2017-10-11 / Columns

What you can do to protect your credit in the wake of Equifax


The resignation of Equifax CEO Richard F. Smith was just the latest in a series of missteps by one of the world’s largest credit reporting agencies following the revelation that highly personal financial and identity data on more than 140 million Americans was compromised by hackers. The company kept the data breach secret for several months before disclosing it, and failed terribly in its crisis response efforts in multiple ways.

First, the firm disclosed that at least two senior executives exercised stock options after the breach was discovered but before the stock collapsed after the theft was revealed, earning them millions in profits.

Then, the company set up a website for consumers (who, by the way, are NOT Equifax’s customers, but their product) to see if their information was compromised. The crisis website was a failure on several levels. First, it was set up on a separate domain name that did not have a secure digital identity connected to Equifax, and it asked consumers to enter six digits of their Social Security numbers to determine if their information had been compromised.

Trusting a company with personal information on an insecure server after they already lost your personal information struck many observers as inappropriate.

It became worse when it was revealed by tech experts that you could enter pretty much any name and any random six digits and be assured that your information was indeed compromised. In a final indignity, another tech expert set up a site with a similar name to the Equifax breach site, and then managed to get Equifax to share the bogus site on its own social media platforms for several days, giving the firm one more black eye.

And of course, in the early stages of the breach disclosure, Equifax was offering people one year of credit monitoring, as long as they provided a credit card to be charged for renewal after one year—but of course the theft of their information is a permanent situation. The firm also expected people who signed up for the credit monitoring to sign an agreement waiving their right to sue Equifax. The company later issued a statement assuring people that the litigation waiver didn’t apply to this breach, but conspicuously did not remove the language from the online agreement.

The takeaway for consumers is to be vigilant about who has access to your credit information. Equifax and the other three credit reporting firms, TransUnion, Experian, and Innovus (the small one that most people don’t know), all have online processes where you can request a fraud alert on your credit report. That’s OK, but many experts have suggested that you simply request a permanent credit freeze on your account, which prevents third parties from accessing your credit information. If you don’t have an immediate need to apply for credit cards or loans, this is the most reliable solution.

Frankly, it would have been most logical for Equifax and the other agencies to simply freeze everyone’s credit report, and then invite people to unfreeze it. But that would cost them billions in revenue, because they can’t sell your data to their customers if the report is frozen.

So far, I’ve managed to freeze my credit on three of the four agencies. They give you a secret personal identification number that you use to “unfreeze” the report if you apply for credit, but this seems like a small inconvenience for the peace of mind of knowing that thieves can’t turn your data into a new identity.

Be sure to apply credit freezes to your spouse/partner’s accounts as well. Anyone with a Social Security number will have a report with these agencies.

In future columns, I’ll look at some of the subscription services that promise to monitor your identity and credit to prevent fraud. If you have any questions or experiences with data security that you’d like to share, email me at steve@compuschmooze.com. Follow @PodcastSteve on Twitter. 

Return to top