On its website , Rich Smith (Chairman and CEO) apologizes and offers free ID Theft Monitoring and Credit File monitoring for “All US Consumers”. It is commendable that he is out in the front and facing this challenge head on, but I must ask, “why did it take so long for Equifax to report the breach”? As many of us have learned in our career, “unlike wines, bad news does not get better with old age”. The massive data breach was reported on Sep 7, 2017; however, the actual breach “occurred from mid-May through July 2017”. This is troubling because in the time between the breach and disclosure, many US consumers could have become ID Theft victims.
143 million US consumers – stolen SSN, birthdates, addresses, and driver’s license numbers in some instances.
209,000 US consumers – stolen credit card numbers.
182,000 US consumers – dispute documents with personal identifying information.
Unauthorized access to “limited” personal information for “certain” UK and Canadian residents.
As a concerned consumer, I clicked on the bottom left link (potential impact) using the Chrome browser, and I was presented with a warning from Google Safe Browsing about “deceptive site ahead”.
In trying to understand the “deceptive site ahead” message, I came across this Ars Technical report that “the website which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.”
Due to the above issues with the website, Cult of Mac is recommending that we “not use the website that Equifax has set up determine if your data has been potentially accessed until it is more secure. Instead, it’s safer to assume that you probably have been impacted if you’re an Equifax customer in the U.S.”
Another concern that has been surfaced is that once you sign up for the TrustedID credit monitoring service, “the site’s terms of service seems to state that by agreeing to use this service, the user is waving his/her rights to bring a class action lawsuit against Equifax” as reported by Tech Crunch. The arbitration section is copied below for reference:
Except as otherwise expressly provided in this Agreement, all claims, disputes, or controversies raised by either You or TrustedID, Inc. arising from or relating to the subject matter of this Agreement or the Products (“Claim” or “Claims”) shall be finally settled by arbitration in the county (or parish) where you live or where You and TrustedID, Inc. otherwise agree using the English language in accordance with the Arbitration Rules and Procedures of JAMS then in effect, by one commercial arbitrator with substantial experience in resolving complex commercial contract disputes, who may or may not be selected from the appropriate list of JAMS arbitrators.
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.
ID Theft is highly disruptive and time consuming to resolve – it is something I would not even wish upon my worst enemy. Bankrate has an article about a “57-year-old New York City resident [who] is still struggling [in 2015]to have 11 fraudulent accounts — and the thousands of dollars owed on those accounts — removed from her credit reports [without success].”
My wife and I have personally experienced the horror in trying to clear up ID Theft issues due to the complex dispute and resolution process. We even had the IRS reject our tax return because a fraudster filed a tax return fraudulently using my wife’s SSN before we filed our joint return. Getting a live IRS person was impossible, and we had to resolve our case using “snail mail” to send notarized forms to the IRS. With all the technology available, how was it that the IRS accepted a “single status” fraudulent return with a “different address” when we have been filing “joint returns” since we got married?? We demanded to know what address was used, but the IRS would not release that information to us – to this day, we do not know what enforcement action was taken against the fraudulent filer. To add salt to the wound, the case resolution normally takes 120 – 180 days !
I highly recommend that ID Theft victims request to be placed in the IRS ID Protection PIN program to “annually receive a new, six-digit IP PIN that must be entered on the tax return”.
USA Today reports that “About 1 in every 16 U.S. adults was a victim of ID theft last year (6.15%)” with losses totaling $16 billion !
Moneyish published a great article on protecting yourself from the data breach. Here are the steps to take and/or consider:
Place fraud alerts on your credit reports (I highly recommend this)
Check your bank and credit card statements
Take internet subscription inventory
Make a habit of checking your accounts (as often as you check your social accounts)
Get IRS ID Protection PIN (note: I added this last one to the list)
**Update 9-11-2017 Another misstep that has since been corrected. Credit freeze PIN number assigned by Equifax is in the format MMDDYYHHMM (time stamp) generated from the date and time of when you requested your credit freeze “instead of random digits”. After this information was made public, Equifax announced that “all consumers placing a security freeze will be provided a randomly generated PIN”. If you requested a credit freeze from Equifax after the breach was announced (Sep 7-Sep 11), please call Equifax to request a random PIN number.**