Why should we have to pay for credit reporting firm’s blunder?

Like everyone else with a credit card, my data was among that stolen from the ginormous Equifax credit reporting company. Assuming the hackers knew what they were doing, it won’t be long before they try to steal my identity.

They got our Social Security numbers in the hack.

“That puts you at peril of identity theft for as long as you’ve got a beating heart,” the Chicago Tribune says in an editorial today.

I don’t have much choice in this underreported affair; I have to freeze my credit at not only Equifax, but every other major credit reporting firm.

And I had to pay for each one.

Late yesterday, the company said it would no longer charge $5 for a credit freeze, but only until November. After that, their loss is your loss. And the company isn’t stepping forward to pick up the tab for freezing credit at the other agencies.

“It’s a logical reaction,” the New York Times’ Ron Lieber writes. “You did not ask Equifax to vacuum up data about you, and then resell it to marketers and loan sellers.”

And it is not your fault that the company could not keep that data safe. So why should you pay for a freeze, which keeps new creditors from seeing your credit file and thus can keep thieves from applying for credit in your name?

Somehow, that question did not occur to Equifax on Thursday, when it first announced the breach. It apparently thought a year of free credit monitoring would be enough to placate consumers. When I asked Equifax on Sunday why it was not making freezes free, Wyatt Jefferies, a spokesman, did not respond to that particular question.

Among the other questions Lieber can’t get answers for: Why not make the freezes free permanently? Why not pay the other agencies to freeze credit?

At some of the other credit reporting agencies, in order to place a credit freeze, you have to agree to accept unsolicited offers for products.

Lieber asked one of Equifax’s execs in charge of not losing your data if he’d be resigning in the wake of the scandal.

“No, but for the record I am considering dropping my NYT subscription and picking up the Wash Post!” was the reply.

Keep in mind, company officials sold their stock in the days leading up to the public announcement of the theft, after they knew about it. It was more than a month before the rest of us were told our data was hacked.

These people are sneaky and despicable.

In its editorial today, the Boston Globe notes that some states mandate that credit freezes be free. Massachusetts’ politicians — just like Minnesota’s — never got around to such an obvious protection for consumers.

Equifax is a regular campaign contributor to lawmakers in Washington who sit on committees in charge of banking regulation, including Minnesota congressmen Tom Emmer and Keith Ellison, both members of the House Banking Committee. Republican Rep. Erik Paulsen received $4,000 in the last campaign, the most of any House member.

“No consumer asked companies like Equifax to amass vast amounts of private data about them,” the Globe asked. “Why should they be charged for asking the companies not to share it?”

That’s not only a good question for the companies, it’s a good question for legislators who’ve spent their time on far less important things.

  • Mike

    Has any reporter asked the SEC whether they’ll be investigating what certainly appears to be a massive amount of illegal trading on insider knowledge? And doesn’t accepting the free credit monitoring involve waiving your right to sue?

      • Mike

        For #2, according to the NPR article, it’s not entirely clear whether that language change would still allow those affected to sue.

        • From the Equifax FAQ: “To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site http://www.equifaxsecurity2017.com. The Terms of Use on http://www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

          • Mike

            The Executive Director of the National Association of Consumer Advocates still expresses skepticism that it’s as clear as it appears. Like he says, I guess we’ll see.

          • Barton

            I have to admit, I’ve still been afraid to sign up for their TrustedID product.

            It’s almost like I don’t trust them at all, for some strange reason…….

  • Gary F

    Bob, how did you know your data was hacked? Did you have some incident that triggered you to notice?

    • I went to the Equifax site and checked.

    • Barton

      Equifax has stated they won’t be providing notice (the cheapskates). It is up to you to go out and check.

      • jon

        And I suspect illegal in some states…
        I think at least CA and FL require notification on loss of personally identifying data, and they also require some level of identity monitoring after a breach… (or so I was told when we had to update our stolen laptop process at work)

        But given everything else going on around this I think it’s pretty clear that Equifax believes themselves above the law… we’ll see what the various governments have to say about that.

      • Laurie K.

        That just ticks me off. I guess I hadn’t been paying much attention to the Equifax debacle because I assumed that I would get notice if my information was at risk. Luckily after reading this I checked it out and mine and my husband’s data “may be at risk”. What a bunch of crap. Equifax created the problem by selling my private data, they find out weeks before now that the data was compromised and when they finally get around to letting us know, oh hey guys, there may be a little problem with some identity theft, they do not bother to notify the people actually affected?

