Wolf Richter: Worst US Consumer Data Hack Ever? Equifax Confesses

Jerri-Lynn here: This post provides good advice about how to protect yourself from having your identity stolen as a result of the Equifax data breach.

One thing you shouldn’t do: sign up for Equifax’s offer to provide one year of “free” monitoring of your credit data. Why? Well, for starters, after one year, the monitoring will be automatically renewed, and you’ll have to pay up for the service.

And another reason for following Wolf’s advice and freezing your credit data rather than opting for the “free” monitoring is that monitoring is monitoring, but it won’t prevent misuse. Whereas initiating a security freeze is your best hope of preventing someone from stealing your identity.

Initially, another reason not to opt for the monitoring service was that Equifax required as a condition of signing up for it that a consumer waive the right to sue (including participating in a class action) and consent to mandatory arbitration. Following push-back from New York state attorney general Eric Schneiderman, concerns about enforceability, and a social media uproar, Equifax finally agreed not to limit a consumer’s right to sue—either for claims related to the free monitoring products offered or for claims related to the cybersecurity breach itself.

The only good thing that may come out of this debacle is that the Senate may now be so cowed by consumer outrage that it won’t follow through and pass a resolution of disapproval under the Congressional Review Act, allowing for the overturn of the Consumer Financial Protection Bureau’s ban on mandatory arbitration clauses. The House passed such a resolution in July (which I discussed in this post, House Votes to Overturn CFPB Mandatory Arbitration Ban) and was awaiting Senate action before the ban could be scuppered.

By Wolf Richter, a San Francisco-based executive, entrepreneur, start-up specialist, and author, with extensive international work experience. Originally published at Wolf Street.

Your data was likely stolen. Here’s what you can do to protect yourself even after the hack, and Equifax doesn’t want you to do it.

Equifax, as a consumer credit bureau, collects financial, credit, and other data on every US consumer. It has names, birth dates, social security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like. It collects data on bank balances, loan balances, credit card balances, credit card purchases, and myriad personal details. It has massive digital dossiers on every consumer in the US and in some other countries. And it sells this data to other companies, such as banks, credit card companies, car dealerships, retailers, and others, as a routine part of its business model. That’s how it makes money.

But when someone breaks in and steals this data without paying Equifax for it, well, that’s a huge deal. And it is.

Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell 2 million shares between the discovery of the hack and today, when they crashed 13% in late trading.

Given the quantity and sensitivity of the stolen data, it may well be the biggest and worst breach in US history.

That stolen data “primarily includes”:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • “In some instances,” driver’s license numbers.

In addition, the stolen data includes:

  • Credit card numbers of around 209,000 US consumers
  • “Certain dispute documents with personal identifying information” of around 182,000 US consumers.
  • “Limited personal information for certain UK and Canadian residents.”

This is the kind of information with which identities can be stolen and money can be borrowed in your name. Those data points are the crown jewels for hackers.

If you ever looked at your full multi-page credit report from Equifax or the other consumer credit bureaus: that pile of details is just a brief summary of the massive amounts of data credit bureaus collect on consumers.

Equifax said that it “has found no evidence of unauthorized activity” on its “core consumer or commercial credit reporting databases.” That’s where the other consumer data – what you bought, how you paid for it, where you went to buy it, etc. – is apparently kept.

“Found no evidence” doesn’t mean it didn’t happen.

There have been hacks involving more accounts, including Yahoo’s breach that compromised 1 billion accounts, but many of them were inactive, used aliases, and weren’t associated with social security numbers, credit card numbers, and driver’s license numbers.

When eBay reported its mega-breach in May 2014, it refused to disclose how many accounts were compromised but asked 145 million users to change passwords. But given the data Equifax collects on consumers, it’s in an entirely different category.

Here’s what Equifax did to deal with this, according to the statement:

The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities.

It also got its PR and damage control campaign underway, put its legal team to work to defend against class-action lawsuits, and initiated other moves to stem the bloodletting of its shares. It also offers consumers its own 3-bureau credit monitoring service (Equifax, Experian and TransUnion) and identity theft protection.

But here is the most effective way to prevent identity theft:

Put a “security freeze” on each of the three major credit bureaus

A security freeze (aka “credit freeze”) will prevent the credit bureaus from selling your data to anyone. It will not prevent hackers from stealing that info, but it will make it very difficult for them – or for those who buy that data from them – to use this data to open credit accounts in your name and steal your identity. If they submit your data to a credit card company to apply in your name for a credit card, the credit card company checks with credit bureaus to confirm this information and review your credit. But since there is a credit freeze on your account, Equifax cannot disclose that information, and the credit card company will not open an account in your name.

Note: Even if you try to open a new bank account or credit account, you will not be able to, unless you first remove the credit freeze. Credit freezes do not impact current banking and credit relationships; they continue as normal.

Here are the pages of the three major credit bureaus where you can request or lift a security freeze: Equifax, TransUnion, and Experian.

Credit bureaus are required by law to provide this service, otherwise they wouldn’t. They hate it. Selling your data is how they get revenues. Locking this data eliminates those revenues. But it’s the most effective way to protect yourself.

And remember: you’re not their customer; you’re their product.

I initiated a security freeze with these credit bureaus in 2010 after the University of Texas at Austin notified me that all my data, including social security number, had been stolen. It was a great decision. As a positive side-effect, it stopped the “pre-approved” credit card promos since credit bureaus could no longer sell my data to promoters. So good luck.
