It's been almost two weeks since Equifax first admitted it had been hacked in a massive breach affecting as many as 143 million consumers. Ever since, people have been begging Equifax to answer a simple question: "Am I on the list of victims?"
Much to America's dismay, Equifax has yet to provide a firm response. It's not clear when or if the country will ever get one. But the most depressing thing isn't Equifax's failure to tell consumers definitively whether they, individually, are at risk. The most depressing thing is that, at this point, the answer may not even matter.
"Once it’s out there, it’s out there," said Justin Shipe, vice president of information security at CardConnect, a payment processor.
You may be clinging to some sliver of hope that perhaps your information is not yet "out there." But with every subsequent breach, the likelihood of your never having been affected by hackers grows slimmer and slimmer.
What is the point of knowing whether Equifax was the one who leaked your data? Perhaps in the short term, you might become part of a class-action suit, and win a few dollars in the inevitable settlement. But in the long run, this knowledge doesn't help you any more than discovering you were affected by the 2013 data breach at Target, the 2014 incident at Home Depot and the 2015 break-in at the Office of Personnel Management.
If I knew I was affected, I'd take steps to protect myself, like freezing my credit, you say. To which I'd say: Why wait? Many Americans have already called to freeze their credit, or place preemptive fraud alerts on their accounts, and they're as in the dark right now as everyone else who isn't Equifax. You don't need knowledge that you were affected to protect yourself.
If Equifax told individuals whether their information was leaked, couldn't they trace cases of future identity theft to the hack? Experts say that's extremely unlikely.
"If we see a large increase in identity fraud, we can potentially hypothesize that some of this increase was due to the Equifax breach, but there’s no way to prove this 100 percent," said Richard White, the former chief information security officer for the U.S. Capitol Police. "The more time passes, the harder it becomes for a number of reasons, mainly [because of] new cyberattacks that expose more information."
Even if you could prove a link, what could you do with that revelation that you haven't already done?
Let's run a little thought experiment. Suppose you were a victim of not only the Equifax breach, but also the breaches at Target, Home Depot, OPM or Anthem. Now imagine that in 2020, you check your credit report and find out that somebody opened a fraudulent credit card account in your name.
How would you know which breach produced the data that allowed criminals to create the new line of credit? How could you distinguish that from information gathered by garden-variety social engineering attacks such as email phishing?
What would it even matter?
At that point, you've been compromised. Whether Equifax was the one to leak your data becomes irrelevant.
You should still be keeping a close eye on your credit reports for any suspicious or unusual activity, such as new loans or credit cards you didn't ask for. Under the Fair Credit Reporting Act, consumers are entitled to one free credit report from each of the three major reporting bureaus once a year. You can safely access your reports by visiting annualcreditreport.com. You can also apply a temporary fraud alert to your credit, or freeze it entirely so that nobody can open new lines of credit in your name.
Equifax is likely to pay a high price for its failures. But in the grand scheme of things, the one question plaguing all of us has mostly become a pointless mental exercise. And that's the depressing part.