Get 'Mugged' On Facebook
Data Breach Affects 5,000 Liberty Bay Credit Union Customers

Consequences of the Heartland Data Breach (Part Two)

In Part One of this story, we met Janet after fraudsters had attempted to submit charges to her Visa credit card. Janet's story continues with some unexpected twists, which we all can learn from.

After Visa -- and not her credit union -- had notified Janet of some fraudulent charges, Janet followed my advice and notified Visa in writing (e.g., a letter via Postal Mail with a Return Receipt) that the charges were indeed bogus. Visa removed the bogus charges.

Janet was curious why her credit union had not notified her about the fraudulent credit card charges, since the credit union issued her Visa credit card. Her credit union indicated that her situation was not a result of the Heartland Payment Systems data breach, since her credit card number wasn't on the list of compromised card numbers the credit union received.

This seemed odd to me since Visa's arrangement with Heartland is well documented in the news media. Thinking that here situation was resolved, Janet was surprised to receive via postal mail a letter from Experian notifying her of an attempted address-change request. Somebody was attempting to change Janet's address on her Experian credit report. This was a troubling surprise for several reasons:

  • Janet had not submitted an address to change to Experian or to any other credit reporting agencies
  • Janet has a Security Freeze on her credit reports at the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion) to prevent unauthorized access. An attempted address change by a fraudster is clearly an unauthorized access.
  • In its letter, Experian also said that it had sent a notice of this attempted address change to both the new address and to Janet's current address

Janet is puzzled why Experian would send a letter to the new address when she alread has in place a Security Freeze prventing access to her Experian credit report. Next, Janet did what anyone would do: she called Experian's customer service number to talk with a representative. Janet did not want to just send a letter to Experian. She wanted faster action, since identity thieves were trying to access her sensitive personal data.

Sadly, Janet has been unable to talk with a human representative at Experian. When calling the Customer Serivce number, she gets stuck in an endless series of menus to phone messages, with no way to talk to a human customer service representative. Same results with Experian's web site.

Janet followed my advice and filed a police report with local law enforcement. After filing the report, the detective involved has also been unable to contact a human representative at Experian.

Janet asked me what she should do next, since she is leaving for vacation for 10 days. I said that while she is on vacation, I will try to contact the President or CEO of Experian to see what type of response I could get for her. Janet is also contacting her local Congressional Representative.

Janet should be able to talk with a human representative from Experian, especially during a time when identity thieves are attempting to access her Experian credit reports. Janet's experience so far seems to indicate a customer service melt-down at Experian.

This story is far from over. If you want to learn what happens, sign up for either e-mail or RSS updates from I've Been Mugged. As I learn more, I will post it in this blog.

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Rachel J

You can reach a live person at Experian if you have a report.

Dial 800-493-1058
say "yes"
enter credit report #
enter SSN
say "yes"
say "agent" then "yes" to the prompts after that

matt @ Thrive

There is absolutely no true substitute for good customer service. Leaving Experian out of the mix (they had to settle with the FTC for their predatory practices on FreeCreditReport.com) and just looking at consumer response as a whole, financial companies have to be held to a higher standard than they currently are. While I appreciate Rachel posting how to get to an agent, it shouldn't be that hard - simply saying "Agent" in any automated system should automatically take you immediately to a human person with the appropriate knowledge and training to help you.

At Thrive, the phone sits on my desk. When it rings, I pick it up, even if it is one in the morning. Indeed, the whole reason I dropped by to read tonight's article was that it is 1am, a user just called for help, and mentioned that he had read my comments here on another article and that today's article was worth a read. I'm not saying that every company should have their Lead Scientist in the office past midnight, but I do believe that there are some basic tenets of customer service that all companies should follow. Being able to reach a live person is just one.

I'd actually be interested in a seeing your thoughts on this, George, and the community's as well. If there were a "consumer" bill of rights for sites in the financial space, what do you think it should look like? What are standards that every company should be held to? I genuinely think that if consumers came together to help create some reasonable standards, there are companies that would come together to get behind them.

We've been working on the Thrive Bill Of Rights for some time...I wonder how we'd compare.

Thoughts?

George

Matt and everyone:

Back in March, I wrote about the "Bill of Rights" document developed jointly by the Santa Fe Group and ID Experts. You can read that post here:

http://ivebeenmugged.typepad.com/my_weblog/2009/03/santa-fe-group.html

That "Bill of Rights" document is a draft and I believe that the items Matt mentioned above should be added to it. If needed, I have some contacts at ID Experts.

