ATLANTA — It's a modern-day nightmare.
Everyone fears a massive hack in which millions of Americans' Social Security numbers, driver's license information and credit card numbers are compromised, leaving them vulnerable to identity thieves who seek to wreak financial havoc.
That's the reality that Atlanta-based Equifax Corp., one of the nation's key credit reporting bureaus, disclosed last week.
Late Friday it was announced that the firm's chief information officer and chief security officer would leave the company immediately, after the enormous breach of 143 million Americans' personal information.
Equifax said that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.
Mauldin is being replaced by Russ Ayers, an information technology executive inside Equifax. Webb is being replaced by Mark Rohrwasser, who most recently was in charge of Equifax's international technology operations.
Three Equifax executives — not the ones who are departing — sold shares worth a combined $1.8 million just a few days after the company discovered the breach on July 29, according to documents filed with securities regulators.
Equifax shares have lost a third of their value since it announced the breach.
So now what are you supposed to do, since odds are someone has that info on you?
According to the experts, you've got some work to do. The Federal Trade Commission has a good checklist of what to do at identitytheft.gov.
But the to-do list basically boils down to this:
Step One: Find out if any damage has been done
Get credit reports from all three credit-tracking agencies, Equifax, Experian and TransUnion, suggests Christopher Hart, a Boston lawyer with FoleyHoag, who works on cyber security cases for companies and other clients. Such reports can be obtained free once a year from AnnualCreditReport.com.
Lori Silverman, director of local consumer expert Clark Howard's Team Clark Consumer Action Center, said there's another important early step: sign up on Credit Karma (creditkarma.com) for free credit monitoring.
They say do those steps first because you won't be able to do them after the next step, which is most important.
Step Two: Freeze your credit at all three credit bureaus
This involves signing up with each credit bureau separately to block anyone from signing up for new loans or credit card accounts without your permission. You need to keep track of a personal identification number if you want to later "thaw" your credit to apply for new credit cards or bank accounts.
In Georgia, the service typically costs $3 each time you freeze or unfreeze your credit information, and you need to do it at all three bureaus to block thieves. It's free for seniors over 65.
"You just have to do it," said Silverman. She doesn't recommend the credit monitoring services that Equifax initially offered. They simply notify customers after identity thieves have already done damage, she said.
Equifax has since offered free credit freezes to people who sign up within 30 days of the Sept. 7 data breach announcement.
Legislative action is needed to provide more protection to consumers, said Al Pascual, research director and head of fraud and security at Javelin Strategy and Research.
"One year of (credit) protection isn't enough," he said.
Some experts say it's better to call rather than use the bureaus' online sites to set up freezes. Their numbers for setting up freezes are: Equifax — (800) 349-9960; Experian — (888) 397-3742; TransUnion — (888) 909-8872.
Step Three: Monitor your accounts (This may last forever)
Freezing your credit only protects you from new criminal activity.
Because of the depth of what the hackers got, and the permanent nature of Social Security numbers, experts say they can cause problems with your existing accounts and go beyond credit cards or loans.
They could possibly use a combination of information to create new passwords on bank accounts or to send in false tax returns.
Stolen data could allow a crook to call a bank and get access to bank accounts or change log-in information.
"For financial institutions, it's going to cause chaos," Pascual said.
If there's evidence an identity thief is at work, Hart suggests filing a Form 14039 with the IRS, an "Identity Theft Affidavit."
Some accounts, such as 401(k) savings accounts and IRAs, may be difficult to mess with unless hackers also got account numbers, personal identification (PIN) numbers and passwords, said Hart.
To be safe, Silverman suggests signing up for so-called two-tier authentication. Many banks, investment firms and other financial institutions now offer this type of account security feature.
It works like this: The customer signs in with his or her normal password, then receives a second ID number by text or a phone call that needs to be typed in to gain access to the account.
Step Four: Hurry, but be patient (There may be technical difficulties)
People are having trouble signing up for Equifax's free credit freeze because the company's system is swamped, according to the experts and people who have tried.
The breach is "grisly," said Paige Schaffer, president and COO of insurer Generali Global Assistance's Identity and Digital Protection Services division, which helps victims of cybercrimes.
At "our resolution center, the phones are ringing off the walls because they can't get through to the bureaus," she said.
Silverman said 1,500 people called Clark Howard's Consumer Action Center on Wednesday, mostly for help with their questions on Equifax. The normal volume is 200 calls, she said.
"I tell people that 143 million of their fellow American citizens are trying to do the same thing, so it's crashing," said Silverman. "I'm telling people to wait" on ordering a credit freeze at Equifax, she said.
Hart disagrees. "I don't think that it's wise to wait, just because of the sensitivity of the information involved," he said.
Vernon Keenan, director of the Georgia Bureau of Investigation, said he has tried four times since Wednesday to sign up on Equifax's website, without success.
"It's very frustrating to load in the information they ask for, only to get an error message," he said. It's sensitive information he doen't like putting online: full name, Social Security number, address, date of birth.
But he said he's going to keep doing it until he gets Equifax to freeze his credit information. "I don't have a choice," he said.
But Equifax should be "penalized," he added. "I'd like to see them being held accountable … for having my personal information and losing it."
Information from the Associated Press was used in this report.