Equifax customers should request a credit freeze from all three major credit bureaus to ensure hackers behind a massive data breach can't exploit their stolen information, a leading consumer advocacy group said Friday.
The National Consumer Law Center is calling on Equifax to pay for the freezes, which would prevent anyone from seeking a person's credit information without their authorization.
"It's the most effective measure against new identity theft when it involves Social Security numbers, dates of birth — the gold mine of information these hackers stole," said Chi Chi Wu, a staff attorney with the law center. "It prevents existing creditors and new creditors from using your information. And it prevents new accounts in your name."
Equifax, one of the three major U.S. credit bureaus, said Thursday that "criminals" exploited a U.S. website application to access files between mid-May and July of this year.
The hackers obtained consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. The purloined data can be enough for crooks to hijack victims' identities, potentially wreaking havoc on their lives. Equifax said its core credit-reporting databases don't appear to have been breached.
The hack has already compelled New York Atty. Gen. Eric Schneiderman to launch an investigation into the breach. The House Financial Services Committee also announced it would hold a hearing on the hack.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."
Credit freezes are offered in 35 states, including California. Fees vary from state to state. In California, it costs $10 to request the security measure, though it's free for residents age 65 and older.
Customers will receive a PIN that allows them to circumvent the freeze when necessary. To cover their bases, they must request the freeze at each of the three major credit bureaus: Equifax, Experian and TransUnion.
Equifax did not respond to a request for comment.
Equifax is not explicitly telling customers whether their information has been hacked. Instead, Equifax's website tells customers seeking more information that their private data "may have been impacted."
Customers are then urged to enroll in Equifax's TrustedID Premier, an additional security measure that includes credit file monitoring and identity theft protection.
Equifax is offering the service for free to U.S. customers for one year. However, signing up means forfeiting the right to sue the company. Instead, customers have to agree to one-on-one arbitration, if necessary.
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.
Critics have long called for more reforms to the credit bureaus, labeling the industry an oligopoly that prioritizes shareholders over customers.
They say private companies should not have as much sway as they do over the financial well-being of Americans.
"You have no choice as a consumer," Wu said, because these companies determine your credit score whether you like it or not.
The three firms are among the most complained-about companies in the U.S., even ahead of banks such as Wells Fargo, according to data from the Consumer Financial Protection Bureau.
A report issued by the bureau in March said the three credit bureaus did not do enough to address mounting complaints by consumers disputing their credit scores. The bureau called for more oversight to find and correct any errors in reporting.
The potential aftershocks of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person's identity, said Nathaniel Gleicher, the former director of cybersecurity policy in the White House during the Obama administration.
"This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like Social Security numbers as security factors," Gleicher, who now oversees cybersecurity strategy for computer security firm Illumio, wrote in a statement.
There are many websites that sell access to credit reports, but the official, government sanctioned one that offers free reports is AnnualCreditReport.com. Be wary of look-alikes.
Experts say consumers should check this information not just in the immediate future but for the long term. Once personal data are out there, they can be used at any time.
"Bad guys can be very patient with data. This should be a wake-up call to be even more diligent with your information," said Matt Schultz, an analyst with CreditCards.com.
An even more extreme step? People can request to change their Social Security number with the Social Security Administration if they have repeatedly been a victim of identity fraud under their original number.
The Associated Press contributed to this report.
10:10 a.m.: This article was updated to include details about Equifax's arbitration policy and comment from Nathaniel Gleicher.