You are here

The Equifax Data Breach: What to Do

Share this page

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

There are steps to take to help protect your information from being misused. Visit Equifax’s website, (This link takes you away from our site. is not controlled by the FTC.)

  • Find out if your information was exposed. Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.
  • Whether or not your information was exposed, U.S. consumers can get a year of free credit monitoring and other services. The site will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until January 31, 2018 to enroll.
  • You also can access frequently asked questions at the site.

Here are some other steps to take to help protect yourself after a data breach:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting Accounts or activity that you don’t recognize could indicate identity theft. Visit to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

Visit to learn more about protecting yourself after a data breach.

Note: This post was updated on October 5, 2017 to reflect that Equifax extended the enrollment period for free credit monitoring from November 21, 2017 to January 31, 2018.




Thank you, Bridget. I know everyone working on this is very busy and dedicated to getting it right. Spelling mistakes like the one you quoted here ("wavier" instead of waiver) are the hallmark of scammers, and I know that is not the intent here. I could not find who to contact at Equifax to make this correction--perhaps you know.

I just signed up for this is there a way to disenroll if my start date is in a few days

So if we choose "free monitoring" we can't be part of any lawsuits??? How is that even legal??? Do your job FTC!!! Protect us from this BS...they should be offering free monitoring to everyone regardless of lawsuits, etc!

So you can check if you were affected without waiving, but if you sign up for the free protection it still waives your rights? I think Equifax is being deliberately vague here.

That may not be enforceable. They need to amend the agreement which is easy given it is a web page.

The contract itself contains an integration clause. Sources outside the for corners of the document cannot alter the plain unambiguous language of a contract. Accordingly, this alleged waiver of the arbitration clause in the FAQ section of the Equifax website is useless.

Thanks for the clarification, ma'am.

Whereas this whole thing sucks, the fine print on the credit monitoring only waives the right to participate in a class-action related to their credit monitoring service (which could ruin us all as well, who knows). Signing up for the credit monitoring does not waive any arbitration for the cyber incident - so you'll still have that option. They just updated their site with some clarity on that -

I heard about that on the radio. Please FTC, let us know how we can get the info we need from Equifax without ending up paying for their services or making ourselves any more vulnerable than we already are. What is the FTC doing now to protect consumers. Should companies like Equifax have the kind of power they have if they can't even manage our data securely?

They have added a statement that people caught up in the breach will not be required to waive the right to participate in class action lawsuits.

Thanks for catching that. I havent even got that far yet. That should be criminal shouldn't it?

You can opt out of the right to NOT sue them by sending a letter within 30 days of signing up for their credit monitoring service. That means you are notifying them that you choose to have the right to sue.

FYI: Read the facts before you go "chicken little" on everyone. By spreading ignorant misinformation you are not helping the situation.

Thank you so much for pointing that out GK. My day to enroll is the 11th so I guess I should rest my eyes to read all the fine print!!

They dropped this requirement, due to negative responses.

Equifax has posted on 9/8/2017 a notice on their website ( stating that you DO NOT waive the right to participate in any class-action lawsuit brought against them regarding this particular incident.
Below is from their site:

In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

This article states that on Friday Equifax said "The company's arbitration clause and class-action waiver would not apply to this incident"

Where does it say that? I can't find it

After that fine print class-action waiver language was pointed out to the FTC, Equifax backpedaled and agreed that this would NOT include ramifications of the current breach. So they probably TRIED but failed. My brother raised a couple good points. 1. WHY isn't this data kept off the grid? 2. How about people who already HAD frozen accounts -- was their data breached? 3. They should be taken down. They didn't fail their customers... banks, mortgage and credit card companies. They failed US.

A class-action lawsuit for 140+ million people. Even if you join the lawsuit you might get five dollars. It's not worth it to not except free credit protection

...but not the right to file a lawsuit. You should be clear with this, because joining a class action and suing yourself are different things.

The criminals keep reaping the benefits and the innocent good doing people keep getting screwed over. What hope is there? What can we trust or rely on?

FTC and equifax do not care about us. I tried enrolling in equifax's protection program, and I have to wait until 9/13 to enroll. Wow, you would think something as serious as a data breach of PII, actions would be taken immediately.

You can rely on getting screwed by the corrupt politicians that you keep voting into office.

Mine said the same thing and didn't bother to tell me whether not I was breached or not. I then called and nobody could tell me anything. They told me to go to FTC website because there was a list there but there wasn't. They're excuse was there was a lot of new people that didn't know what they were doing. They ended the conversation by saying that it sounded like I thought I was a victim of identity theft and I should call my local law enforcement and report it. I have no evidence that any of my info has been used. Everything is currently normal. I just wanted to know if my data was breached so I could protect myself in the future and nobody could tell me. Why set up a phone number if nobody can tell anything or even send you to the right place. I have to call them again and see if they've sorted things out because I'm afraid to enter my info on the website again.

