If anything could be worse than half of the adults in the country having their personal and credit information hacked and stolen, it could be the way the company from whom it was stolen has handled it. Equifax, one of the nation's three major credit reporting companies, was the target of hackers this spring and, by all accounts, is more concerned about its bottom line than its customers' security.
What should be the most important details of the story are that the intrusion took place between May and July of this year and the credit records of 143 million people may have been affected. To put this in perspective, the Census Bureau estimates the population of the U.S. is 321 million.
Thieves took Social Security numbers, birth dates, addresses as well as driver's license numbers. In some cases, they also accessed secret security questions and answers (e.g. who is your favorite Sesame Street character?), which would allow the perpetrators to alter account settings or change passwords.
In addition, according to a company statement, they also gained the credit card numbers for 209,000 consumers, including "dispute documents with personal identifying information for approximately 182,000 U.S. consumers." In addition to the millions of American consumer accounts there were also an unknown number of UK and Canadian accounts involved in the hack.
What is rapidly becoming the main topic of news coverage, however, is the way Equifax has performed. Quite apart from the fact that this personal and financial data was held in a way that was not immune from attack, there appears to be a lot to criticize. First, although thieves were rifling through the company's database starting in May and were apparently either first noticed or their access was cut off in July, the public was not informed until last Thursday. That is a long time to allow those who now have the data the freedom to make mischief with it.
The LA Times' Michael Hiltzik says this wasn't the largest case of data theft in history, Yahoo's breach involving a half-million consumers gets that honor, but there are elements, in addition to the breadth of the data and the delay involved, that make it much worse than the usual, including "the signal it sends that firms like Equifax are much more concerned about collecting personal information than protecting it."
Hiltzik claims "Equifax already is trying to take advantage of the victims of its own breach," and CNBC's Sharon Profis reports that, for now, "Equifax doesn't explicitly tell you if you were a victim, and in 99.99 percent of cases (yes, literally), it won't notify you by direct mail." To check to see if their information was compromised, a consumer must visit a new website and enter their last name and the last six digits of their Social Security number.
Hiltzik says the Equifax site also invites users to sign up for Equifax's "TrustedID Premier" credit monitoring service which it is offering free for a year to the victims. But, he says, "Not only is that woefully inadequate, since hackers can exploit stolen personal data for many years, but it gives Equifax a lucrative database of possible customers to be sold continuing subscriptions for the service after the year is expired - at a price currently set at $19.95 a month. In fact, he says, enrollment in the service typically requires customers to provide Equifax with a credit card number, which the firm uses to automatically bill them after the free trial is over."
He also points out that the TrustedID terms of service require those enrolling to waive their right to sue Equifax and prevent them from filing or joining a class action suit. If there is any dispute they must enter arbitration as an individual.
We noted on Saturday that Equifax had started running television ads for what it calls its "Dark Web Scan." To access the service a consumer must provide a valid email address and agree to allow the company to use it for marketing purposes. The terms of service also include an arbitration clause.
Bloomberg reports that within days of the discovery of the breach and long before it was publicly disclosed, three of the company's executives sold company stock, collecting $1.8 million from the sales, which weren't part of any prearranged option-exercise programs. Equifax maintains the executives involved were not aware at that time of the breach. However, Hiltzik points out that one of the sellers was John Gamble, the firm's CFO.
Profis says, in the absence of information to the contrary, consumers should presume their data has been hacked and take appropriate action. People who don't regularly monitor their credit reports should begin doing so. Everyone is entitled by law to one free report a year from each of the three major credit bureaus and these can be accessed here. It is also possible to freeze individual accounts so no new credit can be authorized without permission. This does require the consumer to remove the freeze when they anticipate applying for any new accounts.