If you received a notice from Equifax that your personal data has been hacked, you’ll want to read this first. On September 7th, the large credit reporting agency announced that its servers had been hacked and as many as 143 million customer records may have been exposed. That’s right, almost 50% of the entire U.S. population may have been exposed. This is a biggie big data fail. Or, as the company put it:
“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed… Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information.”
So, in effect, to make up for the hassles to which you may be subjected, Equifax is offering a free one-year trial membership to TrustedID’s Premier service. Should you take Equifax up on its offer? The answer is: Probably not. First, most monitoring services, like TrustedID, only have the capability to inform you of an identity theft after it occurs. A better alternative may be a security freeze which can prevent new account fraud before it happens. Monitoring does not actually stop the opening of new accounts. You will just find out about the fraudulent accounts sooner. Monitoring services may provide a false sense of security because there may be holes in coverage.
First off, it is possible (if not probable) that any email you receive from Equifax is actually a phishing (fake) email designed to steal your personal information. It will likely look something like this:
Please know that Equifax will be contacting you by snail mail (pursuant to the law) and not by email. So do not respond to any emails.
If you go to Equifax’s website thinking that you’ll learn whether your personal records are at risk, think again. Equifax won’t give you an answer to that very important question. Instead, if you input your last name and partial SSN as they ask (against our recommendation), you’ll get a notice that looks like this:
This is just an invitation for you to open a membership with TrustedID — a credit monitoring service. Equifax never actually tells you whether your records are at risk. Essentially, they are using this news of a data breach to sign up AS MANY CONSUMERS AS POSSIBLE to this one-year deal, in the hopes that many of the consumers will automatically renew in future years. To borrow a nonlegal term: that’s slimy!
And it gets even worse. According to Bob Rankin, the Equifax website was not even registered to Equifax until the afternoon of September 10. Its implementation of TLS encryption is flawed, so connections to it may not be secure. It’s running on the free version of WordPress blogging software, which is entirely unsuitable for enterprise-grade secure applications. Those are just the highlights; there are so many security flaws in the site that OpenDNS, the Cisco-owned domain name service, blocked access to EquifaxSecurity2017.com and warned it was a potential phishing scam. Indeed, the site looks very much like something a phishing scammer would put together.
Moreover, TrustedID is not a top-of-the-line identity restoration company. Its service doesn’t rank even close to PrivacyGuard, LifeLock, IDShield, or ProtectMyID. In fact, the reason Equifax is offering this “deal” is that Equifax OWNS TrustedID. TrustedID’s services are somewhat limited. The company does not offer financial account monitoring or financial, criminal, or tax identity recovery. Additionally, it is unclear whether or not TrustedID provides Social Security number monitoring, preexisting condition assistance, or limited power of attorney. Nor does it provide its customers with antivirus software to protect information on their personal computers. Once that 1-year deal expires, you have to pay the relatively high amount of $29.95/month, for which you can cover up to two adults and four children living in the same household. You get your three-bureau credit report and scores annually, plus unlimited updates to your Equifax credit score whenever a change is reported to a credit bureau. However, those who want to monitor all three of their credit scores on a regular basis should consider looking elsewhere. Many other credit monitoring services offer far better services at half that monthly price. So, Equifax is doing little more than giving you a one-year test of its high-priced, substandard identity protection service.
Now, perhaps for the worst part of this debacle. It turns out that Equifax may make a bundle off of this hack. As reported by Fortune Magazine, Senator Elizabeth Warren, a knowledgeable consumer watchdog, accused recently retired Equifax CEO Smith of not only injuring Americans affected by the Equifax breach, but of profiting off their plight. After Smith conceded that the Equifax hack had increased the likelihood of fraud, the Senator used his own words against him: “So the breach of your system has actually created more business opportunities for you,” Warren said Wednesday at a hearing of the Senate banking committee.