First you let yourself be hacked (Supposedly) for three months. Then you wait another 2-3 months in order for the(Supposed)Hackers to cover their trail. Then you ask us to reveal even more than the last four digits of our SS number by sending them to your (Supposedly) hacked servers. You should be shut down permanently. I believe you orchestrated the whole thing for political motives, that's my opinion. A study should be done of just who gets harmed by this (Supposed) breach and their political party and donation record!

I was thinking the same thing! That it's a setup.

Not only is Equifax responsible for this fiasco...but their top executives have become under the scrutiny of the SEC. The Execs knew that the unveiling of this "hacking" bomb would invariably send Equifax's stock plummeting. So instead of facing the music like humans, they sold mega shares of stock, months before the story broke. Of course, the day after the debacle was reported the stock did indeed take a nosedive. These tactics by the upper management in a company is not just unscrupulous, it is illegal and felonious. Being litigious in this case, as far as I am concerned, is warranted and seeing those felons behind bars for keeping this quiet is sweet.


I agree with Revealer totally. But firstly they should do away with all these funky credit bureaus. They are in my opinion as bad as the hackers and this is a scam in itself.

Im conservative and my whole family has been affected. You?

AND, a couple of executives dumped $2 million of their stock on August 1 & 2 ... just after the July 29 breach. THOSE 2 guys need immediate investigation, too! Yeah ... they have our interests at heart.

All these companies constantly get hacked because they have lax security and there are basically no real penalties for them.

Make them pay a fine per person/per incident to the person whose data was exposed and watch them start taking their security seriously. If they can't secure the data they should not be holding it.

Exactly, Eddie. These companies are getting wealthy using the public's personal data. They have a moral obligation to protect it. If you ask me, this is every bit as serious as the Enron/Arthur Anderson case.

Actually there is a penalty, Equifax has lost credibility and will lose business. Ask the innocent employees who lost their jobs at Arthur Anderson after the Enron scandal broke about consequences. All that be said there is that was pure criminal activity. This was faulty software security practices.

Agreed. Make them pay a fine and they will figure out how to secure the data.

If you think a fine will cause them will figure out how to secure the data then you better make it a multibillion dollar fine. That would be a start. But if you want them to take security seriously there should be criminal penalties for senior execs for this level of gross negligence.

So we only get 1 yr free? My SSN stays with me forever so why don't we get protection forever? Also why are they providing their credit monitoring service and not a third-party who isn't trying to resale a product. They got hacked/breached why would their credit monitoring be any better than the "credit service" they provide. The federal government should be doing more to protect us and hold Equifax accountable.

Preach it!

If you sign up for their free service, you waive the right to participate in a class-action lawsuit, and they will pummel you with advertisements for an entire year.

Couldn't agree more. Since we can't change SSN even if we wanted to, they should be required to provide lifetime credit protection and repair coverage. One year monitoring is insufficient. The government needs to protect people from companies that collect information that can lead to identify theft.

They should also have to compensate people for any expenses incurred. It can take years to recover from identity theft.

Inexcusable that such sensitive data was not made bullet-proof from hacking. Waiting to tell consumers, and if true, selling stock before releasing such information is criminal and anyone guilty should be fully prosecuted to the full extent of the law.

What LAW? What Inforcers? What Justice? These pronouns are for the privigled elite-not us serf`s-I mean deplorables-I mean minions-I mean.....Caste system.


I agree it is criminal. People trust their livelihood with these people at Equifax .I completely agree it is criminal. People trust their livelihood with these people at Equifax . We trusted that they would protect our Identities and financial accounts . It's like opening the door and telling the criminals to walk in and take whatever they want by not taking the necessary precautions to protect us . It's like opening the door and telling the criminals to walk in and take whatever they want . Then selling their shares to protect their own financial interests? They're criminals, and deserve to be prosecuted to the full extent of the law.

Our company just sent an email stating to absolutely NOT go to equafaxsecurity2017. Who are we supposed to believe. This is so frustrating!

what company do u work for that warned u?

I'm confused as well! I don't know what to do.

I knew that site sounded the hackers site. We should be able to go to the equifax site and take care of everything! And the last 6 digits of our SS#? I don't think so!

It's only monitoring & NOT protection, AND it's only free for a year. The thieves have your SSN for life now! If you don't write to an obscure POBox address in their fine print, they will begin charging you for credit monitoring service starting on the first day of month 13. Yeah .... we're ALL going to remember to do that next year, right?!?!?!??!?! PLUS, more importantly, you give up your right to court & must accept arbitration, where consumers invariably get less compensation & the companies (perpetrators) get the best deals compared to court cases. Vampires!

Write to the federal Consumer Financial Protection Bureau (CFPB) at their government website (maybe each state's Attorney General, too) & complain that Equifax should pay for all credit freeze & removal fees consumers have to pay to any or all 3 credit bureaus. And that because SSN theft is for life, they should offer monitoring for life. The executives who walked away w/$2 million in stock sales 3-4 days after the breach is a clear indication they can afford to pay every consumer in the US (Canada & the UK were also affected) for the lifetime fees their negligence has caused at least 50% of the US population.

There was also a warning on the national news yesterday not to access this address because it is "not secured."


Leave a Comment