I've Been Mugged Blog

After IBM informed me that IBM had lost data tapes with my personal data, one of the first things I did was contact the three credit bureaus in the USA. These thieves didn't have to do any dumpster-diving, or break into my snail-mail-box, or hack into IBM's computers, since the data tapes fell off the back of the truck.

A Credit Bureau is a company that compiles and distributes credit and personal information about consumers to creditors. This credit information may include payment habits, the number of (existing and prior) credit accounts, the balance for those accounts, and the length and place of employment. There are three credit bureaus in the USA: Equifax, Experian, and TransUnion. The Identity Theft Victims Guide lists the phone number, mailing address, and web site for all three credit bureaus.

Creditors are the companies that loan money or sell goods "on credit" to consumers. A variety of companies contact a credit bureau for the credit data of a consumer applicant. For example, when you apply for a loan (with a bank, auto company, or finance company) or apply for a wireless phone plan, that company (or bank) will contact a credit bureau to learn more about your habits with money. The company's goal is to learn enough to decide if you are a good credit risk or not. Consumers deemed a good credit risk receive the loan and pay less for the same goods; typically a lower interest rate. Consumers deemed a poor credit risk won't get the loan, or if they do will pay a higher interest rate.

One scam is when identity thieves pretend to be somebody else to apply for a loan, mortgage, or buy a large dollar-value item. The thief uses the identity victim's good credit and, of course, doesn't pay off the loan or pay for the product. Then, the creditor seeks the identity theft victim to pay for the loan or purchase that the victim never made. So, anything that makes it difficult (or impossible) for identity thieves to access credit information is a good thing.

One tool to make it difficult is a Fraud Alert. A Fraud Alert is a "flag" or indicator on a consumer's credit file that the individual may be a victim of identity theft. The Fraud Alert requires the creditor to contact the consumer via phone before issuing credit.

Consumers have a choice of a fraud alert for 90 days (my choice) or seven years. At the end of the period, the consumer can extend the alert by contacting the credit bureaus.

To place a Fraud Alert on your credit file, you simply contact any one or all three credit bureaus. (I left nothing to chance and contacted all three by phone.) Each credit bureau will inform the others of your Fraud Alert request. All credit bureaus will send a written confirmation of your Fraud Alert. The Equifax confirmation included this:

If you are a victim of fraud, the first step in protecting your credit information is to add a fraud alert to each of the credit files maintained by the three national credit reporting agencies. Adding a fraud alert may aid in the prevention of further fraudulent activity. We were successful in adding an alert to your Equifax credit file.

The TransUnion confirmation included this:

"We have received a request and added to your credit report an initial Fraud Alert. The alert will remain on your file for 90 days, as specified by the expiration at the end of the statement, and will be provided to anyone who receives a copy of your credit report. The alert will inform all credit grantors to take precautionary measures to verify the identity of the applicant before extending credit."

The confirmation also stated:

"As TransUnion is a credit-reporting agency, your credit report may be released to credit grantors who are active members of our agency. In order for the credit grantor to view the Initial Fraud Alert on your file, the credit grantor must first access your credit report."

As I read all three confirmations, I began to understand that the system is tilted to allow all three national credit bureaus to continue to distribute my credit file with my fraud alert appended. A careless credit bureau could still pass personal data to a thief pretending to be a valid creditor, and the identity thief could still take advantage of my (and your) good credit. This has happened to one data aggregator! See any news story about ChoicePoint at C/Net or PRC or InfoWorld or Consumer Affairs.

Definitely not a bullet-proof system. I felt a slightly better. Not great, but slightly better. A little protection, but not bullet-proof. I like bullet-proof.

This is one reason why I believe that the U.S. commerce system is tilted away from consumers and towards companies - to facilitate profit-making and lending credit. By sharing consumers' credit information, companies can make more money, but both the companies and the consumers incur risk. If I am going to participate in a system where I incur risk, I want rewards for my risk. Conversely, if companies want to benefit from sharing my personal data, then they'd better adequately protect my personal data. If they can't protect it, don't use my personal data and delete it!

If you feel this way (or not), I'd love to hear from you and why. In my opinion, the system needs to be balanced between companies and consumers, with stronger protections for consumers who typically have less resources than a corporation.

The TransUnion confirmation also stated:

"Under federal law, you are entitled to request a free copy of your credit report within the next 12 months."

This was good news at a time when I was receiving plenty of bad news. It's always good to get something for free... especially when you need it.

Next entry: IBM's offer