Equifax: The Breach, at Last

An Equifax ad says “your data has a story to tell.” Who is it telling your “story” to now?

It was bound to happen, and now it has: One of the three major credit reporting bureaus has finally fallen victim to some form of hack attack. The company has not disclosed much information about the hack–nor is it likely to reveal much more–but Equifax itself concedes that around 143 million consumers in the United States may be victims of this attack. Equifax does not believe any credit reports experienced “unauthorized activity,” just that “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” of “consumers” were exposed. Note the verbiage, “consumers,” not “customers.”

For the most part, Equifax hoovers up your personal information and credit history and sells that information to businesses. The consumer credit reporting products they offer are recent additions to their portfolio. You likely aren’t a customer of Equifax, but you likely are a victim. And Equifax isn’t the only such problematic company out there: Experian and TransUnion perform the same basic business-to-business functions using your personal information. ChexSystems provides most banks and credit unions with similar information when you apply to open a bank account. Each of these companies, and others, knows you just about as well as your spouse does; you are not likely a direct customer of any of them; and they can all completely bugger up your life.

Considering that the United States has about 324 million people, and the population above age 18 is likely around 250 million, nearly three out of every five people who are likely to have a credit file with Equifax may have had information divulged in this leak. This is absolutely and unequivocally shameful. More than almost any other, Equifax should have been vigilant with the information they have on us, and they clearly were not doing enough to separate that information from public-facing systems. I hope the Department of Justice crushes the corporation with a crippling lawsuit for what they allowed to happen. And I do not worry about the people who will lose their jobs; the other two major bureaus and the smaller bureaus out there will welcome them with open arms. This should never have happened, and it is easy to imagine that Equifax should have handled the situation better.

But what did Equifax executives do about the breach when they learned of it? They sat on the info for five weeks (and three of their top leaders allegedly exercised stock options) while formulating a public information campaign. Within their information package is investor data indicating that they remain committed to a financial model forecasting “7-10% revenue growth and 11-14% growth in Adjusted [Earnings Per Share] on average over a business cycle.” In other words, their investors shouldn’t worry. Their investors shouldn’t worry. You should. Central to Equifax’s messaging to consumers is an offering of credit monitoring services to you.

These are the very same people who use your information without explaining to you every way in which they may use it, who assign your credit worthiness scores without clearly telling you by what formulae they judge you, and who should have been protecting your personal data at least as well as your bank should. They failed. And now they want you to trust them to monitor your credit for the next year (after which they will be delighted to charge you to continue the service). You can find the offer at https://www.equifaxsecurity2017.com/.

But I wouldn’t trust them.

I recently had an issue with one of my annual credit reports (more on that concept in a moment), and these bureaus make it nigh onto impossible to talk to a human being to get answers or sort out the problem. There is no customer service for you and for me because we aren’t their customers. If you will be diligent about cancelling the monitoring service before the first bill, go ahead and sign up (as long as they don’t want more information about you); otherwise, think long and hard about trusting these jokers before you accept their free offer.

Instead, there are things you can and should do to protect yourself, and things you need to do with all of the bureaus. No, those paid, nationally-advertised credit monitoring services are not among the steps I recommend you take. I don’t like spending money needlessly. If you have the money on-hand, go ahead. But I’d rather not spend it. First off, lock down your credit reports.

By US law, the three bureaus must allow you to “freeze” your credit reports. This ensures that someone who has your name, your date of birth, and your Social Security Number still does not have information enough to open credit in your name. Go to the bureaus’ websites, https://www.equifax.com/, https://www.experian.com/, and https://www.transunion.com/ to set up your freezes. But don’t expect them to make it easy. As of this writing, the three hide these functions as follows:

  • Equifax: Shortcut the process at https://www.freeze.equifax.com/ or, from the Equifax homepage, ensure you are on the “Personal” section (at the top of the page). Click the “CREDIT REPORT ASSISTANCE” link on the second row of the homepage, and then click “Place a Security Freeze on Reports” in the flyout that opens up.
  • Experian: Shortcut the process at https://www.experian.com/freeze/ or, from the Experian homepage, ensure you are on the “Consumer” section (at the top of the page). Hover over the “Credit Report Assistance” link on the second row of the homepage, and then click “Security Freeze” in the menu that pops down.
  • TransUnion: Shortcut the process at https://www.transunion.com/credit-freeze/place-credit-freeze or, from the TransUnion homepage, ensure you are on the “Personal” section (at the top of the page). Click the “Credit Report Assistance” link on the second row of the homepage, and then click “Credit Freeze” in the flyout that opens up.

