Bamboozled September 14, 2017: Why the Equifax hack is a really, really big deal

We’re guessing you’ve heard all about the giant data breach at Equifax, the credit reporting company.

It’s a doozy.

By any standards, it’s probably the most important hack we’ve ever seen, affecting, according to Equifax, some 143 million consumers. That’s well over half the population of the United States.

There was a lot of confusion when the news first came out. The company’s press release wasn’t exactly transparent, and it led to a lot of questions among consumer advocates.

Many of those questions remain, and we expect it will take some time before consumers get better answers.

We wanted to give you, dear readers, the best answers available today, so we turned to Bob Sullivan, a Jersey transplant and one of Bamboozled’s consumer heroes. Sullivan has written several books and he writes consumer columns — he’s our kinda guy.

Here’s some of what he had to say about the Equifax mess:

Bamboozled: How is this data breach different from others we’ve seen?

Bob Sullivan: It’s both the size of the hack and the “quality” of the data stolen. Sure, some hacks have been “bigger” – Yahoo lost a billion email addresses and passwords. But Social Security numbers are the keys to the ID kingdom, so this Equifax hack is probably the most important consumer data theft ever.

B: Equifax set up a website to help consumers, but critics say there’s a lot wrong with the site. What’s the deal?

BS: There’s a lot wrong with the site, though much of it has been fixed. First, the domain — — looked like an email phisher’s domain. Then, the terms and conditions on the site seemed to suggest users waived rights to sue the company. Initially, people who signed up for the firm’s “free” mea culpa offer were in danger of being auto-enrolled in a paid product after the free trial ended. In addition, users were supposed to enter some information and find out if they were among the victims, but entering “dummy” data returned positive results, suggesting the entire system wasn’t really working. Equifax has clarified its terms and says the data check tool is now working. I wouldn’t be so sure.

B: Critics say Equifax’s offer for free credit monitoring is tricky for consumers. Why?

BS: There were concerns about the class action waiver — the “ripoff clause” — and about the auto-enroll. Equifax has changed the terms on the site to say the waiver doesn’t apply to the data leak, but I still wouldn’t want to argue that point in front of a judge some day. Not sure how much I trust Equifax not to use this incident as an upsell, either. Finally, while ID theft protection can be helpful, it sure seems like a token gift given what happened.

B: Arbitration clauses hidden in fine print have been under fire for some time. Is it fair for consumers?

BS: No, it’s terribly unfair. There’s been a decade-long effort to ban class action waiver language in so-called standard-form contracts – the usual fine print consumers face when they sign up for almost anything. It worked, and the Consumer Financial Protection Bureau is on the verge of banning these ripoff clauses. The bureau’s future is in doubt under the Trump administration, however, so stay tuned.

B: So should we sign up for the offer?

BS: I would wait a week or two and see if additional information emerges. There’s no harm in waiting, and that way, you’ll probably get some clarity about what’s really in the offer.

B: What steps should we take to protect ourselves?

BS: First, go get a copy of your credit report from one credit bureau at and put a mark on your calendar to get another one in about three months.

Next: Watch your mail for anything suspicious; check all your bank accounts at least weekly for signs of fraud; listen closely when applying for a loan or a government benefit for any signs that someone else might be using your SSN. Also, get your annual SSN benefits statement online and look for anything unusual (you have to get it online now; it used to be mailed. Do that here.)

Finally, consider putting a security freeze on all your accounts. This is the most serious, but most proactive, step you can take in the wake of the hack. But take this step with great care. If you plan to shop for a car loan or a home loan any time soon, you probably shouldn’t do this. Security freezes lock credit report files so no one – not even you – can open a new credit account in your name. But note: Freezes generally cost money (rules vary by state), and they can be a hassle. When it comes time to get a mortgage or an auto loan, consumers sometimes don’t remember the procedure to “thaw” their reports. Others who move or experience other personal information changes, like marriage-related name changes, have reported similar frustrations. So if you go this route, store the associated PIN and other information about how to thaw your account very carefully.

TransUnion has a handy grid showing you the varying fee levels, by state and consumer criteria.

B: What about Equifax executives who reportedly sold company stock before Equifax went public with the news?

BS: It certainly looks bad. Were the trades somehow scheduled before the incident was discovered? Not officially, anyway, but that is a possible explanation. On the other hand, we’ve been told the executives didn’t know about the hack on the day the trades were made. What executive wouldn’t know about such a serious incident at their company?

B: Anything else you’d like to add?

BS: Just keep your eyes wide open. View any emails you get about this – from Equifax, or a potential hacker – with great skepticism.

To read more of what Sullivan has to say on this and other consumer topics, check out his website.