        • Barton

          Agreed. Especially since we’ve now been talking about it at work since last Thursday (continued in-depth discussion this morning, as we were helping co-workers navigate through the crap to protect themselves) and someone asks what we are talking about, as she hadn’t heard anything about it! Now, she doesn’t watch the news or the radio at all, and I don’t think she takes the paper. So, how IS she supposed to know if her information has been compromised?

          • Laurie K.

            When a purchase from Beijing for 26 pairs of Nikes shows up on her credit card statement I guess! Grrrr…..

  • MikeB

    A person should own his or her credit record. If companies want to pay them for that data, with incentives of some sort, then consumers should have the option of opting into such a program.

    There is no accountability in any of the credit rating agencies.

  • Barton

    Maybe, at the very least, it is time to start pushing our state legislators to require the 3 credit bureaus to provide us with credit lock for free. Other states have: ours seems to have mandated a $5 charge to do so.

  • AL287

    There is nothing more unsettling than the feeling of constantly having to look over your shoulder to make sure no one is following you.

    The Equifax breach has done this to millions of adults in America.

    If President Trump wants to continue cleaning out the swamp, he can start with the credit bureaus. They don’t appear to be accountable when they screw up and this is far worse than the retailer breaches of recent years.

    Considering the tangential relationships with the big Wall Street banks, I suspect that Congress will consider this a tempest in a tea cup and nothing much will be done because of lobbyist efforts.

    Before this latest debacle, it was impossible to reach a human at any of the credit reporting bureaus. If you wanted to get something corrected on your credit report, it took an Act of Congress to get it done.

    The sale of stock is insider trading. The “I didn’t know” excuse is as lame-brained as the clueless executives making the claim. OF COURSE THEY KNEW!

    This pattern of “cross your fingers and hope for the best” attitude regarding cybersecurity is maddening and foolhardy.

    Social Security numbers were never intended to be a form of identification but thousands of banks, medical organizations, insurance companies, employers and credit card companies use them to identify consumers which is what makes this breach so devastating.

    Medicare is mailing out new insurance cards to all Medicare beneficiaries that don’t have their Social Security numbers on them. For once the government has the jump on big business.

    I kept my maiden name on my SSN card because it is very unusual and the great majority of people can’t identify the country of origin.

    • Barton

      I work in financial services. I’ve had a LOT of friends ask me about insider trading this week.

      And it all starts the same: “you know,” they say. “What Martha Stewart went to jail for?” Except she didn’t: she went to jail for obstruction of justice and lying to investigators, the securities fraud/insider trading charges were dropped. It is incredibly hard to prove insider trading, and really hard to get a conviction that means anything/is really a punishment. I think the last infamous case was against Raj Rajaratnam, who was convicted in 2009 of securities fraud and conspiracy.

      But if these executives didn’t know about the breach, then there is a failure of leadership at that firm. Except I have trouble believing that. I’m hopeful the SEC and FBI will be able to prove securities fraud and send these people away AND make them disgorge profits plus fines! Not that I’m vindictive…

      • RBHolb

        I was talking about the Equifax trading with some colleagues last night. I said that what bothered me about it the most was how blatant it was–did they think no one would notice? One person wondered if that wouldn’t be their defense: “Do you really think we would be that stupid?”

      • DavidG

        At my company (not financial services), all employees have a ~one month window after earnings reports in which we can sell company stock that is in our 401k or ESPP. After that, it’s closed until after the next earnings report.

        We also get regular reminders that insider trading rules also apply to household members.

      • Dave S.

        We were talking about this at work. Someone suggested that an employee went to the executives and said, “I have something to tell you, but you should sell your stock first.”

  • Rob

    Taking financial advantage of a crisis – even if it’s one that you caused in the first place – is, very sad to say, the American way.

  • pleppik

    Bob:

    One thing to add to your article (which is otherwise spot-on) is that under MN law you are entitled to a free credit freeze if you have been the victim of ID theft: http://www.ag.state.mn.us/Consumer/Publications/IdentityTheft.asp

    I did this after my identity was used to open a Sprint account without authorization. They don’t make it easy (hint: keep a paper trail and be prepared to send letters to the state AG’s office if they turn you down the first time). But once I got through that, there’s been no charge, no hassle, and many years later the freeze is still in place and ticking.

  • rosswilliams

    There is a larger question here. Who owns your personal information? If it was given as much protection as other intellectual property, this would not be an issue.

