The Equifax debacle is one of the worst possible breaches of our personal information in the history of breaches. The personal information of nearly every adult in the U.S. was leaked to cyber criminals. The information includes names, addresses, Social Security numbers, driver’s license numbers, birthdays, credit card numbers and more — just what the criminals need to make millions.
What’s so despicable about this is how this credit agency, one of three that we are forced to provide this information to if we want to get credit, failed to protect the data. It’s not as if they didn’t have warnings. This is the third time that their computers were hacked over the past two years. You wonder who’s managing their security.
But it gets worse. When they discovered that there was a theft of all their data, they waited six weeks before informing anyone. That’s a long time and it allowed the thieves to take their data, package it, and go to the underground web and sell it. And if you can believe it, the story gets even worse. Three of their executives sold stock during the time between the theft and the announcement. The company claims the three, including their chief financial officer, were unaware of the breach of data. That’s astounding since the CFO’s job requires him to know of any activity associated with the company that affects its financial conditions. Expect to see a well-deserved investigation and perhaps insider trading charges filed.
Because there are no government penalties when companies entrusted with our data do something like this, we are dependent on the integrity and capabilities of the companies. But there’s no way to know whom they entrust their security to and how good a job they do. Clearly, not so good in this case. We need some way for us to be assured that our personal information will be protected.
So what should you do now? First, I would do nothing that involves Equifax. They offer a free year of credit monitoring, a product they’ve offered for years, but because it’s an Equifax product I’d be suspicious. And when you apply, you waive rights for a class-action lawsuit. That was thought to include this incident, but the company says that’s not the case.
Equifax let weeks pass between the breach and the announcement, and now the website they are sending us to is broken. It’s an unprotected site, revealing confidential code. Security researcher Martin Hall told ZDNet that the site Equifax is directing people to in order set up credit alerts “can be easily spoofed.”
In addition, the instructions on what to do next are incomplete. While they say they’re sending us there to get the free protection, in reality, they schedule a future date for us to return and say they will not remind us about it.
When I went to the site it asked me to enter my email and partial Social Security number to see if I was at risk, and it returned with a message saying I was. I also tried entering a random number and fake email and got the same message. So, for goodness’ sakes, stay away from this mess of a company.
Instead, here are some options: First, I would be less concerned with someone using your credit card to make an unauthorized charge because your liability is limited to at most $50, and in practice, zero. No reputable credit card company will hold you responsible. It’s easy to monitor your charges by reviewing your written statements or going online to check. Or better yet, many of the cards, including Amex and Chase, will send you a real-time message on your phone when a charge is made, assuming you have their app or use the card for Apple Pay or a similar service.
The big problem is when someone tries taking out a loan or opening a credit card in your name. That’s what the credit card monitoring services (such as the ones offered by Equifax or LifeLock) check.
You can also check whether you’ve been compromised by requesting a copy of your credit report. You’re entitled to one per year from each of the three credit bureaus, so space them out. Go directly to Equifax, Experian, and TransUnion to request them. By the way, www.freecreditreport.com is not free. Stay away. It will force you to sign up for a trial subscription to a credit monitoring service.
You can also place a fraud alert on your credit by contacting any one of the bureaus. This means you will be contacted by one of the credit card bureaus if anyone applies for credit in your name. In fact, this is the way it should be, but the credit bureaus have a powerful lobby that has resisted this because it costs them more money. In fact, they’ve been so successful in lobbying that they can sell and use our personal information in most any way they choose without our being aware.
The most effective thing you can do is to put a freeze on your credit altogether. You call one of the credit bureaus and request it, and then no one can access your reports without your permission. So if a criminal purchases your personal information it will do him no good if he tries to use it to open an account or apply for a credit card. Of course, this also prevents you from applying for credit until you call and remove the block. You can go back and forth, placing and removing a block as needed, but there will be a charge to do so.
And now, while we watch Congress call for hearings to try to figure out how such a breach could have happened, refer to the list below. It’s the list of political contributions Equifax made for 2016, provided by the Center for Responsive Politics.
This information is based on data released by the FEC on May 16, 2017.