Published By Janet Gershen-Siegel at September 12th, 2017
As the news continues to come out from the Equifax data breach, one thing is for certain in a sea of uncertainty – it will affect a lot of people. You may want to think about starting a credit freeze.
There are about 255 million adults in the United States, as of the date of updating this blog post (January 5, 2021). Equifax estimates their 2017 data breach affected some 143 million persons, although some of those people were citizens of the UK and Canada.
In addition, it is possible that a fraction of those affected are under the age of 18. But that figure is probably not too high. For example, consider that a 17-year-old girl might get her first gas card. But it’s highly, highly unlikely that a 5-year-old even knows what credit is.
Therefore, if we operate under the assumption that about 140 million of the affected people are American adults, then the breach is affecting over half of all of the adults in the United States. Hence the prudent assumption is that you are in that group.
Furthermore, the Equifax site itself seems unreliable. Security news and investigation website Krebs on Security reported that initially some people got different answers from the Equifax website (with respect to whether they were on the affected list of people or not) if they switched from a desktop to the mobile version of that site.
Still others did not get a yes or no answer at all. Instead, they just got an offer of credit monitoring. Plus many sites reported that you could enter random names and numbers and the site would return an answer.
The response felt haphazard and ill thought out. And years later, it still looks that way.
Equifax had numerous issues with the breach, not the least of which had been its handling of the matter.
A few days after reporting on the breach, Equifax had fine print on its credit monitoring sign up page. It told concerned consumers that by clicking to get free credit monitoring for one year, they were also automatically forfeiting their rights to sue the company for damages sustained due to the breach. This understandably caused an outrage. So the company dialed it back, changing it to no waiver of a right to sue. There is a settlement, by the way.
And that was a good thing, too: virtually every judge out there dislikes a waiver of the right to sue (called a ‘covenant not to sue’). Covenants not to sue get strict interpretations if they are okay at all. And they are more likely to be okay if the following conditions apply:
Neither circumstance applied here. The attempts at forcing forfeitures were hard to spot and the company did not spell out that anyone selecting the year’s worth of free credit monitoring was giving up anything or paying any sort of hidden charges, monetary or otherwise. Furthermore, the parties were not on an equal footing at all. Equifax presented the waiver as a ‘take it or leave it’ proposition.
Technology news provider Ars Technica found that the EquifaxSecurity2017 site was first a regular old WordPress blog, and did not have enterprise-level security. So that is something which should have been a given, considering the breach and the fact that the site was holding names and Social Security numbers. Plus the domain name isn’t even registered to Equifax – it’s registered to a company called Mark Monitor (this is still true in 2022). Krebs on Security said the first registration name on the site was Edelman PR. Therefore, it is safe to presume that the registration of this site changed hands. In less than three days.
Beyond the question of possible insider trading, Krebs on Security also said the company bought and registered the equihax.com domain on September 5, 2017 (two days before the public announcement of the breach) by one Brandon Schondorfer (in 2022, this domain registration belongs to Mark Monitor; are you noticing a pattern yet?). Now, why did they buy that domain?
This happens as a proactive measure when a company is about to announce bad news. For all of the companies which never claimed their company name + sucks.com, this can be a smart move. However, here the timing is suspect.
But the company was right about one thing: people used the equihax term as a hashtag on Twitter. As you might expect, Twitter was not kind about this.
So even more people are considering starting a credit freeze, and for good reason.
It is becoming clear that putting a credit freeze on your account is the best way to go. A credit freeze means that every time someone (including you) wants to open up another credit account or get a loan, you need to use your PIN to temporarily unlock your account. Obviously, you don’t do an Equifax unfreeze for thieves.
Keep your PINs safe and secret, of course. You can take off the freeze permanently if you want to, and some of the services allow you to preemptively remove a freeze on a credit inquiry, which you might want to do if you’re buying a car or the like and know which company will be making the inquiry.
Credit freezes do not prevent identity theft, but they do make life harder for thieves. And with so many accounts to choose from, the frustration and slowdown caused by your credit freezes might be enough for a thief to move on to the next of 143 million names on his or her list.
Or not. According to the New York Times, possible uses for this data were not just getting credit cards fraudulently, but also people going to the emergency room and using your medical benefits, or thieves submitting a tax return for you on January 2 (and not out of the goodness of their hearts) to steal your refund.
Starting a credit freeze due to the Equifax breach is easy but it will take a bit of time. Plus all of these services were overwhelmed at the time. But it’s still a good idea to be patient.
Equifax (free): https://www.equifax.com/personal/credit-report-services/
Experian (site kept crashing in 2017 but I eventually got through): https://www.experian.com/freeze/center.html
TransUnion ($5 or free, depending on your state): https://www.transunion.com/credit-freeze
Innovis (not as big as the others, but this is easy and you might as well): https://www.innovis.com/personal/securityFreeze
All of these steps were fast; the entire process, including printing forms (and even changing ink cartridges) took me maybe an hour and a half. In 2022, it’s no longer necessary to mail in your documentation to Innovis; you can do the process online now.
On February 10, 2020, the Boston Globe reported that Attorney General William Barr and the United States Justice Department were charging four members of China’s military on suspicion of the 2017 hack into Equifax.
The Attorney General noted there have been any number of data thefts by the Chinese military in recent years. These thefts have been of sensitive information such as identifying American intelligence officers. One use of Equifax’s financial data could be to find out if any intelligence officers have money issues – and would thereby be subject to bribery or blackmail.
Note: because all of that came before the pandemic in the US, it understandably took a back seat to both Covid-19 and the 2020 election.
With the Russian attack on Ukraine, it is pretty safe to assume that one of the battlegrounds will be cyberspace. Do yourself and your credit score a favor and lock down your credit reports and your passwords.
In 2022, with the benefit of a few years’ worth of hindsight, the biggest lesson is probably: be vigilant.