    We could make these companies strictly liable for any misuse of the information they gather and sell. That would put Equifax on the hook for any damage done by identity theft. Of course proving the information came from Equifax would be tough.

    But we won’t in any case. The real problem is that our laws are designed to protect the business interests of the rich and powerful, not the personal interests of the typical middle-class American. Companies should be responsible for any damage done when they issue credit to someone based on stolen information. But they aren’t because it would be “too expensive”, for them. Instead it’s up to us to figure out how to protect ourselves and pay them for doing so. Changing that is going to require a real revolution that overthrows our current ruling elite and restores self-government. And that is not going to happen easily.

  • Kassie

    Tony Webster discovered that your PIN when you freeze your Equifax account is just the date and time: https://twitter.com/webster/status/906346071210778625

    • Kassie

      But on the Equifax site, it looks like they did fix that. It says:
      1) Adjusted our PIN Generation for Security Freezes
      We understand and appreciate that consumers have questions about how a PIN is currently generated for a consumer initiating an Equifax security freeze solution. All consumers placing a security freeze will be provided a randomly generated PIN.

      • Barton

        …assuming you can even get INTO Equifax to free your credit. And don’t get me started on Experian wanting me to physically MAIL them a copy of my SSN, my DL, and a utility bill, plus the $5 check to freeze my credit.

        • Kassie

          FOR REAL! We bought a car last night, so I was waiting to freeze my reports to see if we were going to need to use credit or not. Anyway, went to freeze mine today. Can’t get into Equifax and Experian did the same thing to me. I don’t even get utility bills. I’m really frustrated right now. I think I’ll just keep checking Credit Karma every couple months.

      • I got my PIN three days ago. I wonder if it will work now, though, when I try to unlock my credit freeze.

        This is a disaster. Why it’s not getting more attention is beyond me.

        • Pej

          Bob you’ll get to keep your crappy non-random PIN. Though now that we know when you got your PIN, there are just that many less guesses needed to brute-force an unlock…

          If you are fully paranoid, I’d edit your comment to say “I got a non-random PIN…”

  • Jay Sieling

    It gets worse. Brian Krebs, from Krebs on Security blog (he broke the story of the Target breach a few years ago) posted an exclusive last night detailing how an online portal used by Equifax employees in Argentina was left basically wide open exposing thousands of customer PII (personally identifiable information). It makes one wonder about the rest of this bureau’s attitude toward privacy and security. Certainly have a huge trust problem now. I froze my reports at all the bureaus and counseled my daughter to do the same. Monitoring services offered may be helpful, but don’t prevent the id theft from happening – just alert you that it’s happened. And given the way Equifax has handled this, and the revelation of even more boneheaded lax security in their other divisions, I would not trust their monitoring service product at all.

    Here is the link to the Krebs article on the Equifax issue in Argentina: https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/#more-40712

    And here is a very helpful Q and A about the Equifax issue, including tips and links to freeze your file at each credit bureau: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

  • Glsai

    What would their reaction be if the CXOs and upper management at these credit bureaus had their information leaked in a very public manner and had their credit driven into the ground? It would be wrong as it would be wrong to leak anyone’s info, but it sure would feel like a little bit of justice. Oh well for the rest of us we will just get to worry for the rest of our lives that someone can steal our identity. Those at the top won’t have to care about it.

  • Barton

    So. Umm. One of the tech guys at work just shared this article. He considers them a trusted source, and I don’t find him to be a conspiracy-theorist-sort-of-dude….

    I’m not sure how scientific his evidence is (not at all, from what I’m reading), but it does make me worry for the very few people I know who think they are safe: maybe they aren’t….

    https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/

  • lusophone

    On top of the fee to freeze your credit with the other credit bureaus, I bet a lot of people who sign up for Equifax’s offer for 1 year of free credit protection will either forget to cancel their subscriptions or have difficulty doing so (maybe deal with a hard sell when calling to cancel it) and will get charged for another year or more after that.

  • Just FYI re: class action suit against Equifax:

    “[Y]ou can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

    “You still have to serve the legal forms yourself.

    “The bot, which launched in all 50 states in July, is mainly known for helping with parking tickets. But with this new update, its creator, Joshua Browder, who was one of the 143 million affected by the breach, is tackling a much bigger target, with larger aspirations to match. He says, ‘I hope that my product will replace lawyers, and, with enough success, bankrupt Equifax.’”

    https://www.theverge.com/2017/9/11/16290730/equifax-chatbots-ai-joshua-browder-security-breach