Equifax Data Breach and ID Theft

On its website, Rich Smith (Chairman and CEO) apologizes and offers free ID Theft Monitoring and Credit File monitoring for “All US Consumers”.  It is commendable that he is out in front and facing this challenge head on, but I must ask, “why did it take so long for Equifax to report the breach”?  As many of us have learned in our careers, “unlike wines, bad news does not get better with old age”.  The massive data breach was reported on Sep 7, 2017; however, the actual breach “occurred from mid-May through July 2017”.  This is troubling because in the time between the breach and disclosure, many US consumers could have become ID Theft victims.

143 million US consumers – stolen SSN, birthdates, addresses, and driver’s license numbers in some instances.

209,000 US consumers – stolen credit card numbers.

182,000 US consumers – dispute documents with personal identifying information.

Unauthorized access to “limited” personal information for “certain” UK and Canadian residents.

As a concerned consumer, I clicked on the bottom left link (potential impact) using the Chrome browser, and I was presented with a warning from Google Safe Browsing about “deceptive site ahead”.

In trying to understand the “deceptive site ahead” message, I came across this Ars Technica report that “the website which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.”

Due to the above issues with the website, Cult of Mac is recommending that we “not use the website that Equifax has set up to determine if your data has been potentially accessed until it is more secure. Instead, it’s safer to assume that you probably have been impacted if you’re an Equifax customer in the U.S.”

Another concern that has surfaced is that once you sign up for the TrustedID credit monitoring service, “the site’s terms of service seems to state that by agreeing to use this service, the user is waiving his/her rights to bring a class action lawsuit against Equifax” as reported by TechCrunch.  The arbitration section is copied below for reference:

**Update – Equifax updated its website to announce “NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”**

Except as otherwise expressly provided in this Agreement, all claims, disputes, or controversies raised by either You or TrustedID, Inc. arising from or relating to the subject matter of this Agreement or the Products (“Claim” or “Claims”) shall be finally settled by arbitration in the county (or parish) where you live or where You and TrustedID, Inc. otherwise agree using the English language in accordance with the Arbitration Rules and Procedures of JAMS then in effect, by one commercial arbitrator with substantial experience in resolving complex commercial contract disputes, who may or may not be selected from the appropriate list of JAMS arbitrators.

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.

ID Theft is highly disruptive and time consuming to resolve – it is something I would not even wish upon my worst enemy.  Bankrate has an article about a “57-year-old New York City resident [who] is still struggling [in 2015] to have 11 fraudulent accounts — and the thousands of dollars owed on those accounts — removed from her credit reports [without success].”

My wife and I have personally experienced the horror in trying to clear up ID Theft issues due to the complex dispute and resolution process.  We even had the IRS reject our tax return because a fraudster filed a tax return fraudulently using my wife’s SSN before we filed our joint return.  Getting a live IRS person was impossible, and we had to resolve our case using “snail mail” to send notarized forms to the IRS.  With all the technology available, how was it that the IRS accepted a “single status” fraudulent return with a “different address” when we have been filing “joint returns” since we got married??  We demanded to know what address was used, but the IRS would not release that information to us – to this day, we do not know what enforcement action was taken against the fraudulent filer.  To add salt to the wound, the case resolution normally takes 120 – 180 days!

I highly recommend that ID Theft victims request to be placed in the IRS ID Protection PIN program to “annually receive a new, six-digit IP PIN that must be entered on the tax return”.

USA Today reports that “About 1 in every 16 U.S. adults was a victim of ID theft last year (6.15%)” with losses totaling $16 billion!

Moneyish published a great article on protecting yourself from the data breach.  Here are the steps to take and/or consider:

Place fraud alerts on your credit reports (I highly recommend this)
Check your bank and credit card statements
Take internet subscription inventory
Make a habit of checking your accounts (as often as you check your social accounts)
Get IRS ID Protection PIN (note: I added this last one to the list)

**Update 9-11-2017  Another misstep that has since been corrected.  Credit freeze PIN number assigned by Equifax is in the format MMDDYYHHMM (time stamp) generated from the date and time of when you requested your credit freeze “instead of random digits”.  After this information was made public, Equifax announced that “all consumers placing a security freeze will be provided a randomly generated PIN”.  If you requested a credit freeze from Equifax after the breach was announced (Sep 7-Sep 11), please call Equifax to request a random PIN number.**
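The PIN weakness described in the update above, as an added example (not Equifax's code): it compares how many distinct PINs a minute-resolution MMDDYYHHMM scheme can issue in the Sep 7 – Sep 11 window with a PIN drawn from a CSPRNG, and includes an audit check for timestamp-shaped PINs. The function names, the 10-digit length of the random PIN and the sample request time are assumptions.

```python
import math
import secrets
from datetime import datetime


def timestamp_pin(requested_at: datetime) -> str:
    """Weak scheme from the post: the PIN is the request time, MMDDYYHHMM."""
    return requested_at.strftime("%m%d%y%H%M")


def random_pin(digits: int = 10) -> str:
    """Corrected scheme: every digit drawn from the OS CSPRNG (length assumed)."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_keyspace(start: datetime, end: datetime) -> int:
    """Distinct PINs the weak scheme can issue in [start, end], one per minute."""
    return int((end - start).total_seconds() // 60) + 1


def entropy_bits(keyspace: int) -> float:
    """Bits of uncertainty if every value in the keyspace is equally likely."""
    return math.log2(keyspace)


def looks_like_timestamp_pin(pin: str, start: datetime, end: datetime) -> bool:
    """Audit check: does an issued PIN decode to a minute inside the window?"""
    if len(pin) != 10 or not (pin.isascii() and pin.isdigit()):
        return False
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        decoded = datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:  # e.g. month 73 or hour 31: not a timestamp
        return False
    return start <= decoded <= end


if __name__ == "__main__":
    # Window named in the post: freezes requested Sep 7 - Sep 11, 2017.
    start, end = datetime(2017, 9, 7, 0, 0), datetime(2017, 9, 11, 23, 59)
    weak, strong = timestamp_keyspace(start, end), 10 ** 10
    print(f"timestamp PINs in window: {weak} (~{entropy_bits(weak):.1f} bits)")
    print(f"random 10-digit PINs:     {strong} (~{entropy_bits(strong):.1f} bits)")
    sample = timestamp_pin(datetime(2017, 9, 8, 14, 32))  # constructed request time
    print(sample, looks_like_timestamp_pin(sample, start, end))
```

An issuer can run the audit check over PINs it has already handed out to find the ones that need to be reissued as random values.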

Other resources:

FTC Report ID Theft

Social Security Administration ID Theft

IRS Tax Payer’s Guide to ID Theft
