Saturday, September 9, 2017

The Equifax Hack

As a public service to those of you who have been living under a rock, yet somehow still manage to read this blog, an important update: Equifax, one of the three U.S. credit agencies, has allowed itself to be hacked.
The credit reporting agency announced Thursday that the personal information of as many as 143 million people was compromised in a data breach between May and July. The stolen data includes names, Social Security numbers, birth dates, addresses and driver's license numbers.
Most of the media I've seen about this incident is not nearly as alarmist as it ought to be.  The exact data stolen --- names, Social Security numbers, birth dates, addresses and driver's license numbers --- are everything a criminal needs to commit identity theft.  And since you've been living under a rock, I'll explain that the main issue with identity theft is that the thief can open credit cards and so forth under your name, running up huge debts that you then become responsible for.

And this article from USA Today goes on to point out that the potential problem extends beyond simple identity theft:
Some examples of non-credit related illegal uses of victims' personal data, Bearak says, include:
*Medical ID theft. With the cost of health care rising, a new trend is for identity thieves to go into hospital emergency rooms with IDs created from stolen data to pay for surgeries and other procedures. This creates all sorts of problems for the identity theft victim, who can get stuck with the balance of the bill, see their insurance deductible used up as well as be stuck with flawed medical records.
*Tax fraud. Fraudsters armed with names, addresses and Social Security numbers are increasingly filing fraudulent tax returns in an effort to profit illegally from refunds. This creates a major headache for the victimized taxpayer, who must resolve the theft with the IRS, wait for a delayed tax return they might desperately need and often pay an accountant to help resolve the issue.
*Synthetic ID theft. In this scam, the fraudster takes different pieces of personal data from numerous victims and blends them all together to "create a new ID," says Bearak. For example, the hacker may use one victim's name, another's Social Security number, another's address, and another's birth date to create a fake identity.
Fun!

What's more, these articles contain precious little in the way of helpful advice we can use to protect ourselves from being victimized in this manner because, well, there's precious little we can do.  The data is out there, and unlike cancelling a stolen credit card, we can't just cancel our Social Security number (The Social Security administration does issue new numbers to people, but only under extraordinary circumstances.  For example, it will issue a new number to a victim of identity theft, and thanks to Equifax, it just became much more likely that we'll meet this qualification!).

You can't change your birthdate or your address history, and in most states you probably can't change your drivers' license ID.  You can change your name, obviously, but that probably causes more problems than it solves, since you would need to do the work to get all institutions to recognize your new name, but your old name would still be on your credit record.

I suppose we could all just go into the federal witness protection program, and start rebuilding our credit histories from scratch.

HOWEVER, while I can't offer bulletproof recommendations to protect yourself, there's one very easy course of action we all can take right away, and that's to put a security freeze on our credit reports.  Since there are three credit agencies in the U.S. (Experian, TransUnion, and the one who ruined it for everybody, Equifax), you need to place the freeze with all three of them.

What is a security freeze?  TransUnion describes it this way:
Placing a freeze on your credit report will prevent lenders and others from accessing your TransUnion credit report in response to a new credit application. With a security freeze in place, even you will need to take special steps when you wish to apply for any type of credit.
You will need to place a security freeze separately with each of the three major credit reporting companies if you want the freeze on all of your credit files. There may be a fee for this service based on state law; see our chart below for further details. A security freeze remains on your credit file until you remove it or choose to lift it temporarily when applying for credit or credit-dependent services.
You can place these freezes with each of the credit agencies online:
  1. At Experian
  2. At TransUnion
  3. And the bastard Equifax
  4. New! Now there's a fourth, Innovis
  5. New! And another, just for bank accounts, ChexSystems
There will likely be a nominal fee for placing these freezes --- around $5 or so.  The amount varies from state to state.  But this is money well spent if it heads off identity theft (though, sadly, it will not eliminate other threats, like the ones referenced in the USA Today article).  And in most states, once a freeze goes into effect, it stays in effect permanently, unless you choose to remove it or temporarily lift it.  So there's a one-time fee to start the freeze, and then there will likely be an additional small fee each time you need it lifted so you can open a new bank account or credit card for yourself.

Another option is to pay for credit monitoring.  In this scenario, crooks can still obtain credit in your name, but you'll be alerted to it when they do.  Personally, I would rather lock the door than have an alarm go off after the crook is in the house.

You should also know that in the tradition of true corporate sleazebags, Equifax was briefly offering free credit monitoring to affected customers, but the fine print stated that by accepting the credit monitoring, you gave up your right to sue Equifax and agreed to settle any dispute via arbitration.  Apparently Equifax has been shamed off of this, but in any case, I think it's worth the $5 to protect myself without giving up the right to sue.

Finally, most places are recommending that you check your credit report on a regular basis to catch any fraudulent activity early.  This is good advice, but it may be costly.  I believe that by law U.S. consumers are only entitled to one free credit report per year, so checking monthly (say) will start to add up.  And the worst part is, the money we pay for these credit checks will go straight into the pockets of Equifax or the other two, all because Equifax screwed us in the first place.

Nice work if you can get it.

Update: I have now bought credit freezes for myself from all three credit agencies.  The process was quick and inexpensive, though perhaps unsettlingly easy.

Update (2/6/2018): Despite this being the largest data breach in U.S. history, exposing roughly half of the population to the risk of identity theft, Donald Trump's director of the Consumer Finance Protection Bureau has decided there's no reason to investigate Equifax over this tiny little mistake.

Making America great!

No comments:

Post a Comment