George
Editor
http://ivebeenmugged.typepad.com

Bill Garner

This is a perfect example of the problems of being a victim of IDT. It is tough for an individual to fix and you are on your own. This example is not an exception; it is all to common:(

Jeff

Do you have any further updates on Janet's situation? My wife just received a letter from Experian regarding an address change that sounds just like this, though she had not had any previous attempts at ID theft or fraudulent credit card use. She also had credit freezes on her files. As of this point, we are awaiting her credit report from Experian (by mail) so that we can speak to a person and she has placed fraud alerts on Equifax and Transunion. She received an "unable to process" notice when attempting to place the alert with Experian. This has me very uneasy.

Bill

I also have gotten a name/address/SSN change letter, and also got the "unable to process" notice on the web site. Very puzzling.

I just refinanced my mortgage. Would Experian regard this as an address change?

George

Bill: I don't know if Experian would treat this as an address change. You might ask them and see what they say. Let us know.

Jeff: Janet's situation is still underway. When an update is available, I will report it. Just know that this is high on my priority list for many reasons. I too have a Security Freeze in place, and I thought that Security Freezes would prevent fraudulent address changes by identity thieves.

George
Editor
http://ivebeenmugged.typepad.com

Dan

My son just received a name/address changed letter from Experian. He put a security freeze on his account almost exactly 1 year ago. He's in the process of getting a credit report from them to see what, if anything, actually changed. I will report here what he finds out, as it may be useful information to others who have inexplicably received these letters.

George

Dan:

Thanks for sharing your experience. I know that I've Been Mugged readers are interested in hearing more, especially about Experian customer service's responsiveness. A common and expected practice: you son's existing creditors will report any balances or changes to the credit bureaus. If one of those existing creditors report a bogus (or accidental or incorrect) address change, it could trigger the address change notice.

George
Editor
http://ivebeenmugged.typepad.com

Susan Lardie

I hope that you can help me. In the three years since my divorce,according to my credit report, my address has been changed 5 times...without my knowledge! Each change has been to a place where my ex has been. No address notifications of any kind were sent to me. All of these changes show up on Experian. I've been at the same address for 15 years...how do I prove it? Social Security gets their info from the IRS, the IRS from the USPS, USPS from whoever fills out the form! Thanks, Susan

George

Susan:

Sorry to hear of your troubles. It seems likely that you are not getting all of your mail. If I were in your situation, this is what I'd do:

1) Write to Experian (via postal mail) and inform them of the fraudulent entries and your correct address
2) File a Fraud Alert on all 3 of your major credit reports; Experian, TransUnion, and Equifax (there are posts in this blog about how to do that)
3) Consider a Security Freeze on your credit reports for stronger protection than a Fraud Alert (there is a post in this blog that compares the two options)
4) File a police report. Attach copies of your Experian credit report and your corrective letter to Experian about the fraudulent entries
5) Write to the postmaster at both your local post office and to the postmaster at the post offices where your mail was diverted to. Inform them of the problem and ask for them to investigate
6) If you have the resources, hire a private investigator to film/record who picks up the mail at the bogus address
7) Change passwords on your bank accounts
8) Make sure your mail from all bank accounts, pensions, and 401-k retirement funds is going to your correct address.

Document everything in writing and send letters via certified U.S. Postal Mail with a return receipt. It may be a stalker, identity criminal, or both. As you learn more, take appropriate legal action to protect yourself and your bank accounts. Good luck and let us know what happens.

George
Editor
http://ivebeenmugged.typepad.com

theidtheftguy

The sad truth is that you can’t. Your information resides in thousands of databases nationwide and your information is only as secure as the database it’s in. We’re talking about billions of data points, including Social Security, Driver’s License, Motor Vehicle, Criminal, Civil, Legal, Licensing, Financial, Medical, Marketing, Consumer- there is no way that you and I as individuals can keep up with this information.
It seems like every week there’s a new story about a security breach in which people’s personal information has been compromised. Data breaches increased 47% between 2007 and 2008, reaching 656 breaches in 2008 alone. MILLIONS of identities have been compromised in these breaches!
That means (though you may not know it yet) you could already be a victim of Identity Theft, nice, huh?

Credit Repair Services

what do you think it should look like? What are standards that every company should be held to?

Credit Repair Services

"Agent" in any automated system should automatically take you immediately to a human person with the appropriate knowledge and training to help you...its good thing that there's someone out there who's willing to assist..

The comments to this entry are closed.