Each will ask you questions to identify yourself, including past addresses, Social Security Number, companies with which you have done business in the past, etc. Eventually, each will charge you a nominal fee (Arizona allows for $5, some states allow for $10 or $15, and some reportedly make this process free of charge). It is worth the price. Spend the money.

At the end of the process, and you do need to repeat this process at all three bureaus, each will give you a PIN. Make sure this is as long as possible, especially if you are allowed to set your own. Record this PIN and store it in a safe or a strongbox in your home, and possibly also in a safe deposit box or with a family member elsewhere. If you have an encrypted online store that you trust sufficiently, you may record it there as well, but know that you are trusting someone else not to mess up the security of that storage.

From now on, to take out any credit in your name, someone will have to provide your secret PIN in addition to your personal information to the bureau(s), not to the lender, to lift the freeze. I strongly recommend never sharing your PIN with anyone. If you are going to sign up for new cellular service, buy a car, rent an apartment, open a credit card, take out a mortgage, or do anything else that requires access to your credit, spend the few dollars to place a temporary thaw on your reports at each of the three bureaus. Do all three, because many creditors will check all three, because you won’t always know which bureau a creditor will use ahead of time if they only use one, and because it may take some time between thawing your report and a creditor having access. Handle the thaw yourself, and never trust some random (likely low-paid) employee of a creditor with your PIN.

My wife and I are big Dave Ramsey fans and do not open credit any longer. However, some employers may want to perform a credit check on hiring, and criminals can still harm even the most ardent Ramsey followers by opening credit illegally. Even if you do not have any form of credit or do not intend to take out any form of credit, freeze what the bureaus do know about you. This is an imperative, and the single most effective step you can take to protect your good name.

Once you have frozen your credit reports, set yourself a calendar reminder every four months to check one of the three bureaus for your credit report. There are companies that want you to buy their services to access these at any time. You can if you want, but I would rather spend that money elsewhere. Instead, every four months, go to https://www.annualcreditreport.com/ and request one of the three free reports available to you each year. Federal law mandates that the bureaus offer this service to you, so take full advantage, and be religious about it. This is how you yourself will detect criminal activity on your credit report–as well as the mistakes that may adversely affect you–whether or not you spend the money on a monitoring plan. Do this, no matter what. (These reports will not give you your credit score, unless you purchase that service for a nominal fee; but these will show you what credit others may have illegitimately opened in your name.)

If you have become a victim of identity theft, report that to the IRS via resources at https://www.irs.gov/identity-theft-fraud-scams/identity-protection, report the theft to the Federal Trade Commission via https://www.identitytheft.gov/, contact the local police, and place fraud alerts with your banks and the credit bureaus.

Breaches happen far too often in this digital age, so it is highly likely that your personal information has already been stolen. If you were one of the very few who had thus far escaped that fate, with Equifax’s hack, you are almost certainly now exposed. Take these steps to lock down your credit reports and put into place what protections these mysteriously opaque, greedy hoarders of your information offer you. Do the same for your kids, and help your family and friends. And pay attention to your finances. Ultimately, you are the only person responsible for making sure that you don’t owe many thousands of dollars because somebody else abused your good name. And the fact that it now takes effort to protect yourself from evildoers the world over is a sad state of affairs.

6 Comments on "Equifax: The Breach, at Last"

  1. The Evil One | September 8, 2017 at 6:14 am |

    Always remember, it is YOUR job to prove if something does not belong on your credit report. It is NOT their job to prove that it should.

  2. the Russians again!

  3. Dwayne Wolfswinkle | September 9, 2017 at 9:16 am |

    You have got to be kidding me.

    Just saw an ad on Fox News by EQUIFAX telling people to go to their web site to check if your information is available on the DARK WEB.

    Fool me once, ………

    Why would you trust them.

