomly generated.

How should people with the old PINs (with the non-random numbers) change them?

Updated: Oct. 16 If someone wants a new PIN, they must call 1-866-349-5191 to speak to a live agent and provide identity verification information to receive a replacement PIN by mail.

Readers report having success with another process, too. They say they call, cancel their old freezes and then immediately start new ones to receive new PINs.

Where and how does Equifax store these PINs?

Many of you asked if they are stored with a higher level of security than the company deployed elsewhere, like where the breach had occurred. And what would Equifax say to people who, given the company’s perceived security failings, are worried that their PINs are vulnerable?

No answer on this one yet, and I don’t expect one either, for security reasons.

Is Equifax’s monitoring service groaning under the strain of all the new members?

Updated: Oct. 16 Equifax said that anyone having trouble with the service should call 1-888-548-7878 for help.

One reader reported that the new free monitoring service that Equifax is providing to everyone, called TrustedID Premier, wasn’t working for her. She applied for a new credit card and was approved but she never got the alert that she was supposed to receive.

So Much of This Does Not Seem Sensible or Easy. Why?

Why didn’t Equifax make its credit freezes free the moment it announced the breach?

Updated: Oct. 2 The company sent me a response to this question that did not actually answer the question, noting only that it eventually made them free for a few months.

Why not take a leading approach to security and have frozen files be the default for all people?

Updated: Oct. 16 Instead of answering the question, Equifax told me that “consumers can choose to have their credit reports locked or frozen,” which we already knew.

The industry lives in mortal fear of being forced to freeze all files as a default, in part because it makes money from selling access to files, which is harder to do when they are on ice.

But while it seems like a good idea to just flip a switch on everyone’s credit files, imagine the practical ramifications. No matter how much warning the companies provided, millions of people would still be caught unaware and it would delay home purchases, job applications and scores of other things. So I don’t see it happening.

Why not coordinate with Experian and TransUnion so that consumers can get one year of freezes or locks for life at all three companies?

Updated: Oct. 16 Equifax ignored this question for weeks and then sent me an answer, stating that you have to do it separately at all three bureaus, which was, of course, the very premise of the question. Sigh.

TransUnion has a $19.95-per-month monitoring service that lets you lock your TransUnion and Equifax files. Experian said that because “not all locks are created equal,” it would be hard to create a one-stop locking shop.

Why are people running into technical problems when PINs are supposed to appear on their screens after getting an Equifax freeze?

I’ve received dozens of emails from people who were able to get freezes from the Equifax website but ran into technical problems when their PIN was supposed to appear on their screens. What is going on here?

“Our technology team is aware of some limited situations in which consumers are unable to view their PINs,” the company said in an emailed statement. “We have identified that this is caused by their browser settings. We are working on a fix for this issue.”

(I do not believe the problems to be “limited,” given the volume of my mail, but we’ll see.)

If you request a security freeze online, the PIN shows up on the screen only. The company said it does not currently email the PIN as a follow-up or send it via United States mail.

If you request a security freeze over the phone, Equifax said it will mail you your PIN, so don’t worry if you don’t catch it over the phone when the automated voice reads it quickly without warning or repetition. But I would expect the mailing process to take weeks, not days.

Didn’t get your PIN at all? Equifax said that you can call 1-866-349-5191 to get it, though you’ll have to answer a bunch of identification questions before the phone representatives will give it to you.

I’m having trouble getting Experian to accept my freeze request online or by phone, and they want me to send them a bunch of personal information by mail. Are they doing this on purpose to discourage me from getting a freeze in the first place?

Updated: Oct. 7 This is for your own protection! Or so said Experian, in a statement: “When we are unable to sufficiently match identification online or by telephone, we request additional documentation in order to verify the individual’s identity. We do so as an additional precaution in an effort to protect the consumer.”

Worried about insecure postal mail if Experian asks for, say, a copy of a driver’s license or Social Security card? Experian noted that “often” you can upload documentation at www.experian.com/upload.

The company would not tell me what percentage of people are given the “prove who you are with paper documents” treatment, but I’ve received a few dozen emails about Experian doing this and very few reports of it happening with Equifax or TransUnion.

Was Equifax deliberately throttling back its website to try to keep people from getting freezes?

