Computer with vault

On Wed, 13 September 2017 we hosted a webcast on the Equifax hack, which you can now find in the webcast archives.  One of the things that surprised us was the amount of questions asked, well over 100 hundred questions, a new record I believe for a SANS webcast!  Even though we spent over 30 minutes answering most of the questions we still ran out.  As promised, here is a list of answers to both the unanswered questions and the most commonly asked questions.  Remember, you can find the facts of the incident and the steps you and others should take in this earlier blog post. If you still have a question, ask me at

I'm trying to reach the Credit Bureaus (CBs) and freeze my credit but their site is not responding!

Alot of people are reporting that some of the CBs are not responding.  Be sure you try reaching them both online and via the phone.  My impression is that as more and more people read about the need to establish a credit freeze, the more and more the CBs are overwhelmed.  To be honest, it should not be that hard to enable a credit freeze.  If you are frustrated, contact your local representatives and let them just how disappointed you are.  As pointed out by Bruce Schneier, ultimately this problem can only be solved by government regulation, something I fully agree with.

What is the difference between a credit freeze or lock?

Some of the CBs are pushing people to put a lock on their credit account instead of a freeze (such as this dubious TransUnion example).  So what is a lock?  I don't know.  You know what is odd?  No one knows.  I've asked alot of people and no one can figure out exactly what one is.  It's economics.  Each CB can make up to $1 every time an organization checks your credit.  The more companies check your credit, the more money the CBs make.  Freeze your credit, no one can check your credit, CBs can't make money.  They are economically motivated to stop you from enabling a credit freeze.  That is why they make it so hard, both process and cost wise.  If the CBs were serious about security, they would freeze your credit by default, then have you unfreeze when needed.  I recommend skip their marketing ploy and do the actual freeze.

Do I need to put a freeze on my kids?

CBs can track and collect data on minors 13-18 years old.  Younger than 13 and it's illegal, 18 and older they are adults.  The question then becomes, have the CBs collected information about your kids?  You have to ask and find out.  If they have data on your kids, get a credit freeze for them also.  For minors you have to submit the freeze, they cannot do it.

How long is a credit freeze good for?

It's permanent, which is a good thing.   You have to manually 'unfreeze' your account when you want to get a loan or credit card.  However, its not that hard and how often do you need new credit?  Finally, you don't have to unfreeze all the CBs, just as your bank which CB they use and unfreeze that one.  Fraud alerts are temporary, you don't want to use those.

Should I do credit monitoring or freeze?

I would recommend both, they are two very different things.  You only need to do credit monitoring from one CB, credit freeze you have to do at all four.  For more info see previous blog.

What about internationals, such as Canada or the UK? We don't know.  The incident response teams and lawyers are still figuring that one out.  So stay tuned.

Who did the attack and/or why.

We don't know, that information has not been released.  Equifax may not even know at this point.

Should I be watching my existing retirement, bank or credit card accounts?

Absolutely.  Setup two-step verification whenever possible and automated alerts for any transactions and/or daily updates.  The sooner you detect unauthorized activity and report it, the better.  You can recover from most fraud incidents if you detect it within 24 hours.  After 72 hours and it's probably too late.

We will be adding more Questions and Answers as we get asked.  So return to this site time-to-time for latest updates.  If you have a question you want to ask, or a point you feel should be posted here, please contact me at  Learn the latest trends and lessons learned in managing human risk in the annual SANS 2017 Security Awareness Report.