By Russell Grantham and J. Scott Trubey

Cox Newspapers

Credit agency’s crumbling credibility

Credit agency Equifax traced the theft of sensitive information of about 143 million Americans to a software flaw that could have been fixed well before the burglary occurred, further undermining its credibility as the guardian of personal data that can easily be used for identity theft.

Equifax identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birthdates, addresses and full legal names from a massive database maintained primarily for lenders. Equifax was already under fire for not disclosing the break-in until Sept. 7 — nearly six weeks after the company discovered it.

Late Friday, Equifax announced that its chief information officer and chief security officer would leave the company immediately.

— The Associated Press

It’s a modern-day nightmare. Everyone fears a massive hack in which millions of Americans’ Social Security numbers, driver’s license information and credit card numbers are compromised, leaving them vulnerable to identity thieves who seek to wreak financial havoc.

That’s the reality that Atlanta-based Equifax Corp., one of the nation’s key credit reporting bureaus, disclosed last week.

So now what are you supposed to do, since odds are someone has that info on you?

According to the experts, you’ve got some work to do. The Federal Trade Commission has a good checklist of what to do at www.identity

But the to-do list basically boils down to this:

Step 1: Find out if any damage has been done

Get credit reports from all three credit-tracking agencies, Equifax, Experian and TransUnion, suggests Christopher Hart, a Boston lawyer with FoleyHoag, who works on cyber security cases for companies and other clients. Such reports can be obtained free once a year from

Lori Silverman, director of local consumer expert Clark Howard’s Team Clark Consumer Action Center, says there’s another important early step: sign up on Credit Karma for free credit monitoring.

They say do those steps first because you won’t be able to do them after the next step, which is most important.

Step 2: Freeze your credit at all three credit bureaus

This involves signing up with each credit bureau separately to block anyone from signing up for new loans or credit card accounts without your permission. You need to keep track of a personal identification number if you want to later “thaw” your credit to apply for new credit cards or bank accounts.

“You just have to do it,” said Silverman. She doesn’t recommend the credit monitoring services that Equifax initially offered. They simply notify customers after identity thieves have already done damage, she said.

Equifax has since offered free credit freezes to people who sign up within 30 days of the Sept. 7 data breach announcement.

Legislative action is needed to provide more protection to consumers, said Al Pascual, research director and head of fraud and security at Javelin Strategy and Research.

“One year of (credit) protection isn’t enough,” he said.

Some experts say it’s better to call rather than use the bureaus’ online sites to set up freezes. Their numbers for setting up freezes are:

• Equifax: 800-349-9960

• Experian: 888-397-3742

• TransUnion: 888-909-8872

Step 3: Monitor your accounts

This may last forever.

Freezing your credit only protects you from new criminal activity.

Because of the depth of what the hackers got, and the permanent nature of Social Security numbers, experts say they can cause problems with your existing accounts and go beyond credit cards or loans.

They could possibly use a combination of information to create new passwords on bank accounts or to send in false tax returns.

Stolen data could allow a crook to call a bank and get access to bank accounts or change log-in information.

“For financial institutions, it’s going to cause chaos,” Pascual said.

If there’s evidence an identity thief is at work, Hart suggests filing a Form 14039 with the IRS, an “Identity Theft Affidavit.”

Some accounts, such as 401(k) savings accounts and IRAs, may be difficult to mess with unless hackers also got account numbers, personal identification numbers and passwords, said Hart.

To be safe, Silverman suggests signing up for so-called two-tier authentication. Many banks, investment firms and other financial institutions now offer this type of account security feature.

It works like this: The customer signs in with his or her normal password, then receives a second ID number by text or a phone call that needs to be typed in to gain access to the account.

Step 4: Hurry, but be patient

People are having trouble signing up for Equifax’s free credit freeze because the company’s system is swamped, according to the experts and folks who have tried.

The breach is “grisly,” said Paige Schaffer, president and COO of insurer Generali Global Assistance’s Identity and Digital Protection Services division, which helps victims of cybercrimes.

At “our resolution center, the phones are ringing off the walls because they can’t get through to the bureaus,” she said.

Silverman said 1,500 people called Clark Howard’s Consumer Action Center on Wednesday, mostly for help with their questions on Equifax. The normal volume is 200 calls, she said.

“I tell people that 143 million of their fellow American citizens are trying to do the same thing, so it’s crashing,” said Silverman. “I’m telling people to wait” on ordering a credit freeze at Equifax, she said.

Hart disagrees. “I don’t think that it’s wise to wait, just because of the sensitivity of the information involved,” he said.

Vernon Keenan, director of the Georgia Bureau of Investigation, said he has tried four times since Wednesday to sign up on Equifax’s website, without success.

“It’s very frustrating to load in the information they ask for, only to get an error message,” he said. It’s sensitive information he doesn’t like putting online: full name, Social Security number, address, date of birth.

But he said he’s going to keep doing it until he gets Equifax to freeze his credit information. “I don’t have a choice,” he said.

But Equifax should be “penalized,” he added. “I’d like to see them being held accountable … for having my personal information and losing it.”