Consumers must demand answers on Equifax data breach
Until murky details are cleared up, follow best practices for protecting personal information
By Bob Sullivan, ThirdCertainty
Equifax needs to start answering questions, fast. And this better be a turning point in consumer rights around use and storage of their personal information.
The credit-reporting firm was hit in July by what could reasonably be called the worst theft of consumer data ever. I say “reasonably” because we barely have a sniff of what happened. Despite having more than a month to craft a statement (and why did it take that long?), Equifax told its victims almost nothing on Thursday.
It’s not even clear from the PR-worded statement that 143 million Social Security numbers were stolen, though that’s the clear implication. All we know is most Americans are “potentially” impacted. A bunch of driver’s license numbers were stolen, too.
Really, all we know is that criminals stole “certain files,” with 143 million people potentially impacted. That’s not nearly good enough. Victims are then told to go to a poorly constructed website that really does look like a site set up by a criminal.
Equifax ‘help’ unacceptable
Once at the Orwellian-named EquifaxSecurity2017, consumers are told to enter most of their Social Security number and last name and see if they are in the dataset that was stolen. But the responses are wildly unsatisfying. Readers tell me they range from “check back again soon” to “you’re a winner” to “sorry, you weren’t hit, but you can get a free credit monitoring and ID theft-related service anyway.”
If you’re like me, you’re wondering if this might be a clever marketing ploy to upsell Equifax’s TrustedID Premier. Will victims be auto-enrolled for a monthly fee at some later point?
Victims’ rights unclear
Meanwhile, TrustedID signup requires that consumers agree to one of those nasty rip-off clauses that make them waive their right to join a class-action lawsuit. Would that waiver apply to this incident? I would hope not, but I’d sure not want to give a judge a chance to tell me I’m wrong.
We need answers to questions like these: Who were the hackers? What were their motives? What exactly was stolen? What is the chance something bad will happen to me? Why did you wait more than a month to tell me? And finally, the big one:
Protection service moot
What good will one year of your ID theft protection service do if a clever criminal has my Social Security number? SSNs are forever. One year of free service is the most token of token gestures.
It’s hard to believe anyone at the firm, after having a month to contemplate the impact of this hack, believed yesterday’s announcement would be sufficient. Consumers deserve answers now. Consumer lawsuits already have commenced. Congressional hearings should be held.
Companies must face real consequences
Most of all, real consumer protections need to be put in place with real pain for companies that engage in this kind of behavior. A token fine and a temporary “gift” of credit monitoring-plus is no punishment at all.
As a postscript to this story, here’s something you should know that was happening yesterday in the halls of Congress. A House committee was debating a bill that would limit consumers’ ability to sue credit bureaus and cap potential damages—and end punitive damages. The Orwellian name for that legislation is the “FCRA Liability Harmonization Act and the Facilitating Access to Credit Act.”
Be wary when taking next steps
It’s still an OK idea to visit the Equifax site and see if you are in the at-risk pool. Doing so won’t do much for you, however. At the moment, I don’t recommend signing up for the firm’s ID theft service, at least not until we get more clear answers. Instead, do the things you should always do:
• Get a copy of your credit report every year
• Watch your mail for anything suspicious
• Check all your bank accounts at least weekly for signs of fraud
• Get your annual SSN benefits statement online and look for anything unusual
• Consider putting a security freeze on your credit file. The rules are different in each state.