  4. The Equifax Executives, [3 of whom “accidentally” sold
    $1,800,000. worth of stock within a couple days of the breach]
    were shocked they were hacked.

    Other sources revealed that in exchange
    for generous campaign donations,
    Hillary had assured them that hosting on her server
    was the safest possible option.

  5. Steve;
    Equifax not the first of the big 3 to be compromised:
    See article below:

    Sam Thielman in New York @samthielman
    Thursday 1 October 2015 23.15 EDT
    First published on Thursday 1 October 2015 17.19 EDT

    Experian hack exposes 15 million people’s personal information

    Hack of one of the largest data brokers and credit agencies in the world affects T-Mobile USA users who applied for credit checks, company says

    Experian, one of the largest credit agency data brokers in the world, has been hacked. Some 15 million people who used the company’s services, among them customers of cellular company T-Mobile who had applied for Experian credit checks, may have had their private information exposed, the company confirmed on Thursday.

    Information from the hack includes names, addresses, and social security, driver’s license and passport numbers. The license and passport numbers were in an encrypted field, but Experian said that encryption may also have been compromised.

    Connecticut’s attorney general said he will launch an investigation into the breach.

    The company said its consumer credit database was not affected and that “no other clients’ data was accessed”, presumably meaning the damage is limited to T-Mobile.

    Experian did not name the perpetrator but in a statement the company said it had contacted law enforcement. The hack specifically affects “those who applied for T-Mobile USA postpaid services or device financing from September 1, 2013 through September 16, 2015”, according to Experian.

    “Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server,” the company said in a questions page addressed to consumers. Experian is offering consumers affected by the breach free credit monitoring services.

    T-Mobile said it won’t delete credit check data from the Experian servers because of credit laws that require retention for 25 months.

    “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” wrote T-Mobile’s CEO, John Legere. “I take our customer and prospective customer privacy VERY [sic] seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”

    Experian’s businesses extend into every area of American life, from customer loyalty cards that track the purchases of everyday necessities to public records including real estate liens and bankruptcy. Its vast database is widely used by automated advertising networks to load ads relevant to a given user, but has many other applications besides.

    Jon Mandel, whose data firm PrecisionDemand was sold to AOL for an undisclosed sum last year, now works as a consultant in the industry and said that the breach has wide-ranging consequences across any number of industries. Data brokers, Mandel said, are often trusted by other companies to “anonymize” personally identifying information so as to keep it from accidentally leading to embarrassing mistakes such as the OfficeMax envelope addressed to “Mike Seay – Daughter Killed in Car Crash” (OfficeMax ultimately blamed an unidentified data broker for that incident).

    “The irony is that so many companies have used Experian as a ‘clean room’ to put your data together with other companies’ data to keep it from being personally identifiable,” Mandel said. “That very ability can make everything personally identifiable.”

    Experian has lobbied in support of the Cybersecurity Information Sharing Act, legislation currently being considered in the Senate that would broaden its immunity were it to share its stores of information with the Department of Homeland Security (which in turn would be compelled to share it with law enforcement and the NSA). “Congress has the responsibility to balance the need for facilitating greater information sharing, and thereby enhancing cybersecurity, with important consumer privacy concerns,” an Experian spokesperson wrote last month. “We encourage and support Congress’s effort in striking this balance.”

    The Experian hack is the most recent in a series of data breaches affecting organizations from the US government’s Office of Personnel Management to Target, often to the tune of tens of millions of users. The US government has blamed Chinese hackers for the OPM breach and pulled spies from the country because their cover stories could potentially have been blown by the breach.

    Private, identifying information is frequently reappropriated by data thieves, who have used it to wreak havoc among people from employees of multinational tech and entertainment company Sony and users of married hook-up site Ashley Madison, in the latter case leading to widespread blackmail.

    With respect to this specific incident, Mandel said: “It’s like anything else in life. All kinds of things sound good but everything’s good in moderation. Sometimes the best medicine turns out to be poisonous.”

    The latest incident is the second huge breach linked to Experian. An attack on an Experian subsidiary in 2014 exposed the social security numbers of 200 million Americans and prompted an investigation by at least four states, including Connecticut.