For one, Warren pointed out, 7.5 million people have signed up for the free year of credit monitoring that Equifax offered following the breach, but after that, they will have to pay Equifax $17 a month to continue the service. If just one million of those people opt to do so, it amounts to an additional $200 million in revenue for Equifax, Warren said. If they all do, Equifax stands to make more than $1.5 billion extra. What’s more, LifeLock, an identity theft protection company, has said that enrollments for its service have increased 10-fold since the Equifax breach, with more than 100,000 signing up within just the first week after the hack was disclosed. But LifeLock, whose protection plans cost up to $29.99 a month, buys its credit monitoring service from Equifax—meaning that Equifax is still getting a cut of those sales, Warren said. “You’ve got three different ways that Equifax is making money, millions of dollars, off its own screwup,” the Senator said at the hearing.
The third way Equifax may benefit, Warren explained, is through the products it sells to government agencies to help them with identity verification, something that could be all the more important if the breach leads to greater identity theft, as expected. For example, it was also revealed Wednesday that the IRS just signed a new $7.25 million contract with Equifax in September, after the breach was announced. In short, the Senator argued, Equifax has far more to gain from its data breach than it does to lose, with the average victim of a data breach receiving a payout of just $2 in restitution, she said. “Consumers will spend the rest of their lives worrying about identity theft,” Warren continued. “But Equifax will be just fine—heck, it could actually come out ahead.”
In fact, perhaps the best low-cost way of protecting yourself against a data hack is through a security freeze. A security freeze locks your credit files at the three credit reporting agencies (Equifax, Experian, and TransUnion) until you unlock your file with a password or PIN. The freeze stops new accounts from being established by imposters because potential creditors are not able to check your credit report or credit score, the standard procedure when financial accounts are opened. Any potential creditors’ requests for access to your credit files will be denied. However, a security freeze cannot stop misuse of your existing bank or credit accounts. You still must check the monthly statements on your current accounts for any erroneous charges or debits. Generally, you will pay no more than $30 for a lifetime of security freeze protection. In some circumstances (identity theft victims and senior citizens in some states), this protection may be free. Caveat: with a security freeze, your credit reports cannot be seen by prospective creditors, insurance companies, landlords, utilities, or for employment screening. However, you may lift the freeze when necessary to allow a company to check your credit report. It can be cumbersome for individuals who frequently apply for credit, are contemplating a new mortgage, or who plan to change jobs.
Another free option is using a fraud alert. You are entitled to place a free fraud alert on your credit reports even if you have not yet become a victim of identity theft. You can do this by phone, online, or in writing. A fraud alert places a “red flag” on your credit reports, alerting potential creditors to take extra precautions before extending credit. Typically, creditors will call you to verify your identity before issuing any credit. The fraud alert will last for 90 days, but may be renewed on the 91st day for another 90 days. You can continue to renew a fraud alert indefinitely. An added benefit of a fraud alert is that it entitles you to free copies of your three credit reports each time the fraud alert is established. This is in addition to your right to your free annual credit reports. For more information, visit the official annual credit report website and read the Federal Trade Commission’s guide.
Some banks, credit unions, auto clubs, and other organizations offer free monitoring services with their credit cards or other services. Sometimes, they will use a free basic service as a marketing tool to “upsell” you to a fee-based premium service. Credit Karma offers free credit monitoring. Their service utilizes TransUnion, one of the three major credit reporting agencies. Credit Karma’s advertisers pay for the credit monitoring service. Consumers are not charged for the service and no credit card is required. You should be aware that the other two credit bureaus, Experian and Equifax, are not included in this service. (No endorsement implied.) You can also see both your TransUnion and Equifax credit reports and credit scores on this site at no charge. Credit Sesame also offers free credit monitoring. Their service utilizes Experian, one of the three major credit reporting agencies. Credit Sesame’s advertisers pay for the credit monitoring service. Consumers are not charged for the service and no credit card is required. You should be aware that the other two credit bureaus, TransUnion and Equifax, are not included in this service.
Our advice: Enrolling in an expensive credit monitoring service may actually increase your vulnerability to ID theft. The FTC alleged in its complaint against LifeLock back in 2013 that it had failed (after five years!) to implement industry-standard security practices to protect the sensitive data that it collects from subscribers. It’s unlikely that LifeLock’s competitors do much better to protect customers’ data. We believe that if you received notice from Equifax about the data breach along with its offer of free ID-theft “protection,” you should turn it down. Do your own monitoring and be proactive. Don’t give up your legal rights for a substandard and overpriced credit monitoring deal.