And has Equifax deliberately programmed its website to fail to authenticate credit freeze applicants and tell them to use paper in the hopes that people will give up and not freeze their credit files at all?

No, the company told me. “We are experiencing a high volume of requests for security freezes, and have been experiencing some technical issues. We are working diligently to resolve those technical issues,” it said.

What’s with Equifax’s efforts to force people into arbitration if they have disputes related to its original offer of assistance?

“We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself,” the company said. “The arbitration language will not apply to any consumer who signed up before the language was removed.”

Will Equifax force people to submit to mandatory arbitration or some other loss of privileges or rights in exchange for the new offer of free credit locks for life?

Another fear is that Equifax will put people on lenders’ mailing lists, leading to no end of spam. The company has not answered these questions so far.

What should people do if they do not have a United States address and want a credit freeze?

Updated: Oct. 12 According to Equifax, you can send the documents listed below by email, fax or postal mail:

• Proof of your most recent address in the United States.

• Proof of your current address outside of the United States.

• A copy of your Social Security number or another document that provides proof of that number.

• A cover letter with a short description of the request.

Send the documents to: psol.legaldocuments@equifax.com

Or by fax: 1-866-313-7122

Or postal mail:

Attention: Atlanta Support

P.O. Box 105496

Atlanta, GA 30348

Updated: Oct. 3 A TransUnion spokesman said that United States citizens who live outside the country but know the American address that is on their file can follow normal procedures on its website. If you cannot provide a United States address, you should contact the company in writing.

TransUnion LLC

P.O. Box 2000

Chester, PA 19016

Experian said that the first step is to make sure you still have a credit file at all, as some people who have lived abroad for a while do not. Then, you have to provide proof of your last address in the United States and your current address wherever you live now. You can do all of this by phone (1-888-397-3742) or on the company’s website. If neither of those options works, you’ll need to write in by mail at the address below, though you may still be able to provide your proof of identity documents via Experian’s uploading webpage.


P.O. Box 9701

Allen, TX 75013

Why won’t Equifax have an on-the-record conversation with you?

New: Oct. 12 I wish I knew. At one point, the company invited me to Atlanta for a chat and then yanked the invitation after I’d already booked a plane ticket. The public relations megafirm Edelman is on the scene, but Steve Behm, an Edelman executive in the region, has not returned any of the messages I’ve sent him in the past five weeks.

Do you work for Equifax? Want to help me answer some questions? I’m easy to find and will keep our conversations private.

What Is This About ‘Locking’ Instead of ‘Freezing’?

What are these locking services that Equifax, Experian and TransUnion offer? How are they different from freezes?

Locking has the same effect as freezing, so no new lender or company will be able to check a file whether it’s locked or frozen. But there may be differences in processes, restrictions and fees.

The glass-half-full crowd will note that unlocking your file doesn’t require the random, hard-to-remember PIN that comes with a frozen file.

The glass-half-empty people will note TransUnion’s requirement that you waive legal rights and Experian’s high fees. I explained this in a column on Sept. 27. Equifax’s TrustedID Premier service includes a one-year lock but not a permanent freeze.

Equifax is saying on its breach website that its locking product requires 24-48 hours of notice to lock or unlock a file. You said in a Sept. 27 column that it’s instant. Who’s right?

New: Sept. 29 I’m right and Equifax is wrong, and it’s caused a great deal of confusion as other media have reported what Equifax was saying on its own website. I told the company about the error, but it hasn’t fixed it yet.

Lots of people who have registered for Equifax’s credit lock via its TrustedID Premier service have not received confirmations. Are they ever going to get them?

“Due to the number of consumers who have requested enrollment in the TrustedID Premier product, we are experiencing periodic delays in issuing confirmation emails,” the company said. “We assure you we are working diligently to send confirmation information as quickly as possible, and apologize to the consumers who have not yet received their confirmation emails. We appreciate your patience. We are continuing to make the experience smoother.”

Many people who finally do get the emails click on the activation link and land on a webpage that doesn’t work. Should they just keep trying?

Updated: Oct. 2 “Equifax continues to enhance our website to improve consumer experiences,” the company said. “We are making the navigation easier to understand and eliminating steps in the enrollment process and investing in technology that allows more people to register faster. The company is committed to making the site right and meeting consumer expectations.”

