In this story
- Equifax has created much confusion with its announcement
- Who stole the data? How? Why? Consumers, Congress need to demand answers.
- What consumers should do now? (Probably not follow Equifax’ advice
Equifax needs to start answering questions, fast. And this better be a turning point in consumer rights around use and storage of their personal information.
The credit reporting firm was hit by what could reasonably be called the worst theft of consumer data ever in July. I say “reasonably” because we barely have a sniff of what happened. Despite having more than a month to craft a statement (and why did it take that long?), Equifax told its victims almost nothing on Thursday. It’s not even clear from the PR-worded statement that 143 million SSNs were stolen, though that’s the clear implication. All we know is most Americans are “potentially” impacted. A bunch of driver’s license numbers were stolen, too.
Really, all we know is that “certain files” were stolen by criminals, with 143 million people potentially impacted. That’s not nearly good enough.
Victims are then told to go to a poorly-constructed website that really does look like a site set up by a criminal. (To see the comedy of errors — Equifax wasn’t initially listed as the domain owner — read Dan Goodin’s story here.)
Once at the Orwellian-named EquifaxSecurity2017, consumers are told to enter most of their SSN and last name and see if they are in the dataset that was stolen. But the responses are wildly unsatisfying. Readers tell me they range from “check back again soon,” to, “you’re a winner” to “sorry, you weren’t hit, but you can get a free* credit monitoring and ID theft-related service anyway.”
(*Free for one year. Then??)
If you’re like me, you’re wondering if this might be a clever marketing ploy to upsell Equifax’s TrustedID Premier. Will victims be auto-enrolled for a monthly fee at some later point? (Has anyone ever heard of TrustedID Premier? Is there a TrusterID Standard?>)
Meanwhile, TrustedID signup requires that consumers agree to one of those nasty ripoff clauses that make them waive their right to join a class action lawsuit. Would that waiver apply to this incident? I would hope not, but I’d sure not want to give a judge a chance to tell me I’m wrong.
We need answers. To questions like these:
Who were the hackers? What were their motives? What exactly was stolen? What is the chance something bad will happen to me? Why did you wait more than a month to tell me? And finally, the big one:
What good will one year of your ID theft protection service do if a clever criminal has my SSN? SSNs are forever. One year of free service is the most token of token gestures.
As I read the description, Trusted ID Premier is pretty basic. Credit monitoring (of dubious worth) and a credit report (already free), monitoring for SSNs posted online (how much of the Dark Web is really scanned?), insurance (you might already have it) and a credit report “lock” (a freeze should be free in most states now that you are a victim).
In other words, Equifax, what are you really giving people for their trouble?
You broke it, you fix it. Do better.
It’s hard to believe anyone at the firm, after a month to contemplate the impact of this hack, believed yesterday’s announcement would be sufficient. Consumers deserve answers now. Lawsuits should be filed (that’s already started!). Hearing should be held.
Most of all, real consumer protections need to be put in place with real pain for companies that engage in this kind of behavior. A token fine and a temporary “gift” of credit monitoring-plus is no punishment at all.
As a postscript to this story, here’s something you should that was happening yesterday in the halls of Congress. A House committee was debating a bill that would limit consumers’ ability to sue credit bureaus and cap potential damages — and END punitive damages. The Orwellian name for that legislation is the “FCRA Liability Harmonization Act and the Facilitating Access to Credit Act.”
Great timing, no?
WHAT SHOULD YOU DO NOW?
It’s still an OK idea to visit the Equifax site and see if you are in the at-risk pool. Doing so won’t do much for you, however. At the moment, I don’t recommend signing up for the firm’s ID theft service, at least not until we get more clear answers. Instead, do the the things you should always do:
- Get a copy of your credit report every year
- Watch your mail for anything suspicious
- Check all your bank accounts at least weekly for signs of fraud
- Get your annual SSN benefits statement online and look for anything unusual
- Consider putting a security freeze on your credit file. The rules are different in each state. Here’s a primer
Follow this story: AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.