Consumers must demand answers on Equifax data breach

Until murky details are cleared up, follow best practices for protecting personal information

Equifax needs to start answering questions, fast. And this better be a turning point in consumer rights around use and storage of their personal information.

Bob Sullivan, journalist and one of the founding members of

The credit-reporting firm was hit in July by what could reasonably be called the worst theft of consumer data ever. I say “reasonably” because we barely have a sniff of what happened. Despite having more than a month to craft a statement (and why did it take that long?), Equifax told its victims almost nothing on Thursday.

It’s not even clear from the PR-worded statement that 143 million Social Security numbers were stolen, though that’s the clear implication. All we know is most Americans are “potentially” impacted. A bunch of driver’s license numbers were stolen, too.

Really, all we know is that criminals stole “certain files,” with 143 million people potentially impacted. That’s not nearly good enough. Victims are then told to go to a poorly constructed website that really does look like a site set up by a criminal.

Equifax ‘help’ unacceptable

Once at the Orwellian-named EquifaxSecurity2017, consumers are told to enter most of their Social Security number and last name and see if they are in the dataset that was stolen. But the responses are wildly unsatisfying. Readers tell me they range from “check back again soon” to “you’re a winner” to “sorry, you weren’t hit, but you can get a free credit monitoring and ID theft-related service anyway.”

If you’re like me, you’re wondering if this might be a clever marketing ploy to upsell Equifax’s TrustedID Premier. Will victims be auto-enrolled for a monthly fee at some later point?

Victims’ rights unclear

Meanwhile, TrustedID signup requires that consumers agree to one of those nasty rip-off clauses that make them waive their right to join a class-action lawsuit. Would that waiver apply to this incident? I would hope not, but I’d sure not want to give a judge a chance to tell me I’m wrong.

We need answers to questions like these: Who were the hackers? What were their motives? What exactly was stolen? What is the chance something bad will happen to me? Why did you wait more than a month to tell me? And finally, the big one:

Protection service moot

What good will one year of your ID theft protection service do if a clever criminal has my Social Security number? SSNs are forever. One year of free service is the most token of token gestures.

It’s hard to believe anyone at the firm, after having a month to contemplate the impact of this hack, believed yesterday’s announcement would be sufficient. Consumers deserve answers now. Consumer lawsuits already have commenced. Congressional hearings should be held.

Companies must face real consequences

Most of all, real consumer protections need to be put in place with real pain for companies that engage in this kind of behavior. A token fine and a temporary “gift” of credit monitoring-plus is no punishment at all.

As a postscript to this story, here’s something you should know that was happening yesterday in the halls of Congress. A House committee was debating a bill that would limit consumers’ ability to sue credit bureaus and cap potential damages—and end punitive damages. The Orwellian name for that legislation is the “FCRA Liability Harmonization Act and the Facilitating Access to Credit Act.”

Be wary when taking next steps

It’s still an OK idea to visit the Equifax site and see if you are in the at-risk pool. Doing so won’t do much for you, however. At the moment, I don’t recommend signing up for the firm’s ID theft service, at least not until we get more clear answers. Instead, do the things you should always do:

• Get a copy of your credit report every year
• Watch your mail for anything suspicious
• Check all your bank accounts at least weekly for signs of fraud
• Get your annual SSN benefits statement online and look for anything unusual
• Consider putting a security freeze on your credit file. The rules are different in each state.
