Equifax Versus Pretty Much All of Us

Guess what?  You are scuuuuh-REWED!!!

Let’s set the record straight right up front. 143 million people had their personal information stolen in the Equifax breach. The entire US population is 324 million. It is estimated there are 125 million households in the United States. The odds of your information being safe and sound are about nil. Zip. Zero. Zilch.

And check out this little nugget of situational illumination.

It is actually much worse than you think. Out of the 324 million people living in the United States, how many of you do not have a credit history? Subtract that number and you quickly realize that anyone who has transacted any type of non-paper (read as ‘not foldin’ money’) financial business in the United States has probably had their information stolen.

How bad is this? Can we simply freeze our credit and reset our situation back to normal?

We don’t know exactly what has been stolen, but we can make a reasonable guess based on news reports. Let’s start by examining the information criminals have likely obtained in light of individual record content:

  • Name
  • Social Security Number
  • Birth Date
  • Address
  • Credit History
  • Driver’s License or Identification number (in some cases)
  • Possibly your primary or cell phone number

Now think about this…have you ever needed to call a bank but you did not have the account number? What about a credit card company? What about a cell phone carrier? Do you know how they verify you? Look at the above list. They probably ask you to verify your identity using that information.

What can attackers do with this type of information? Let’s examine the common actions that could be taken:

  • Open up new financial accounts (banks, credit cards, etc.)
  • Apply for new loans
  • Change your address

Sure, a credit freeze may help block some unauthorized activities. However, there are many things a credit freeze will not protect you from, such as:

  • Attackers could use social engineering to withdraw funds from your bank account
  • They could open new accounts in existing institutions where new credit checks are not performed
  • They could replace your cell phone SIM to get a cloned number and steal 2-factor authentication codes
  • The bad guys could initiate harassment directly to your home address

However, no need to panic. Equifax is offering free credit monitoring! They are completely confident that attackers will simply give up after a year or two because by then this will certainly all be over. By the way…the free credit monitoring is provisioned through…[CUE DRUMROLL]…AN Equifax service. I wonder what the turn-over rate will be? Surely quite a few customers will continue to pay Equifax after the free trial expires, won’t they?

Now then…seriously?!?!?!? Would you let an idiot that dropped your priceless Ming Dynasty vase also wash and wax your Bentley?

Even if we cut some serious slack and say that Equifax has the best of intentions, I am not sure how I could truly trust any company that lost my personal information to suddenly jump in to protect me.

Here’s a point to think about in terms of executive due diligence and direct responsibility…

This happened back in July. Equifax executives kept it quiet, giving criminals additional time to analyze and illegally use our information. This was not simply a case of them ‘sorting things out’. Keep in mind, this is strictly my opinion. You should have your own, based on facts. We are not a news site, and these editorials are really just a mad man and his personal, non-factual opinion.

In my opinion, this smells of negligent executive behavior in light of them knowing they allowed the complete compromise of personally identifiable information that was entrusted to them (granted I don’t know exactly what the legal definition of negligent behavior is, and I am not accusing anyone of doing anything illegal or unethical).

However, it seems like Equifax did nothing to notify the public when the breach occurred. Sure, an investigation may have been taking place. However, now is the time to be fully transparent and also show us exactly what the investigation revealed.

We are talking five (5) months of complete silence after the event.

I am not accusing Equifax of any wrongdoing. There is plenty of talk of some very serious class action lawsuits gaining momentum that will bring to light the details of what appears to be, allegedly, irresponsible behavior.

Equifax fired the Chief Information Officer and Chief Security Officer, which seems to be indicative of making heads roll for the sake of showing a false and shallow display of concern. Keep this in mind…they were fired only after media noise got to a certain level. More than five months after the breach.

Equifax initially buried in their terms of service specific language that prohibited those who enrolled in the Equifax monitoring program from participating in a class-action lawsuit!

Here is the relevant passage:

“AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.”

Right now I do not see any evidence that Equifax is taking this breach seriously. Nor do I see strong evidence that they need to be in the credit reporting business.

Let’s take a look at the actions of 3 top executives at Equifax: The Chief Financial Officer, The President of Information Solutions, and The President of Workforce Solutions. All 3 of these individuals sold stock on August 1st, 2017.

That is the Tuesday after the Saturday on which this breach was discovered.

The Equifax executives are claiming they were not aware of the breach when they sold the stock.

Now seriously… these individuals were NOT aware of the breach on the Tuesday after the Saturday when the breach was discovered? The President of Information Solutions was not aware of the breach?

I personally have a very hard time believing these individuals were not aware of the breach shortly after it was discovered. Another possibility… maybe they knew about the breach, and were okay with what appears to me, in my opinion, as insider trading, possibly screwing over the stock purchasers so they did not personally suffer.

Once again, I am not accusing anyone of any wrongdoing or implying anything inappropriate or unethical took place.

SO…WHAT TO DO

Step 1: Use a credit monitoring service.

What would I do to protect my credit? Try using a reputable credit monitoring system. There are dozens of good companies, including LifeLock, PrivacyGuard, IdentityGuard and many more.

Step 2: Freeze your credit.

This is one of the most effective and also one of the most difficult things to do. Essentially your credit is locked. You cannot apply for new credit, and credit inquiries from 3rd parties cannot be performed. You are assigned a PIN number and must use that if you want to unlock your credit freeze, or temporarily lift it. There is one more catch. It costs money every time you freeze or unfreeze your credit. In other words, if you are going to freeze it, you should plan on keeping it frozen for a bit. Or don’t, and possibly make it rain up in their coffers.

Optional Alternative: You can also set up credit fraud alerts instead of freezing your credit. That means you get a phone call every time you apply for credit, and you have to authorize it.

Step 3: Identity restoration service.

I would also recommend that you consider Zander Identity Theft Insurance. Unlike credit monitoring services, Zander is full identity restoration. The time and pain of identity theft come from dealing with all the government agencies, financial institutions, and other places to restore your good name. The specialists at Zander claim to do exactly this.

Step 4: Use good cyber security hygiene.

This is the common sense stuff. Consider:

  • Using random usernames and passwords coupled with multi-factor authentication for your financial institutions
  • Not using unencrypted, open WiFi access points
  • Monitoring your credit and personal info

IN SUMMARY 

Unfortunately, we won’t really realize the full impact of the data breach for a few years. The US is lacking in privacy laws; some think this is to better enable business, others think it enables government collection of personal information. Regardless, it is extremely unfortunate that we don’t have better regulatory oversight and stronger cyber security laws, with sturdy standards of enforcement. This is particularly true when it comes to companies handling our most valuable data, such as credit reporting agencies. Such as Equifax.