Why is Equifax sending people activation emails with links inside of them?

Updated: Oct. 16 The company said that the links and emails have been designed with security in mind, but I have a hard time fully believing that. Every bit of advice we get on security says to never click a link that is inside an email purporting to be from a financial services firm, even if it appears to be from a company that you already do business with. This is in case the email came from a hacker masquerading as a trusted source and the link is going to harvest information from you in some way.

Instead, the safest move is to go to the company’s website by typing its address into a browser and then complete whatever task needs completing. The format of the activation email seems especially tone-deaf given that we’re just barely removed from a giant security breach.

Can I freeze and lock my Equifax account simultaneously?

New: Oct. 12 No.

I took Equifax up on its offer of TrustedID Premier monitoring, which includes locking. I had a freeze in place before I did so. Now I see an icon of an open lock when I log in to TrustedID Premier. Does this mean that my freeze is no longer in effect?

No. Because you cannot freeze and lock at the same time, your freeze stays in effect and the unlocked icon just means that your file is not locked. But it’s still frozen, and the other features of the TrustedID service are still supposed to work.

I signed up for a free Equifax lock for a year through the TrustedID Premier program. Once a year is up, will I automatically be switched into the free-lock-for-life program that begins Jan. 31, 2018?

Updated: Oct. 16 The company said it does not know yet.

You say that the locks will be free for life. Do the contracts specify what happens in case the company is purchased by a private equity firm, sold off for parts and/or renamed?

Updated: Oct. 16 The company would not directly answer this question.

What’s the Best Way to Push Back Against Equifax?

I’d like to punish Equifax by joining a class-action suit. How do I do that?

New: Oct. 12 There is no need to join, according to Stuart Rossman, director of litigation at the National Consumer Law Center. There will be an eventual consolidation of all the federal suits against the company, and any person whose information ended up with the thieves will eventually be eligible for any award. He warns that recoveries tend to be quite small.

I’d like to punish Equifax through the legislative process. How might this happen?

New: Oct. 12 Members of Congress have proposed a variety of solutions, but movement in this industry has historically happened in state legislatures. Contact your state representatives and ask them about legislation that would force the three credit bureaus to provide free credit freezes or locks for life, with free temporary lifts as well.

Will Equifax actively fight legislative action that forces freezes to be free or the default?

“This is a very complicated issue and we expect to engage with regulators and legislators on this topic in the future,” Equifax said.

Moreover, they will probably point to the availability of the credit locks — which Experian charges money for and TransUnion gives away only if you are willing to give up legal rights — as a reason why free freezes are not necessary.

Equifax’s announcement that its locks would be free for life was no doubt an effort to get out in front of this question.

How Else Should I React and Protect Myself?

Why can’t I just get a new Social Security number?

New: Oct. 12 You can try, but the Social Security Administration will allow it only in limited circumstances, including when “a victim of identity theft continues to be disadvantaged by using the original number.” Mere annoyance or existential fear over the Equifax breach probably won’t cut it.

I’m worried about someone using my data to file tax returns in my name and commit refund fraud, which would keep me from getting my legitimate refund. Can I do anything to stop it?

New: Oct. 12 Your best bet is to file your returns early, in order to get ahead of thieves who may try to beat you to it.

Some people are eligible to receive personal identification numbers from the Internal Revenue Service each year, which you’d have to include as you file your taxes in order to get your refund. For now, however, they are available only to people in places with high instances of fraud, like Florida, Georgia and the District of Columbia.

Victims of identity theft are also eligible to get a PIN if they fill out an affidavit, but the I.R.S. doesn’t give them out so easily if your only claim is being a victim of a breach like Equifax’s. It notes that “data breach victims should submit a Form 14039, Identity Theft Affidavit, only if your Social Security number has been compromised and your e-file return was rejected as a duplicate or I.R.S. has informed you that you may be a victim of tax-related identity theft.”

I’m worried about someone using my data to establish a Social Security Administration online account in my name and claiming my benefits. Can I do anything to stop it?

New: Oct. 12 Yes, but first review the aggravating experiences I and some readers had.

If you have a freeze on your credit files, you’ll need to temporarily lift it before setting up your Social Security online account. This is not clear to people using the site, to the great annoyance of the customer service representative I spoke with on the phone after waiting on hold for 45 minutes. (She gets a lot of calls about this issue, she said.)

