Equifax: The Breach, at Last

Equifax ad says “you data has a story to tell.” Who is it telling you “story” to now?

It was bound to happen, and now it has: One of the three major credit reporting bureaus has finally fallen victim to some form of hack attack. The company has not disclosed much information about the hack–nor is it likely to reveal much more–but Equifax itself concedes that around 143 million consumers in the United States may be victims of this attack. Equifax does not believe any credit reports experienced “unauthorized activity,” just that “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” of “consumers” were exposed. Note the verbiage, “consumers,” not “customers.”

For the most part, Equifax hoovers up your personal information and credit history and sells that information to businesses. The consumer credit reporting products they offer are recent additions to their portfolio. You likely aren’t a customer of Equifax, but you likely are a victim. And Equifax isn’t the only such problematic company out there: Experian and TransUnion perform the same basic business-to-business functions using your personal information. ChexSystems provides most banks and credit unions with similar information when you apply to open a bank account. Each of these companies, and others, know you just about as well as your spouse does, you are not likely a direct customer of any of them, and they can all completely bugger up your life.

Considering that the United States has about 324 million people, and the population above age 18 is likely around 250 million, nearly three out of every five people who are likely to have a credit file with Equifax may have had information divulged in this leak. This is absolutely and unequivocally shameful. More than almost any other, Equifax should have been vigilant with the information they have on us, and they clearly were not doing enough to separate that information from public-facing systems. I hope the Department of Justice crushes the corporation with a crippling lawsuit for what they allowed to happen. And I do not worry about the people who will lose their jobs; the other two major bureaus and the smaller bureaus out there will welcome them with open arms. This should never have happened, and it is easy to imagine that Equifax should have handled the situation better.

But what did Equifax executives do about the breach when they learned of it? They sat on the info for five weeks (and three of their top leaders allegedly exercised stock options) while formulating a public information campaign. Within their information package is investor data indicating that they remain committed to a financial model forecasting “7-10% revenue growth and 11-14% growth in Adjusted [Earnings Per Share] on average over a business cycle.” In other words, their investors shouldn’t worry. Their investors shouldn’t worry. You should. Central to Equifax’s messaging to consumers is an offering of credit monitoring services to you.

These are the very same people who use your information without explaining to you every way in which they may use it, who assign your credit worthiness scores without clearly telling you by what formulae they judge you, and who should have been protecting your personal data at least as well as your bank should. They failed. And now they want you to trust them to monitor your credit for the next year (after which they will be delighted to charge you to continue the service). You can find the offer at https://www.equifaxsecurity2017.com/.

But I wouldn’t trust them.

I recently had an issue with one of my annual credit reports (more on that concept in a moment), and these bureaus make it nigh onto impossible to talk to a human being to get answers or sort out the problem. There is no customer service for you and for me because we aren’t their customers. If you will be diligent about cancelling the monitoring service before the first bill, go ahead and sign up (as long as they don’t want more information about you); otherwise, think long and hard about trusting these jokers before you accept their free offer.

Instead, there are things you can and should do to protect yourself, and things you need to do with all of the bureaus. No, those paid, nationally-advertised credit monitoring services are not among the steps I recommend you take. I don’t like spending money needlessly. If you have the money on-hand, go ahead. But I’d rather not spend it. First off, lock down your credit reports.

By US law, the three bureaus must allow you to “freeze” your credit reports. This ensures that someone who has your name, your date of birth, and your Social Security Number still does not have information enough to open credit in your name. Go to the bureaus’ websites, https://www.equifax.com/, https://www.experian.com/, and https://www.transunion.com/ to set up your freezes. But don’t expect them to make it easy. As of this writing, the three hide these functions as follows:

  • Equifax: Shortcut the process at https://www.freeze.equifax.com/ or, from the Equifax homepage, ensure you are on the “Personal” section (at the top of the page). Click the “CREDIT REPORT ASSISTANCE” link on the second row of the homepage, and then click “Place a Security Freeze on Reports” in the flyout that opens up.
  • Experian: Shortcut the process at https://www.experian.com/freeze/ or, from the Experian homepage, ensure you are on the “Consumer” section (at the top of the page). Hover over the “Credit Report Assistance” link on the second row of the homepage, and then click “Security Freeze” in the menu that pops down.
  • TransUnion: Shortcut the process at https://www.transunion.com/credit-freeze/place-credit-freeze or, from the TransUnion homepage, ensure you are on the “Personal” section (at the top of the page). Click the “Credit Report Assistance” link on the second row of the homepage, and then click “Credit Freeze” in the flyout that opens up.

Each will ask you questions to identify yourself, including past addresses, Social Security Number, companies with which you have done business in the past, etc. Eventually, each will charge you a nominal fee (Arizona allows for $5, some states allow for $10 or $15, and some reportedly make this process free of charge). It is worth the price. Spend the money.

At the end of the process, and you do need to repeat this process at all three bureaus, each will give you a PIN number. Make sure this is as long as possible, especially if you are allowed to set your own. Record this PIN and store it in a safe or a strongbox in your home, and possibly also in a safe deposit box or with a family member elsewhere. If you have an encrypted online store that you trust sufficiently, you may record it there as well, but know that you are trusting someone else not to mess up the security of that storage.

From now on, to take out any credit in your name, someone will have to provide your secret PIN in addition to your personal information to the bureau(s), not to the lender, to lift the freeze. I strongly recommend never sharing your PIN with anyone. If you are going to sign up for new cellular service, buy a car, rent an apartment, open a credit card, take out a mortgage, or do anything else that requires access to your credit, spend the few dollars to place a temporary thaw on your reports at each of the three bureaus. Do all three, because many creditors will check all three, because you won’t always know which bureau a creditor will use ahead of time if they only use one, and because it may take some time between thawing your report and a creditor having access. Handle the thaw yourself, and never trust some random (likely low-paid) employee of a creditor with your PIN.

My wife and I are big Dave Ramsey fans and do not open credit any longer. However, some employers may want to perform a credit check on hiring, and criminals can still harm even the most ardent Ramsey followers by opening credit illegally. Even if you do not have any form of credit or do not intend to take out any form of credit, freeze what the bureaus do know about you. This is an imperative, and the single most effective step you can take to protect your good name.

Once you have frozen your credit reports, set yourself a calendar reminder every four months to check one of the three bureaus for your credit report. There are companies that want you to buy their services to access these at any time. You can if you want, but I would rather spend that money elsewhere. Instead, every four months, go to https://www.annualcreditreport.com/ and request one of the three free reports available to you each year. Federal law mandates that the bureaus offer this service to you, so take full advantage, and be religious about it. This is how you yourself will detect criminal activity on your credit report–as well as the mistakes that may adversely affect you–whether or not you spend the money on a monitoring plan. Do this, no matter what. (These reports will not give you your credit score, unless you purchase that service for a nominal fee; but these will show you what credit others may have illegitimately opened in your name.)

If you have become a victim of identity theft, report that to the IRS via resources at https://www.irs.gov/identity-theft-fraud-scams/identity-protection, report the theft to the Federal Trade Commission via https://www.identitytheft.gov/, contact the local police, and place fraud alerts with your banks and the credit bureaus.

Breaches happen far too often in this digital age, so it is highly likely that your personal information has already been stolen. If you were one of the very few who had thus far escaped that fate, with Equifax’s hack, you are almost certainly now exposed. Take these steps to lock down your credit reports and put into place what protections these mysteriously opaque, greedy hoarders of your information offer you. Do the same for your kids, and help your family and friends. And pay attention to your finances. Ultimately, you are the only person responsible for making sure that you don’t owe many thousands of dollars because somebody else abused your good name. And the fact that it now takes effort to protect yourself from evildoers the world over is a sad state of affairs.