
Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

According to news reports, Equifax experienced another data breach earlier this year, before the massive data breach it announced on September 7th, in which criminals gained unauthorized access to Equifax's systems and computers from May through the end of July 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to be referring to a breach involving TALX, its payroll, human resources, and tax services subsidiary formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. Also, the Krebs On Security blog reported in May about the Equifax-TALX breach. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


31 States Sent Joint Letter Demanding Equifax Provide Free Services And Better Support For Consumers

On Friday, September 15, the attorneys general in several states sent a joint letter to Equifax as a result of the credit reporting agency's response to a massive data breach affecting about 143 million persons in the United States. The participating attorneys general are concerned about the impacts and costs to consumers. They want Equifax to respond better to the needs of consumers, extend the duration of the sign-up period for breach victims, and waive the fees of certain services. Perhaps most importantly, they are concerned about Equifax benefiting unjustly due to a situation it created.

The joint letter explained:

"... Chief among the issues causing confusion and concern are the inclusion of terms of service that required consumers to waive their rights, the offer of competing fee-based and free credit monitoring services by Equifax, and the charges consumers incur for a security freeze with other credit monitoring companies like Experian, TransUnion, and Innovis.

Initially, in order to enroll in the free credit monitoring that Equifax offered to all Americans, it appeared that Equifax attached certain conditions to the offer, including mandatory arbitration, among other things. The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forgo certain rights. It was not until after urging from our offices and public condemnation that Equifax withdrew these objectionable terms from its offer of free credit monitoring.

We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach. Consumers who view Equifax’s homepage are offered both Equifax fee-based credit monitoring services, as well as its services offered at no cost. Again, at the urging of our offices and following criticism in the media, Equifax made its offer of free credit monitoring services more prominent so that it can be more easily found by consumers. Although these changes are an improvement over the site’s original offering, which presented a much less prominent link when compared to Equifax’s fee-based offering, they do not address all of our concerns.

We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims. Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair, particularly if consumers are not sure if their information was compromised.

Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families. If there is any substantial benefit consumers can obtain by purchasing the fee-based services over the free credit monitoring, then we strongly suggest that Equifax upgrade its free credit monitoring service to provide equivalent protection. On the other hand, if the services are equivalent, then we fail to understand why Equifax continues to offer its fee-based services to those affected by the breach if equivalent services are obtainable at no cost. Either way, we request that Equifax disable links to its fee-based services until the sign-up period for the free service has ended. Additionally, the cutoff date of November 21, 2017 for consumers to avail themselves of the free services provided appears to us to be rather short-sighted and we suggest that date be extended to at least January 31, 2018.

Our offices are also receiving complaints from proactive consumers who have requested a security freeze. Although Equifax is not charging consumers a fee for its own security freeze service, these consumers are furious that they have been forced to pay for a security freeze with other companies, such as Experian and TransUnion, when this privacy breach was no fault of their own. We agree with these consumers that it is indefensible that they be forced to pay fees to fully protect themselves from the fallout of Equifax’s data breach.

Accordingly, we believe Equifax should, at a minimum, be taking steps to reimburse consumers who incur fees to completely freeze their credit..."

The participating attorneys general are from Alabama, Arizona, Connecticut, Delaware, Georgia, Hawaii, Illinois, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, North Dakota, Oklahoma, Ohio, Oregon, South Carolina, South Dakota, Pennsylvania, Virginia, West Virginia, and the District of Columbia. Read the announcement by Christopher S. Porrino, the State of New Jersey Attorney General. A copy of the joint letter is also available here (Adobe PDF).


The Equifax Breach: Several Investigations Underway

The Office of the Attorney General (AG) for the State of Nevada announced yesterday an investigation into the Equifax data breach. About 143 million persons were affected. The announcement stated:

"The breach, which took place from mid-May through July of this year, neglected to keep important personal identifying information safe and allowed hackers to access names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. As a result of this breach, approximately 209,000 individuals throughout the country are estimated to have had their credit card numbers stolen."

Nevada AG Adam Paul Laxalt said:

"As a part of my commitment to safeguard the identities and personal information of Nevadans, my office will be working diligently with other states to investigate the cause of the Equifax breach... I encourage Nevadans to contact Equifax to determine whether their data was compromised, and to consider taking additional steps to protect themselves."

The statement did not mention the other states the Nevada AG's Office is working with. Residents of Nevada should read the announcement which lists specific actions consumers in that state should take to protect themselves.

The Attorney General for the State of New York announced on September 8 both an investigation into the Equifax data breach and a consumer alert:

"Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data..."

The consumer alert portion of the announcement:

"1) Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you do not recognize could indicate identity theft. This is a free service; 2) Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. It will not prevent a thief from using any of your existing accounts; 3) Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize; and 4) Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS."

Annualcreditreport.com is the official site for free credit reports. The U.S. Federal Trade Commission (FTC) issued new rules in 2010 which addressed consumer confusion in the marketplace about sites offering free credit reports. When using unofficial sites, some consumers found the "free" credit reports weren't truly free because they included expensive subscriptions to credit monitoring services.

On September 11, the New York AG's office issued a warning about cyber attacks resulting from the Equifax breach:

"In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious [e-mail] links claiming to be from Equifax or financial institutions... Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities... New Yorkers should be on the lookout for these possible attacks: a) Phishing emails that claim to be from Equifax where you can check if your data was compromised; b) Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information; c) Calls from scammers that claim they are from your bank or credit union..."

Also, the Los Angeles Times confirmed an investigation by the U.S. Federal Trade Commission (FTC):

"The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country."

The news report cited comments by Peter Kaplan, the agency's acting director of public affairs. So far, little is known about which aspects of the breach the FTC is investigating.

No doubt, there is more news to come.


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach where criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math: 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed (read: stolen) allow criminals to do a lot of damage. That might include: a) obtain fraudulent loans or credit in breach victims' names; b) impersonate breach victims (it's called pretexting) to access online accounts; c) with online access, withdraw money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts, effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed its systems, Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach, it took Equifax another 5 weeks to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, trustworthy companies have notified breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, the lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Consumers' stolen credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring to all breach victims.

Why lifetime? Because the data elements accessed (read: stolen) have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements) than to implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update on its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements and policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- its responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets for criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (e.g., the Affordable Care Act) legislation -- some called it socialism -- while remaining silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


The Top Complaints About Financial Services. One Complaint Type Grew 325 Percent

After encountering unresolved issues with financial services, many consumers file complaints with the Consumer Financial Protection Bureau (CFPB). After each complaint, the CFPB works hard to get each consumer a reply within 15 days. This process allows the CFPB to track which issues affect most consumers, and to identify emerging problems.

According to its April Monthly Complaint Report, debt collection issues generated the most complaints on average, and complaints about student loans grew the fastest:

"As of April 1, 2017, the CFPB has handled approximately 1,163,200 complaints, including approximately 28,000 complaints in March 2017... Student loan complaints showed the greatest percentage increase from January - March 2016 (773 complaints) to January - March 2017 (3,284 complaints), representing about a 325 percent increase. Part of this year-to-year increase can be attributed to the CFPB updating its student loan complaint form to accept complaints about Federal student loan servicing in late February 2016. The CFPB also initiated an enforcement action against a student loan servicer during this time period."

CFPB Monthly Complaint Report. April, 2017. Table 1.

The top five categories of complaints during March 2017:

  1. Debt collection: 8,711
  2. Credit reporting: 5,498
  3. Mortgages: 3,965
  4. Credit cards: 2,522
  5. Bank account or service: 2,476

Also during March: debt collection complaints represented about 31 percent of complaints; debt collection, credit reporting and mortgage were the top three most-complained-about consumer financial products and services. Together, these three categories represented 65 percent of complaints during March.

The top five categories of complaints since the CFPB began:

  1. Debt collection: 316,810
  2. Mortgages: 272,153
  3. Credit reporting: 195,826
  4. Credit cards: 118,732
  5. Bank account or service: 115,055

The CFPB began accepting complaints for different products and services at different times:

There were regional differences in complaint volume:

"Montana (54 percent), Georgia (46 percent), and Wyoming (45 percent) experienced the greatest complaint volume percentage increase from January - March 2016 to January - March 2017. New Mexico (-20 percent), Iowa (-5 percent), and Kansas (-0.7 percent) experienced the greatest complaint volume percentage decrease... Of the five most populated states, Texas (35 percent) experienced the greatest complaint volume percentage increase and Florida (8 percent) experienced the least complaint volume percentage increase from January - March 2016 to January - March 2017."

The report also tracks complaints by company:

CFPB Monthly Complaint Report. April, 2017. Figure 1.

The CFPB reported additional details about student loan complaints:

"Approximately 32,700 (or 74 percent) of all student loan complaints handled by the CFPB from July 21, 2011 through March 31, 2017 were sent by the CFPB to companies for review and response. The remaining complaints have been found to be incomplete (7 percent), referred to other regulatory agencies (19 percent), or are pending with the CFPB or the consumer (0.5 percent and 0.4 percent, respectively)... The most common issues identified by consumers are problems dealing with their lenders or servicers (64 percent) and being unable to repay their loans (33 percent)."

"Federal student loan borrowers reported that when contacting their loan servicers regarding financial distress, servicers provided them with information on hardship forbearance or deferment, instead of potentially more beneficial repayment options like income-driven repayment plans... loan borrowers complained of difficulty enrolling in income-driven repayment plans. Borrowers reported lost documentation, extended application processing times, and unclear guidance when seeking to switch from one income-driven repayment plan to another."

"Federal student loan borrowers described their experiences when trying to obtain guidance in completing annual income recertification for their income-driven repayment plan. Borrowers reported receiving insufficient information from their servicers to meet recertification deadlines and lengthy processing times. Some federal student loan borrowers stated their payments were misapplied. Borrowers reported overpayments were not applied to specified accounts but rather applied to all accounts managed by the servicer. Additionally, some borrowers’ overpayments—intended to reduce principal balance—were credited to the account as an early payment, resulting in their account reflecting a paid ahead status..."

To read more, download the full "April 2017: CFPB Monthly Complaint Report: Vol. 22" (Adobe PDF).


2 Credit Reporting Agencies To Pay $23.1 Million To Settle Deceptive Advertising Charges

Last week, the Consumer Financial Protection Bureau (CFPB) announced the actions it had taken against two credit reporting agencies and their subsidiaries for deceptive advertising practices with credit scores and related subscription programs. The CFPB announcement explained:

"TransUnion, since at least July 2011, and Equifax, between July 2011 and March 2014, violated the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act by: 1) Deceiving consumers about the value of the credit scores they sold: In their advertising, TransUnion and Equifax falsely represented that the credit scores they marketed and provided to consumers were the same scores lenders typically use to make credit decisions. In fact, the scores sold by TransUnion and Equifax were not typically used by lenders to make those decisions; 2) Deceiving consumers into enrolling in subscription programs: In their advertising, TransUnion and Equifax falsely claimed that their credit scores and credit-related products were free or, in the case of TransUnion, cost only “$1.” In reality, consumers who signed up received a free trial of seven or 30 days, after which they were automatically enrolled in a subscription program. Unless they cancelled during the trial period, consumers were charged a recurring fee – usually $16 or more per month. This billing structure, known as a “negative option,” was not clearly and conspicuously disclosed to consumers."

Credit scores are numerical summaries designed to predict a consumer's repayment behavior when using credit. Those numeric summaries attempt to indicate a consumer's creditworthiness based upon factors like their bill-paying history: the number and type of credit accounts, the total amount of debt, whether the credit accounts are maxed out, the age of that debt, whether bills are paid on time, collection activities by lenders to get paid, and the age of the consumer's accounts.

It is important for consumers to know that lenders rely in part on credit scores when deciding whether to extend credit to consumers and how much credit to extend. Plus, there are several branded credit scores in the marketplace. So, no single credit score is used by all lenders, and lenders may use one or more branded credit scores when making lending decisions. Also, the credit scores sold to consumers by TransUnion:

"... are based on a model from VantageScore Solutions, LLC. Although TransUnion has marketed VantageScores to lenders and other commercial users, VantageScores are not typically used for credit decisions."

Generally, the higher a credit score, the less risky that consumer is to lenders. The U.S. Federal Trade Commission (FTC) has a helpful site that explains credit scores and provides answers to common questions by consumers.

The CFPB actions require Equifax and TransUnion to pay fines totaling $5.5 million to the CFPB, and to pay more than $17.6 million in restitution to affected consumers. TransUnion's share of the fines is $3 million, and Equifax's share is $2.5 million. Other terms of the enforcement action:

"TransUnion and Equifax must clearly inform consumers about the nature of the scores they are selling to consumers... Before enrolling a consumer in any credit-related product with a negative option feature, TransUnion and Equifax must obtain the consumer’s consent. TransUnion and Equifax must give consumers a simple, easy-to-understand way to cancel the purchase of any credit-related product, and stop billing and collecting payments for any recurring charge when a consumer cancels."

"Negative option" is when a free trial automatically converts to a monthly paid subscription if the consumer fails to cancel during the free trial period. Historically, the three major credit reporting agencies have outsourced their call center operations offshore. So, it will be interesting to see how many of these jobs return to the United States given the policy positions of the incoming President and his administration. And, the industry has come under scrutiny for failing to fix errors in the credit reports they sell.

The industry has had some spectacular information security failures. A May 2016 breach at Equifax exposed the sensitive personal information of more than 430,000 employees of its Kroger supermarkets client. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations by the FTC about the improper sales of customer lists from January 2008 to early 2010.

The CFPB began supervision of the credit reporting industry in 2012. CFPB Director Richard Cordray said about this recent enforcement action:

"TransUnion and Equifax deceived consumers about the usefulness of the credit scores they marketed, and lured consumers into expensive recurring payments with false promises... Credit scores are central to a consumer’s financial life and people deserve honest and accurate information about them."

Kudos to the CFPB for this enforcement action.


Facts About Debt Collection Scams And Other Consumer Complaints

The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam is attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect."

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists the 20 companies with the most debt-collection complaints during October through December 2015. The top five companies by average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced Recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report.

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.


Experian Has Paid $20 Million (So Far) In Post Breach Costs

Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations in to the matter."

Details about the September breach are available here.

Not good. As I wrote in October, Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better: the company is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.


The CFPB Helps Consumers

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:


Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

In a separate case, a class-action lawsuit was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including Court Ventures — a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.


U.S. Supreme Court To Hear Arguments About Spokeo Lawsuit

While the country focuses on the U.S. Supreme Court as it considers arguments about whether the U.S. Constitution contains rights for gay and lesbian adults to enter into marriage contracts, there is another case before the Court that is arguably of equal, if not more, importance.

The current case is Spokeo v. Robins, U.S. Supreme Court, No. 13-1339. The U.S. Chamber of Commerce, Facebook, and Google have filed friend-of-the-court briefs to support Spokeo.com's position. Maybe you've heard about Spokeo.com, the people-finder website, or have even used it. This blog first reported about Spokeo.com back in 2010.

This is a Court case you'll want to follow. Why? Basically, the lawsuit is about who controls consumers' personal property: specifically, the profile information about consumers in various databases compiled by data brokers. Do individual consumers each control their profile data, or do the data brokers? You might say, the case is about whether we want accurate "bigdata" or not.

The plaintiff, Thomas Robins, a Virginia resident, originally filed a lawsuit in 2010 in California alleging the data collected and sold about him by Spokeo.com was incorrect, prevented him from finding a job, and as a result violated the Fair Credit Reporting Act (FCRA). The FCRA requires that consumers receive notice about their profile information and have the right to view and correct their information collected by credit reporting agencies. Also, consumers have the right to lock down or prevent their credit reports from being sold by the three major credit reporting agencies: Experian, TransUnion, and Equifax. Of course, in this case Spokeo.com claimed that it is not a credit reporting agency.

Robins' suit was dismissed in 2011 by a lower court for lack of standing, because he hadn't proved harm. An Appeals Court reversed the lower court's decision in 2014. The U.S. Supreme Court will hear the case, and its decision will hopefully settle the matter.

University of Washington School of Law professor Anita Ramasastry analyzed the case:

"Spokeo attempts to immunize itself from FCRA violations by stating that it is not providing data for use in credit reporting. But as a recent lawsuit illustrates, Spokeo’s data is being used for such purposes, because the company may not have sufficient safety precautions... Robins’s lawsuit is not the first time that Spokeo has gotten into hot water. While it claims to be a site selling personal data for other uses (e.g., cultivating new clients, finding old friends, and evaluating prospects for business deals) it is skating on thin ice, as its data is also useful to landlords, employers, and even lenders, who may subscribe to the service as a way of doing additional background checks on people. These new types of data brokers are either unregulated, or claim that certain laws do not apply to them..."

Spokeo paid $800,000 in 2012 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603(d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

A 2012 survey found that most consumers are unaware about how data brokers operate. In her analysis, professor Ramasastry explained:

"[Spokeo] obtains information from dozens of sources including public records, marketing surveys, online maps, and social networks, the company says on its website. What is unclear from the company’s site is how it merges and melds data together to create a unique profile—so that data that may not be yours, or data that has an error in it, will not get wrongly compiled into your unique individual profile. In one of its blog posts, the company tells the public that “Spokeo is not a private investigator, but an information aggregator. This means that our machines do not have the human intelligence to decide which information is right, and which is wrong." This may be its assertion, but many people rely on Spokeo to serve as a sort of online detective and make decisions based on what they find in its records. Spokeo says in its Terms of Use that using the site to determine eligibility for employment, credit or other use under the FCRA is “explicitly prohibited.” "

Plus, consumers must pay to view their full profile at Spokeo.com. Professor Ramasastry concluded that the lawsuit (bold emphasis added):

"... illustrates the gray zone in which Spokeo has been operating. It is collecting data that is not traditionally the type of data that has been used for credit-reporting purposes. Employers, banks, insurers, and landlords have typically relied on financial history: how much debt a person has, whether he or she has paid their bills on time, whether he or she has a criminal record, etc. But Spokeo and other companies are compiling even more robust data sets, with new types of profiles that creditors and others will also find useful when making decisions, so Spokeo has a product that creditors want... And the underlying issue is this: when the information is used for a major life decision, such as whether someone might be hired or not, the person affected has no recourse, or ability to correct the errors."

It's not just Spokeo.com. Other data brokers operate in the same "gray zone." One example is the mugshot industry, whose data seems similarly error-filled. Published mugshots from arrest records don't seem to be updated based upon the results of court cases when charges are dropped or when defendants are found not guilty by a court. And, there are some print mugshot publications. Plus, the mugshot industry operates in an ethically questionable manner when it charges consumers large take-down fees to have their mugshots removed (only to reappear on another site).

What can consumers conclude about all of this? Four things:

  1. The data compiled by many data brokers has errors, whether they admit it or not. Consumers don't know how accurate (or inaccurate) the data compilation processes are. This can affect you. That data brokers' databases have errors should not be a surprise, since errors by credit reporting agencies are well documented and the two perform similar functions.
  2. What consumers share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites will sell your information to data brokers, and your profile data will find its way into sites like Spokeo.com.
  3. What gets decided in this case probably will have ripple impacts upon the whole Internet of Things (IoT) industry, as the Internet-connected devices installed in "smart homes" collect even more information about consumers' habits, movements, purchases, utilities, and product usage.
  4. There are rarely-discussed ethical issues. Is it right for data brokers to sell information about consumers they know isn't correct, and pretend that it is? Is it right for data brokers to charge consumers a fee to see their own profile data? After all, without consumers, data brokers like Spokeo wouldn't have anything to sell. Is it right for creditors and employers to use data brokers' sites with incorrect information?

My opinion: if it walks like a duck, quacks like a duck, and smells like a duck, then it probably is a duck. Spokeo claims it's not a credit reporting agency, but it surely operates like one. The FTC case highlighted that the company's procedures may not prevent creditors from using its data for FCRA-regulated purposes. Think of it this way: to find somebody online, you can simply search Facebook, one of the major search engines, or a white-pages telephone site. So, the data compiled by Spokeo seems intended for more advanced purposes beyond finding people. Spokeo can't and shouldn't have it both ways: enjoy the benefits and revenues without complying with the FCRA requirements.

At some point, one has to hold companies accountable for selling error-filled information. If not, then you have chaos. What are your opinions?


Massachusetts And Several States' Attorneys General Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorneys general, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of births, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumers could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information."

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (e.g., Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers that don't have a credit monitoring service can visit AnnualCreditReport.com to order their free credit report once each year from the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion). Consumers that experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency can submit complaints to the Consumer Financial Protection Bureau (CFPB). At the CFPB site, click on the "Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.


The Words Organizations Use In Their Data Breach Notices

What words do organizations use frequently in breach notification letters and announcements? To better understand this, I used the Wordle tool to create word clouds from several actual, high-profile breach notifications during the past six months. The tool gives more prominence to words that appear more frequently.

Some breach notices were blog posts, some were press releases, some were web pages in a small website specifically about that data breach, and others were letters shared with state agencies, as required by law in some states. I wanted to see what words were frequently used and any variations.

A word cloud from the February 2013 breach notice by Twitter:

Word cloud for the Twitter.com breach notice

 

A word cloud from the February 2013 breach notice by GE Capital Retail Bank (Adobe PDF):

Word cloud for the GE Capital Retail bank breach notice

A word cloud from the February 2013 breach notice by Walgreens drug stores (Adobe PDF):

Word cloud for the Walgreens breach notice

A word cloud from the January 2013 breach announcement by the Experian credit reporting agency (Adobe PDF):

Word cloud for the Experian breach notice

A word cloud from the January 2013 breach announcement by Zaxby's restaurants:

Word cloud for the Zaxbys breach notice

A word cloud from the November 2012 breach notice by Pinnacle Foods:

Word cloud for the Pinnacle Foods Group breach notice

A word cloud from the November 2012 breach notice by Nationwide Insurance:

Word cloud of the Nationwide Insurance breach notice

Clearly, there is a lot of variety. Some words (e.g., information, report, credit, security) appear frequently within and across breach notices. Some breach notices feature the company name prominently while others don't. While the words may vary, basic information about the breach is presented pretty consistently: organization name, relevant dates, the types of individuals affected (e.g., members, employees, students), and what that organization calls the notice.

A lot of this is mandated by state breach notification laws. Depending upon local laws, the notification may be sent to affected individuals, a public notice, or both.

The content that varies seems to be the amount of detail disclosed about the cause of the data breach, and the resources for breach victims. The resources vary based on the type of data stolen. For example, when consumers' Social Security numbers have been stolen, the notices frequently mention the major credit reporting agencies. This is what I have seen frequently in both breach notices I have received and others I have read.

An exception seems to be the GE notice which only mentions a single credit reporting agency. Sometimes, the resources to help breach victims are in a separate document or website page. So, this will affect the words used in the actual breach notice.

Sadly, the credit reporting agencies experience data breaches, too. Since they specialize in information about individuals, you might think that they don't experience data breaches, but they do. The FTC has studied the accuracy of credit reports, and many people feel that credit reporting agencies should do a lot more to fix the errors in their consumer credit reports.

What do you think of data breach notices? How many breach notices have you received?


FTC Studies The Accuracy Of Consumer Credit Reports. Plenty Of Errors To Be Fixed By Credit Reporting Agencies

The blog post on Monday discussed the 60 Minutes report about the failures in the dispute process at credit reporting agencies to fix mistakes in consumers' credit reports. Today's post discusses the recent U.S. Federal Trade Commission (FTC) survey, which prompted that news report.

The FTC survey analyzed the accuracy and completeness of consumer credit reports. This was the agency's fifth such report. Section 319 of the 2003 FACT Act requires the FTC to conduct a study of the accuracy and completeness of consumer credit reports.

Major findings from this FTC study:

  1. 26% of consumers (262 of 1,001 participants) identified errors on their credit reports that might affect their credit scores. 19% of credit reports (572 of 2,968 reports) had an alleged error reported by participants
  2. 20% of consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports
  3. Of the 572 credit reports where an error was submitted, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) had a credit score changed. Those same 211 credit reports are 7.1% of all credit reports in the study
  4. Of the 262 consumers who identified alleged inaccuracies in their credit reports and filed disputes, 206 consumers (80%) had a modification made by a credit reporting agency to their credit report in response to the dispute. Of these, 129 consumers (12.9% of all 1,001 participants) experienced a change in credit score following the dispute process
  5. Slightly more than 10% of consumers saw a change in their credit score after the credit reporting agencies fixed errors on their credit reports
  6. Approximately 5% of consumers had a maximum credit score change of more than 25 points, while 0.4% of consumers had a maximum score change of more than 100 points

If you skimmed or quickly read the high-level findings or the FTC press release, then you might assume that there is no problem -- and you would be wrong for several reasons. First, that 20% of consumers found an error in at least one of their credit reports means that as many as 40 million people (20% of the 200 million Americans with credit reports) have at least one error in one of their three credit reports with Experian, Equifax, or TransUnion. That is a huge error rate.

Second, this error rate is based on a percentage of consumers. Some credit reports had multiple errors in them. So, a more accurate error rate would be based on the number of credit reports with errors compared to the total number of credit reports. Or, an even better error rate would be the average number of errors in a credit report. Third, the report doesn't seem to measure the percentage of error items that credit reporting agencies don't fix but should have fixed (that's another type of error).

Fourth, that 20% error rate is the number of consumers who reported errors and the credit reporting agencies fixed them. (Explanation below.) A much higher rate of consumers reported errors: 26%. It seems that the real error rate is far higher.

I waded through the 370-page FTC report because credit reports are critical documents. Consumers need them to be accurate to do business with lenders, and lenders use these documents constantly. Plus, credit reports contain a lot of important, sensitive, personal information about you, your lifestyle, and the purchases you've made:

"... (1) Identifying information including name, address, birth date, SSN, and previous/alternate names and addresses; (2) Credit account information including information about current and past credit accounts such as mortgages, car loans, credit cards, and installment payments; (3) Public records such as bankruptcies, foreclosures, civil judgments, and tax liens; (4) Collection accounts, which include unpaid debts (such as medical bills) that have been turned over to collection agencies; and (5) Inquiries (subscriber requests to access a consumer credit report)."

When you apply for credit or when a potential lender requests to view your credit report to make a lending decision, a "hard inquiry" results. Too many "hard" inquiries and your credit score can go down. The study identified different types of errors (bold emphasis added):

"... we define a ‘potential error’ as an alleged inaccuracy identified by the participants with the help of the study associate... Lenders often use the credit score associated with a credit report to assess the credit risk of a particular consumer. Therefore, we define a ‘potentially material error’ as an alleged inaccuracy in information that is commonly used to generate credit scores. Information used to generate credit scores include the number of collections accounts, the number of inquiries (hard pulls on a credit file), the number of negative items such as late or missed payments, and other factors. An alleged error is considered potentially material prior to the dispute process simply by its nature as an item used to generate credit scores... We define a ‘confirmed material error’ in several ways, though all rely on a confirmed error being determined as a result of the FCRA dispute process..."

If you are reading this closely, then you realize that credit reports contain errors both in the information used to calculate consumers' credit scores, and in the information not used to calculate credit scores:

"Errors in header information (current/previous address, age, or employment) are not considered in determining a FICO credit score and thus are not defined as material in the context of this study."

In my opinion, this distinction does a disservice to consumers. It tolerates a certain level of sloppiness: that it is okay for credit reporting agencies to get their credit reports mostly correct. First, header information elements are no less important than other credit report elements. These header elements could be used to match a credit report to a person when lenders submit data and during dispute investigations, so a wrong name or address in the header is one way another person's data can end up on your report. Second, a credit report is such an important document that it needs to be correct. Period. Credit reports are important because:

Errors are errors. Period. They all are important. Fix them all. Decades ago and early in my business career, I learned an important lesson about producing a quality product or service:

"Why spend all this time finding and fixing and fighting when you could prevent the incident in the first place?... It is much less expensive to prevent errors than to rework, scrap, or service them... It is always cheaper to do the job right the first time."

Either the credit reporting agencies haven't learned these lessons about quality, or they intentionally choose not to pursue a goal of zero defects.

To the good, the FTC study looked at error rates among header information from credit reports:

"In cases where a participant identified only an error in header information, the participant was instructed to dispute the error directly with FICO and the participant’s credit report was not redrawn. For the individuals with material errors and header information errors, the outcome for the header information disputes is known. The third most common alleged inaccuracies occur in the data on header information (154 alleged errors on 127 reports, comprising 4.3% of the sample). Note this represents a lower bound of the frequency of header information errors, as reports with errors only in header information are not included. The modification rate for header information is higher than that of other alleged material error types (99 modifications, comprising 64.3% of the disputed header information items)."

In other words, in this study 127 credit reports had 154 alleged errors in the header information, or 1.2 errors on average per credit report. The credit reporting agencies fixed 99 of these 154 alleged errors, a 64.3% correction rate for header items. This is still a best-case correction rate, because the above excludes instances where the only error reported by the consumer was in the header information.

The study found that the main types of confirmed material errors (that could affect a consumer's credit score) that were fixed by credit reporting agencies were:

"... errors in the tradeline (consumer accounts) or collections information. The most common alleged inaccuracies occur in the data on tradelines (708 alleged errors on 409 reports, comprising 13.8% of the sample) or collections accounts (502 alleged errors on 223 reports, comprising 7.5% of the sample). The most commonly modified errors are tradeline information errors (395 modifications) and collections information errors (267 modifications)."

The supporting details:

Error Type                  Alleged   Items modified    Reports with     Avg. alleged     Reports with errors modified
                            errors    # (% of alleged)  alleged errors   errors / report  # (% of all 2,968 reports)
Collections                   502     267 (53.2%)       223              2.3              146 (4.9%)
Duplicate Entries              65      30 (46.2%)        39              1.7               27 (0.9%)
Header Information            154      99 (64.3%)       127              1.2               90 (3.0%)
Inquiries                      88      48 (54.5%)        48              1.8               34 (1.1%)
Derogatory Public Records      44      25 (56.8%)        35              1.3               20 (0.7%)
Tradeline Information         708     395 (55.8%)       409              1.7              267 (9.0%)
Total                       1,561     864 (55.3%)       --               --                --

Note: the report did not provide totals. I calculated that row. Overall, slightly more than half (55.3%) of error items reported by consumers are fixed -- and this chart includes only the material errors that could affect a consumer's credit score. What I found interesting: regardless of the error type, there is consistently more than one error per credit report.

The following chart highlights how often credit reporting agencies co-mingle your information with other persons' information:

Error Type              Alleged   "Not mine"   "Not mine" items   Reports with    Reports with          Reports with "not mine"
                        errors    items        corrected # (%)    alleged error   "not mine" alleged    corrected # (%)
Collections               502     413          209 (50.6%)        224             190                   116 (61.1%)
Inquiries                  88      88           48 (53.9%)         48              48                    33 (68.8%)
Tradeline Information     708     246          133 (54.1%)        409             144                    81 (56.3%)
Total                   1,561     747          390 (52.2%)        --              --                    --

Again, the report did not calculate the total row. I did (the 1,561 figure is the total of alleged errors of all types from the previous table, not just the three types listed here). As you can see, credit reporting agencies fixed slightly more than half of the items consumers reported as not theirs. How the researchers calculated the effects on consumers' credit scores from credit report errors:

"After the disputes were filed and completed, the study associate drew new credit reports for the consumer and analyzed whether there were changes to the report in response to the dispute. If there were no changes to the report, the original FICO score is relevant for our calculations and if all the alleged inaccurate items were modified by the CRA, the provisional FICO rescore is the relevant credit score. If only some of the disputed items were changed, the modified report was sent to a FICO analyst for a second rescoring to assess the impact of the modifications. The relevant FICO score at the conclusion of the dispute and rescoring process is then compared to the original FICO score to determine how the credit report inaccuracies affected the consumer credit score."

The reports shared a brief explanation of why credit reporting agencies don't fix errors as consumers who reported errors expect:

"... There are a number of reasons, however, why a CRA may make changes to a credit report that differ from the consumer’s instructions. For example, a consumer may dispute an account balance and instruct the CRA to change the balance to a specific amount (i.e., the consumer alleges what is incorrect and what action by the CRA would set it right). If the CRA cannot confirm the existence of the account with the data furnisher, the account is removed from the consumer’s credit report; in this case the outcome is not what the consumer requested. In addition, a consumer may dispute multiple items on a credit report as inaccurate and the CRA may only modify a subset of the disputed items, thus suggesting that the consumer was correct regarding some of the inaccuracies on the report but not all."

The report shared a brief explanation of why credit reporting agencies may not fix at all any errors reported by consumers:

"... there are some consumers who file disputes and yet the CRA makes no modification to their report. For the purpose of the analysis within this report, these consumers are not defined as having a confirmed material error. It is important to note that these consumers with alleged potentially material errors that are not confirmed through the FCRA dispute process may still have inaccurate items on their credit reports; however, we are unable to verify the inaccuracy within the design of this study..."

So, the 20% error rate (percentage of consumers who reported errors which the credit reporting agencies then fixed) in the study is probably the best-case scenario, and the real-world error rate is higher. How? If an error discovered and reported by a consumer cannot be verified via the FCRA dispute process, then the credit reporting agency does nothing and that error remains in the consumer's credit report. The 60 Minutes show documented real-world examples where consumers fully documented errors in their credit reports, which the credit reporting agencies proceeded to ignore (sometimes settling a lawsuit later out of court).

This best-case error rate problem is also backed by the research methodology. The research team included members from the University of Missouri, St. Louis (UMSL), the University of Arizona, and the Fair Isaac Corporation (FICO). The research methodology included consumers selected at random:

"... from the population of interest (consumers with credit histories at the three national CRAs). Ultimately, 1,001 study participants reviewed 2,968 credit reports (roughly three per participant) with a study associate who helped them identify potential errors. Study participants were encouraged to use the Fair Credit Reporting Act (“FCRA”) dispute process to challenge potential errors that might have a material effect on the participant’s credit standing (i.e., potentially change the credit score associated with that credit report). When a consumer identified and disputed an error on a credit report, the study associate informed FICO of the disputed items, and FICO generated a provisional FICO score for the report under the assumption that all consumer allegations were correct. After the completion of the FCRA dispute process, study participants were provided with new credit reports and credit scores. Using the provisional FICO score, the new credit reports and credit scores, and the original credit reports and credit scores, we are able to determine the impact on the consumer’s credit score..."

Descriptive information of the study participants:

FICO credit score        Age                  Education                  Race
589 and below: 18.2%     18 - 30: 21%         HS diploma or less: 12%    White: 78%
590 - 679: 20.2%         31 - 40: 20%         Some college: 31%          Black: 12%
680 - 749: 21.0%         41 - 50: 15%         College degree: 30%        Other: 9%
750 - 789: 19.5%         51 - 60: 21%         Graduate study: 26%
790 and above: 21.2%     61 and older: 22%

The study never looked at credit report accuracy in the regional and smaller credit reporting agencies. So, there are more than three credit reports per person on average, when you include those smaller and regional agencies. More credit reports and probably more errors.

What do I think of this study by the FTC? It highlights several important concepts:

  • How you define an "error" matters. In the study, a conservative definition yielded a 9.7% error rate (defined as the percentage of consumers) while a more expansive definition yielded a 21% error rate.
  • How you count an "error" matters. The study calculated the much-publicized error rate as the percentage of consumers who reported errors. To me, a better method is to calculate the error rate as the percentage of credit reports with errors. That lets you go to the next level and calculate which credit reporting agency has the higher (or lower) error rate.
  • How you label an "error" matters. When calculating the percentage of credit reports with errors fixed and/or the percentage of error items fixed by credit reporting agencies, what you label these is important. The study used what I consider to be clumsy labels: "Percent of All Reports Examined With This Error Modified" and "Percent of Items With Any Allegation of this Type Modified," respectively. Let's call them what they really are: "Report Correction Rate" and "Report Item Correction Rate," respectively. Then, we can examine which credit reporting agency does a better job of fixing credit reports. Sadly, the study did not provide this level of detail.
  • How you define "investigation" matters: this includes both the FCRA dispute process and what credit reporting agencies actually do (or don't do) to investigate error disputes reported by consumers. The 60 Minutes report mentioned low-wage staff in other countries simply assign code numbers to error reports without performing a substantial, comprehensive investigation -- which most consumers probably expect.
  • Which brand of credit score matters: this study used FICO credit scores, while many credit reporting agencies and other retailers sell different brands of credit scores to consumers
  • Where you place the "responsibility" matters. The study is consistent with general practice -- for better or worse -- that places the responsibility for finding and reporting errors with consumers. Why aren't the credit reporting agencies held responsible for finding, reporting and fixing errors on their own? Would they find the same errors that consumers found? Or more? Or fewer?

This FTC study is half a loaf at best. Why?

First, it didn't analyze the real problem of actual errors already reported by consumers that were never fixed -- what I call the correction rate. A better study would investigate both error rates and correction rates, by perhaps using an independent third-party to analyze the dispute process and the supporting documents submitted by consumers to credit reporting agencies. This would get at the true heart of the matter: how accurate credit reporting agencies are (or are not) with using the documentation consumers provide. In other words, lets better understand the errors that weren't fixed which should have been fixed by credit reporting agencies.

Second, it is better to define error rates not as a percentage of consumers, but instead based on either the number of credit reports with errors, or the average number of error items in a credit report. Each consumer has at least three credit reports -- one with each of the three major credit reporting agencies: Experian, Equifax, and TransUnion. Some consumers have more credit reports with the smaller, regional credit reporting agencies.

Third, the study perpetuates a current bias that distinguishes between errors used to calculate credit scores and errors not used in that calculation. Errors are errors. Period. Credit reports are so important that they need to be correct. Fourth, the study ignored the smaller and regional credit reporting agencies.

Fifth, the study methodology had 100% of participants review their credit reports. In the real world, far fewer consumers check their credit reports for accuracy. In its report, the FTC said:

"... In 1992, the Associated Credit Bureaus (later Consumer Data Industry Association, or “CDIA”) commissioned Arthur Andersen & Company to perform a study about credit report accuracy. Using credit applicants who had been denied credit, the Andersen Study found that only 8% requested a copy of their report and 2% of those denied credit disputed information contained in their report. Following the dispute, 3% of the people who received copies of their report had the original decision to deny credit reversed...."

While the report cites other studies, the important point is this: if only 8% of consumers request copies of their credit reports, then it makes sense to pursue ways to engage more consumers with checking their credit reports for accuracy. Business as usual means a lot of errors go unreported and undiscovered. In a truly open market for credit reports, each credit reporting agency would tout its accuracy levels, unlike the current mess. The FTC needs to make it real for consumers by explaining the real-world costs of inaccurate credit reports with real examples of denied credit and loans with higher interest rates.

Sixth, I found the language in the report and study methodology needlessly confusing. It could have been simplified with clearer labels, such as:

  • Consumer Dispute Rate: the percentage of consumers that submitted error reports
  • Credit Report Dispute Rate: the percentage of credit reports with at least one error reported by consumers
  • Credit Report Average Item Dispute Rate: the average number of error items per credit report submitted by consumers
  • Gross Credit Report Correction Rate: the percentage of credit reports with (all or some) error items fixed by credit reporting agencies
  • Net Credit Report Correction Rate: the percentage of error items in credit reports where all items are fixed by credit reporting agencies
  • Gross Item Correction Rate: the average number of error items fixed (all or partial) per credit report
  • Net Item Correction Rate: the average number of error items where all items are fixed per credit report
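To make those labels concrete, here is an added example (not code from the FTC study or from this blog) that computes each of them from per-report dispute records. The record layout, the agency labels A, B and C, and the twelve sample records are constructed for illustration, and the "net" rates are read as counting a report only when every item disputed on it was fixed. It also breaks the item correction rate out by agency, which is the comparison the study did not provide.

```python
"""Added example, not code from the FTC study or this blog: compute the
dispute and correction rates proposed above from per-report dispute
records. The record layout and the sample data are constructed for
illustration; 'net' rates count a report as corrected only when every
item the consumer disputed on it was fixed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class DisputeRecord:
    consumer_id: str
    agency: str          # credit reporting agency that issued the report
    items_disputed: int  # error items the consumer disputed on this report
    items_fixed: int     # disputed items the agency modified afterwards


# Constructed sample: 4 consumers, one report at each of 3 agencies.
# Undisputed reports carry zeros so every denominator is complete.
SAMPLE: List[DisputeRecord] = [
    DisputeRecord("c1", "A", 2, 2), DisputeRecord("c1", "B", 0, 0), DisputeRecord("c1", "C", 3, 1),
    DisputeRecord("c2", "A", 0, 0), DisputeRecord("c2", "B", 0, 0), DisputeRecord("c2", "C", 0, 0),
    DisputeRecord("c3", "A", 1, 0), DisputeRecord("c3", "B", 0, 0), DisputeRecord("c3", "C", 0, 0),
    DisputeRecord("c4", "A", 4, 2), DisputeRecord("c4", "B", 0, 0), DisputeRecord("c4", "C", 2, 2),
]


def _ratio(num: float, den: float) -> Optional[float]:
    """num/den, or None when the denominator is empty (nothing was disputed)."""
    return None if den == 0 else num / den


def dispute_rates(records: Iterable[DisputeRecord]) -> Dict[str, Optional[float]]:
    """All rates over one population of reports (e.g., the whole study)."""
    records = list(records)
    consumers = {r.consumer_id for r in records}
    disputed = [r for r in records if r.items_disputed > 0]
    any_fixed = [r for r in disputed if r.items_fixed > 0]
    all_fixed = [r for r in disputed if r.items_fixed == r.items_disputed]
    items_disputed = sum(r.items_disputed for r in disputed)
    items_fixed = sum(r.items_fixed for r in disputed)
    return {
        # the FTC's headline figure: consumers with at least one confirmed fix
        "consumers_with_confirmed_fix": _ratio(len({r.consumer_id for r in any_fixed}), len(consumers)),
        "consumer_dispute_rate": _ratio(len({r.consumer_id for r in disputed}), len(consumers)),
        "credit_report_dispute_rate": _ratio(len(disputed), len(records)),
        "credit_report_avg_item_dispute_rate": _ratio(items_disputed, len(disputed)),
        "gross_credit_report_correction_rate": _ratio(len(any_fixed), len(disputed)),
        "net_credit_report_correction_rate": _ratio(len(all_fixed), len(disputed)),
        "gross_item_correction_rate": _ratio(items_fixed, len(disputed)),
        "net_item_correction_rate": _ratio(sum(r.items_fixed for r in all_fixed), len(disputed)),
        "item_correction_rate": _ratio(items_fixed, items_disputed),
    }


def item_correction_rate_by_agency(records: Iterable[DisputeRecord]) -> Dict[str, Optional[float]]:
    """Share of disputed items each agency fixed; None for an agency with no disputes."""
    disputed: Dict[str, int] = defaultdict(int)
    fixed: Dict[str, int] = defaultdict(int)
    for r in records:
        disputed[r.agency] += r.items_disputed
        fixed[r.agency] += r.items_fixed
    return {agency: _ratio(fixed[agency], disputed[agency]) for agency in sorted(disputed)}


if __name__ == "__main__":
    for name, value in dispute_rates(SAMPLE).items():
        print(f"{name:40s} {'n/a' if value is None else f'{value:.3f}'}")
    print(item_correction_rate_by_agency(SAMPLE))
```

Run it directly to print the rates for the sample. An agency with no disputes comes back as None rather than as a zero rate, so an absence of disputes is not mistaken for a perfect record; on the sample, the consumer-level "confirmed fix" figure (0.5) is visibly lower than the consumer dispute rate (0.75), which is the gap the post is about.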

What is your opinion of credit reporting agencies? Of their dispute process? Of the FTC study? Share your thoughts below.

Download the 2013 FTC FACTA report (Adobe PDF, 20.8 Mbytes).


60 Minutes: Dispute Processes At Credit Reporting Agencies Fail To Fix Errors in Consumers' Credit Reports

Recently, the 60 Minutes television news magazine reported about the credit reporting industry. The report focused on problems with the dispute process: failures by the largest three credit reporting agencies to correct errors reported by consumers on their credit reports.

Basically, one out of every five Americans has an error on their credit report. That is a massive number of credit reports with errors, since the companies archive credit reports for about 200 million Americans and since each person has at least three credit reports (e.g., one report each at Equifax, Experian, and TransUnion, plus regional credit reporting agencies). That is an unacceptably high error rate.

Few other businesses would remain operating with such a high error rate. Think of it this way: if one out of every five airplane passengers was killed or injured during a crash, then that airline would be out of business. At a minimum, the public would demand changes and accountability. If one out of every five credit card purchases were incorrect or lost, that bank would be out of business. And, consumers would demand changes and accountability. But somehow, credit reporting agencies remain in business despite high error rates. If you made an error in one out of five projects at your job, your employer would likely suspend or fire you.

If you are unfamiliar with what credit reporting agencies do, here's what you need to know. The banks and lenders you already have loans or credit accounts with provide the credit reporting agencies with your history: your loans, the payments you've made (or failed to make), outstanding loan balances, and the associated dates. When a loan is paid off, your credit report should indicate that. Like social networking websites, you are the product, since credit reporting agencies make money by selling your credit reports to potential lenders (e.g., banks, retail stores, phone companies, educational loan companies), both when you apply for credit and when potential lenders request credit reports in order to send out offers via e-mail or snail mail.

Credit reporting agencies also make money by selling to consumers both credit scores and credit monitoring services, whose monthly fees can be as high as $18. 60 Minutes reported that these credit monitoring services don't provide consumers with the exact same credit reports that the credit reporting agencies sell to potential lenders. I'd like to hear more about that.

Your credit report is the basis of future lending decisions made by potential lenders. A bad or inaccurate report will affect and lower your credit score, the overall number used to indicate your credit worthiness. A low credit score can cost you money: denied credit applications, or approved loans but with a far higher interest rate. Bad reports can include valid late or non-payments on your loans. The errors in credit reports can include another person's data co-mingled with yours (obviously, that should never happen), a dead person's data co-mingled with yours, or a credit report that doesn't accurately reflect a loan you truly paid off on time and/or in full.

The $4 billion credit reporting industry is dominated by three huge companies: Equifax, Experian, and TransUnion. What 60 Minutes didn't mention is that credit reporting agencies regularly do business with data brokers, such as Acxiom, to buy and sell your personal information. Credit reporting agencies experience data breaches, just like other companies.

The reality is that information in your credit report is transmitted around the globe, since much of the credit report maintenance and customer service operations are outsourced to firms in other countries (e.g., Argentina, Brazil, Canada, Chile, Costa Rica, El Salvador, Honduras, India, Ireland, Jamaica, Peru, Portugal, Spain, United Kingdom, Uruguay). The work is often performed by low-wage workers. Readers of this blog already know this, since this blog published a 4-part series in 2008 about offshore outsourcing within the industry. The 60 Minutes reporter interviewed several former credit reporting agency workers in Chile, who admitted that they really didn't have any way to investigate errors, and were directed to simply assign number codes to error disputes submitted by consumers, and then rubber-stamp inputs from lenders, regardless of whether that input was correct or incorrect.

If this makes you mad, it should. The 60 Minutes report included concerns by the Attorney General for the state of Ohio, Mike DeWine. He is concerned that the credit reporting agencies don't fix mistakes in consumers' credit report, that the high error rates are the industry's fault (and not the banks'), and that the industry violates the Fair Credit Reporting Act (FCRA). While the industry claims that it adequately protects the credit reports of children, DeWine's office has taken action to check the accuracy of the credit reports of youth in the state's foster care system.

60 Minutes reported that some consumers have sued credit reporting agencies to get a resolution and errors fixed. Consumers shouldn't have to go to that extreme to resolve errors in their credit reports. Perhaps, some enterprising class-action attorney will take up the challenge.

You can watch the report below. After watching it, report any credit problems you have had to the CFPB. You should also contact your elected officials and demand action:

Want to learn more? Read:


10 Tips For Consumers To Stay Safe During 2013

The Better Business Bureau (BBB) has released its list of tips for consumers to stay safe during 2013. The list includes items you can use both online and in the physical world to protect your money and your identity information:

"1. Do your research. Whether it's a business you're looking to hire or a product you're looking to buy, take the time to do your research. Check out a business at bbb.org to see its BBB Business Review. For product information, go to the Consumer Product Safety Commission.

2. Keep your computer safe. Install anti-virus software on your computer and regularly check for software and operating system updates. Don't open attachments or click on links in emails unless the email has been scanned for viruses or is from someone you know or trust.

3. Get it in writing. Don't just take a business's word for it. Get every verbal agreement in writing to limit miscommunication and misunderstandings."

Tip #1 applies especially to prepaid cards. I would modify tip #2 to also include your mobile devices, smart phones and tablets, since they are computers too. Some more tips:

"5. Protect your identity. Always shred paper documents that include sensitive financial data and dispose of computers, cell phones and digital data safely. Safely store all personal documents, such as your Social Security card, and look up your credit score at least once a year. Check your credit and debit card statements frequently.

6. Shop on trustworthy websites. Online shopping has increasingly become more popular, so before you provide any personal or banking information over the web, make sure you're using a trusted site. Look for the "s" in https:// in the URL for a secure site."

Read the entire list at the Boston BBB website.


Infographic: How Credit Reporting Agencies Get Your Information For Their Credit Reports

The infographic below is from the folks at Credit Sesame:

Infographic: how information ends up on your credit file



Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number of consumers not affiliated with the credit union. The breach highlights the fact that identity criminals are smart and persistent.

In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.

In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. The big-three credit reporting agencies also make money by operating credit monitoring services, both for consumers and for client companies' post-breach response.

Bloomberg reported that this approach by identity thieves:

"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."

You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:

  • Client companies, like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data should pay some (or all) of the post-breach management costs for all affected consumers
  • Credit reporting agencies should include mandatory, yearly data security training for their client users

What's your opinion?


Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales

This morning, the U.S. Federal Trade Commission (FTC) announced that Equifax Information Services LLC, the credit reporting agency, and some of its customers had agreed to pay $1.6 million to settle allegations about the improper sales of customer lists between January 2008 and early 2010. In a lawsuit (Adobe PDF) filed in U.S. District Court in Southern California, the FTC alleged that the sales of customer lists violated the Fair Credit Reporting Act (FCRA):

"Defendants buy and sell “prescreened lists,” which are lists of consumers that meet certain pre-selected credit criteria. For example, in this case, Defendants bought and sold “prescreened lists” of consumers who were, among other things, 30, 60, or 90 days late on their mortgage payments... Information such as whether a consumer is 30, 60, or 90 days late on their mortgage bears on, among other things, a consumer’s credit worthiness and credit standing and is used or expected to be used as a factor in determining a consumer’s eligibility for credit. Section 604(f) of the FCRA, 15 U.S.C. §1681b(f), prohibits persons from using or obtaining consumer reports in the absence of a “permissible purpose.” In addition, Section 607(e) of the FCRA, 15 U.S.C. § 1681e(e), requires persons who procure consumer reports for resale to establish and comply with reasonable procedures designed to ensure that the consumer reports are only resold for a permissible purpose. The only permissible purpose for using a prescreened list is to make a firm offer of credit or insurance..."

The following companies and individuals were named as defendants in the complaint:

  • Equifax Information Services
  • Direct Lending Source, Inc., based in Key Largo, Florida
  • Bailey & Associates Advertising, Inc., based in Florida and in El Paso, Texas and San Diego, California
  • Virtual Lending Source, LLC, based in San Diego, California
  • Robert M. Bailey, Jr., the Executive Vice President of Direct Lending, Bailey & Associates, and Virtual Lending
  • Linda Giordano, President of Direct Lending, Bailey & Associates, and Virtual Lending and an owner of Bailey & Associates and Virtual Lending

Terms of the settlements require Equifax to pay $393,000 for alleged inadequate procedures that led to the sale of lists of consumer information to companies that it should not have sold the information to. According to the FTC, Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used the data to pitch loan modification and debt relief services to people in financial distress. Direct Lending Source will pay a $1.2 million civil penalty, and will be barred from using or selling prescreened lists.


CFPB Begins Supervision Of Credit Reporting Industry

At a July 15, 2012 Credit Reporting Field Hearing in Detroit, Richard Cordray, Director of the Consumer Financial Protection Bureau (CFPB), explained the bureau's role in overseeing the credit reporting industry. Some highlights from Mr. Cordray's speech:

"After the financial crisis and extreme credit crunch of 2007-2008, tens of millions of Americans are now being pursued by debt collectors. Many people’s credit ratings have taken a hit and... They are blocked from obtaining access to the credit that is often so essential to meaningful opportunity – to get an education, start a business, or buy a house. We understand these realities at the Consumer Financial Protection Bureau because we hear about them from consumers every day. We also believe it is important to get out of Washington and listen directly to consumers by meeting them face to face. So we are glad to be with you today..."

About the CFPB's oversight role:

"Today, the Consumer Bureau is issuing a new regulation to expand our supervision program to oversee these credit reporting companies. The authority to supervise firms is the authority to conduct on-site examinations of whether and how they are complying with the law... we will be supervising the credit reporting companies that are the larger participants in this marketplace. These companies have never before been subject to a federal supervision program. Starting this September, we will be monitoring and examining them just as we monitor and examine the big banks... Up to this point, no single federal government agency could access all the information necessary to generate a complete picture of what was happening inside these companies..."

The credit reporting industry is huge, as the three largest credit reporting agencies (Experian, Equifax, and TransUnion) maintain credit reports for about 200 million people in the USA. Those reports contain inputs from about 10,000 information providers: lenders and companies that make loans to individuals. The industry sells about 3 billion credit reports every year to potential lenders. What consumers may not know:

"A credit report contains information about the consumer’s transactions – including loans that a consumer has paid on time, has paid late, has not paid, or has paid off, along with current amounts and sources of debt. The credit reporting companies also collect and report on information about consumers’ finances available from public records, including civil judgments, liens, and bankruptcies from thousands of federal, state, and local courts and public offices. The information contained in consumers’ credit reports is used to derive their credit scores... Credit scores translate this great mass of information into a single number that indicates, in shorthand, a consumer’s expected likelihood of repaying a loan... But credit reports are also used in a wide range of other types of decision-making – including determinations about eligibility for rental housing, what deposits are required for utility or telephone service, and premiums for auto and homeowners’ insurance. Credit reports are even sometimes used to determine eligibility for a job. Banks, landlords, cell phone providers, and all kinds of other companies rely on the accuracy of this information..."

The CFPB will focus on three areas:

"First, our oversight of the credit reporting companies will help us make sure that the information provided to them is itself reliable. Lenders and others who furnish information to the credit reporting companies are legally required to have policies in place about the accuracy and integrity of the information they report – which includes identifying consumers accurately, correctly recounting their actual payment history, and keeping their information and record-keeping in order. Otherwise, their sloppy work becomes the true source of harm to the consumer’s overall creditworthiness... Second, given the number of complaints we have already heard from consumers, and the findings reached in some (but not all) reports on the subject, we want and need to know more about the accuracy of how the credit reporting companies assemble and maintain the information contained in consumer credit reports. Accuracy is critical for consumers and for markets... because of the increasingly significant role these reports are taking on in our financial lives, the collateral consequences of mistakes can greatly harm consumers... Third, we are keenly interested in understanding more about the problems and frustrations that consumers tell us they encounter in trying to resolve disputes about the information contained in their credit reports. Some errors may be unavoidable even in the best of systems. But when consumers find what they perceive to be erroneous information in their credit reports, they should not be burdened by unreasonably laborious processes to get errors removed from their files..."

During the last five years, I've written plenty about credit reporting agencies including fraud alerts, security freezes, data breaches, violations, offshore outsourcing, consumer satisfaction surveys, reviews of credit monitoring services offered by credit reporting agencies, and several industries that historically haven't used but now want access to the information in consumers' credit reports. It was good to read Director Cordray's remarks.