1) Pull your credit reports or at least check your scores, which you can do with CreditKarma for free. Reports are for details, but scores will alert you to trends. If your score is normally 690 and it dips to 685, I wouldn't panic. But if it plummeted to 610 I would be pulling the reports to see what was going on.
2) Make sure the banks, etc. know your correct snail mail address. Change of address forms are often the first place identity thieves start, because that gives them more time to fleece you before you figure out what's going on. If you are getting services (oil, cable, etc.) or bank usage, but not the invoices and statements that go with them, that can be a sign that ID theft is starting.
3) If you have more than just a data breach but an actual ID theft, go to the IRS's website and fill out their identity theft form. This is because you'll need this form for step 4, but also because ID thieves might do otherwise legit work with your name and address on their W-2. With online work and Paypal, they can do this and no one's the wiser until you get the 1099 in the mail for that tax year. This protects you from being audited. The IRS will look at your returns more closely but it will be for ID theft patterns and not for the purposes of an audit.
4) Go to the cops and have them open a file. Take everything with you that's proof of ID theft (in my case - yes, I've done this - it was a 1099); they'll copy that stuff and make it a part of their file and they will give you a copy. In step 3, the IRS will give you access to their ID theft website. When you get the police report, copy that information (case number, etc.) into the online record. That site will also show give you tips on what you might want to do, like put a credit alert or a credit freeze (or both) on your file.
5) Consider a credit monitoring service. However, they are costly, and if you get CreditKarma and you can also read a credit report well enough to determine if it's wrong and/or if there are suspicious charges, then you might not need one.
Also - Equifax is trying to pull a fast one. They are offering one year of free credit monitoring from their competitor, Experian. Except the fine print says that if you accept that service, you are forever waiving your right to sue them about the breach.
This is highly
unethical and it won't hold up in court. Judges hate covenants not to sue, and they interpret them extremely narrowly and nearly always strike them down. When they don't, it's because of (a) transparency and (b ) more or less equal bargaining positions between the parties. Neither of those factors are at play here, plus the consequences of this breach could be staggering and long-lasting, and the company's failure to even report the breach for 6 weeks seems like negligence on its face. So the courts will not
look kindly upon that kind of nonsense.
This kind of breach (which is easily more than all of the adults in the US - the breach affects 143M people and the US only has 126M adults) can be used for fraud on a grand scale, including vote fraud. Talk to your local politicians about trying to set up some way of making sure the people who are voting are who they say they are.