She also told me that I needed to lift my freeze at Experian in order to set up my account. While a Social Security Administration spokesman said I needed only to lift my freeze at Equifax, I guess I’d go with the customer service representative’s word here.

Want to protect yourself further? You can block online access altogether. This is reversible, but you’ll have to contact the Social Security Administration for help when you’re ready.

How can people protect their children?

Updated: Oct. 16 Lots of people asked about this in a variety of ways:

• Are there mechanisms in place to proactively freeze a child's file (or, if one does not exist, create a file so it can be frozen), and when, if ever, does that depend on where you live?

• What if a child's Social Security number is showing that it “may” have been compromised via the Equifax breach but the Equifax system won't let parents sign up the child for monitoring due to their age or their lack of a credit file?

• Why is it so hard to, upon request, create a blank file for a kid simply to prophylactically freeze it?

• Or better yet, why not freeze all Social Security numbers for people under 18, period?

The nasty problem of child identity theft has been around for a while, and I wrote a column about it in 2015. Equifax’s response to my breach-related questions so far has been illogical. Here was its first pass:

“Equifax typically does not maintain files on minors. It is possible a parent may add an older minor as an authorized user to a credit card. Even if a minor was added as an authorized user to a credit card, Equifax has no indication that its core consumer credit database was impacted by the cybersecurity incident. To confirm, any information reported to Equifax by credit card companies on authorized users would not have been impacted.”

This is nonsense. Many parents have reported putting their children’s Social Security numbers into Equifax’s “Am I Impacted?” site and finding that their child “may” have been. If that’s the case, then parents need answers to their questions. If not, the website isn’t working.

When I pointed this out to the company, it refused to address the question of what happens when you put a minor’s Social Security number into its site. Instead, it just told people to call 1-866-447-7559 with any questions. If you call that number, please let me know what the phone representatives are saying and if they can answer your questions.

In general, here’s how things ought to work: There should be a database of Social Security numbers belonging to minors that effectively shuts down access to those digits until their owners turn 18. But why should things be simple?

Instead, Equifax, Experian and TransUnion all have their own baroque processes that parents can use to figure out if a child has a credit file (they’re generally not supposed to) and, if so, whether anything bad has happened to it. Some states let you freeze a child’s file, while others don’t. The National Conference of State Legislatures maintains a state-by-state guide on its website.

What’s a fraud alert, and how does it differ from a credit lock or freeze?

New: Oct. 12 If there’s a fraud alert on your credit report, it means that any lender is supposed to take additional steps to verify your identity (or that of a thief applying for credit in your name). TransUnion has a good explainer on its website of all the different types.

With a freeze or a lock, the new company could not get access to your file at all and would immediately shut down the application as opposed to merely sizing up the person applying.

If I want an extended fraud alert (and not a freeze), can I just take a screenshot of Equifax’s “Am I impacted” webpage that says I’m one of the 145.5 million that may have been impacted to prove that I am a victim?

Equifax has not answered this question so far. Typically, a person needs to submit a police report to receive an extended fraud alert.

Can you have a fraud alert and a freeze at the same time?

Updated: Oct. 12 Yes. I get that this is more or less redundant, but many people don't trust Equifax in particular to follow through, so they want to take a belt-and-suspenders approach to protection.

What were the distinguishing criteria that affected up to 145.5 million people vs. the people who supposedly weren’t affected?

New: Sept. 28 Equifax has not answered this yet.

Don’t I just need a name, address, Social Security number and date of birth to create an online Equifax account, which is the exact information that was stolen?

The presumption is that anyone with your information could set up your account before you get there, but enter their own email address and mobile phone number for confirmation, thus gaining control of the account.

New: Sept. 28 I’m still trying to figure out what Equifax is doing about it.

Is it possible to simply delete my Equifax credit file, so that I don’t have to worry about them setting any more of my data loose on the world?

Updated: Oct. 7 The company refused to answer when I wrote a column about this very question. It seems like the answer is no for now.

But for those who can bear the risk of not having an Equifax file (including potentially running into trouble with mortgage lenders who may want a look at credit reports from all three bureaus), it sure seems like a wish that Equifax ought to grant. And if it won’t, perhaps state or federal legislators should take up the question.