(Image courtesy of the Los Angeles Times)

The Equifax Cybersecurity Incident: What It Means for Investors

Barry Armstrong
Founder and President, Armstrong Advisory Group


Equifax is one of the three major credit-reporting agencies in the United States. Its size and scope is massive: the organization handles information about approximately 820 million consumers and over 91 million businesses around the world (1). However, Equifax experienced its third major cybersecurity incident since 2015 this year when upwards of 143 million American consumers were impacted by a breach that occurred between the months of May and July (2). It resulted in the theft of names, Social Security numbers, birth dates, addresses, and even driver’s license numbers (2). In addition, the thieves stole the credit card numbers of 209,000 consumers, and information about 182,000 people engaged in disputes was compromised (2). According to the latest estimates, the population of the United States stands at approximately 323 million people (3). This means that the Equifax cybersecurity incident affected nearly half of all Americans.


Identity theft can have a significant impact on a consumer. According to a CNN report, thieves can earn as much as $30 for each identity they sell on online black markets (4). The same report indicated that the impact of identity theft could range from a criminal maxing out a consumer’s credit cards, which could adversely affect the individual’s ability to purchase a home, car, or even a cell phone, to using a consumer’s identity to make fraudulent prescription drug purchases (4).

Although those examples are harsh enough, the impact on investors could be especially frightening. Mutual fund companies are a good example of this reality. While FDIC-insured banks are obligated to restore assets stolen by hackers, mutual fund companies are not required to do so (5). Although this represents a key difference between organizations that are FDIC-insured and those that are not, all types of investment firms must still work to identify and respond to instances of possible identify theft (5). Nevertheless, it is important for investors to safeguard their retirement savings as cybersecurity incidents become more frequent.


While it is virtually impossible to stop all instances of identity theft, it is not impossible for consumers to take steps to protect their identity. First, it is important to avoid using unsecured Wi-Fi connections. It is possible for hackers to take advantage of people using these unsecured connections to steal sensitive information. Also, when using a computer, be sure to utilize strong passwords. It is important to change them frequently and use different passwords for different accounts.

Some of the most important steps to protect your identity include regularly monitoring your credit by keeping close tabs on your statements and credit report. A free copy of one’s credit report from the three major credit bureaus is available at https://www.annualcreditreport.com (6). Other steps include refusing to provide your Social Security number unless it is required and taking advantage of bill payment services through your bank instead of giving your information to multiple third-party payment services. Another key step is to enable two-step verification whenever possible. This system requires an individual to enter a password and an authorization code sent to a cellphone or an email address linked to the account in order to view its details.

In response to this latest cybersecurity incident, Equifax has established a website (https://www.equifaxsecurity2017.com) to allow consumers to identify whether their information was a part of the breach. The agency is also permitting people to sign up for free credit monitoring services. Despite some initial confusion about the agency’s arbitration clause, Equifax indicated on their website that enrolling in the free credit monitoring service “does not waive any rights to take legal action” against the agency (7). However, be sure to always read the fine print whenever enrolling in any type of service.


Although the utilization of credit monitoring services and fraud alerts could be a good way to track suspicious activity in your accounts, they usually require the payment of ongoing fees and do not provide the same level of security as a credit freeze. The purpose of a credit freeze is to prevent any new creditors from accessing your consumer credit report. This move stops anyone from opening a new line of credit in the name of the consumer who enacted the freeze, including the consumer.

For a list of the steps necessary to implement a credit freeze with all three major credit bureaus, visit http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide. Note that a consumer can implement a credit freeze with each agency by filling out an online form or calling the agency.

Caution: There is a fee to enact a credit freeze. This can range from $5 to $12 and it varies on a state-by-state basis. A consumer must pay this fee to each agency if they wish to implement a freeze, and the fee must be paid again in order to temporary thaw the consumer’s credit.

A credit freeze could be an option for a retired individual to consider. However, there are very strong reasons for consumers to avoid freezing their credit. For example, it would probably not be a smart move to freeze your credit if you are:

• About to look for a new job, since new employers may check your credit before offering you a job.
• About to apply for a new credit card.
• About to buy a new home and plan to apply for a mortgage or a home equity line of credit.
• About to buy a new homeowners insurance policy.
• About to buy a new car.
• About to buy a cell phone.

These are just a few examples of transactions that require credit. However, it is important to remember that a consumer is able to thaw their credit after freezing it, but this does come at the aforementioned cost.


The consequences of identity theft are frightening and potentially far more extensive than outlined in this brief guide. However, the federal government has established a system to report identity theft and formulate a recovery plan. It is available at https://www.identitytheft.gov. Examples of the steps outlined on the website include instituting a fraud alert, reporting identity theft to the Federal Trade Commission (FTC), closing new accounts opened in the victim’s name, removing fraudulent charges, and considering a credit freeze (8). Visit the website for a thorough list of what to do if a criminal steals your identity.

1 http://money.cnn.com/2017/09/11/pf/equifaxmyths/index.html
2 https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
3 https://www.census.gov/quickfacts/fact/table/US/PST045216
4 http://money.cnn.com/2017/09/11/technology/equifax-identity-theft
5 https://www.consumerreports.org/equifax/how-to-lock-down-your-money-after-the-equifax-breach
6 https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
7 https://www.equifaxsecurity2017.com
8 https://www.identitytheft.gov/Steps

Barry Armstrong has over 30 years of experience in the financial industry. He founded the Armstrong Advisory Group in 2004 and has been sharing his financial knowledge with New Englanders on a daily basis during his Boston-based radio broadcast for nearly 20 years. Learn more about Barry and the Armstrong Advisory Group at www.armstrongadvisory.com.  Securities offered through Securities America, Inc.  Member FINRA/SIPC and Advisory Services offered through Securities America Advisors. Barry Armstrong, Representative. Representatives of Securities America do not offer tax advice.  Always seek the assistance of a tax professional familiar with the laws in your state.  Armstrong Advisory Group and Securities America are unaffiliated.