92 posts categorized "Credit Reporting Agencies" Feed

New York State Strengthens Its Data Breach Laws

To help its residents, the State of New York has improved its existing data breach law. Governor Andrew Cuomo signed two bills on July 25th:

"The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system."

The Governor's announcement emphasized the importance of the state's laws keeping pace with rapid advances in technology. To address new technologies, the SHIELD Act will provide stronger protections by:

"1) Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers; 2) Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; 3) Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State; 4) Expanding the definition of a data breach to include unauthorized access to private information; and 5) Creating reasonable data security requirements tailored to the size of a business."

The full text of the SHIELD Act legislation is available here. The SHIELD Act will go into effect on March 21, 2020. The announcement also mentioned Equifax:

"In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers... the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach..."

So, it seems that Equifax's breach and data security failures factored into the new legislation. The announcement also explained the new Identity Theft Prevention and Mitigation Services (A.2374/S.3582) legislation:

This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost. The bill... applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act."

The A.2374/S.3582 bill will go into effect on September 23, 2019. The retroactive coverage of three years is good as it ensures credit reporting agencies with recent data breaches cannot escape responsibility.

Consumer reporting agencies enjoy a unique position as consumers cannot opt out of having their credit reports covered by Experian, Equifax, and TransUnion. Some people would call that corporate welfare. It would be great if consumers had the right to remove their credit reports from credit reporting agencies that practice poor data security with repeated data breaches. Consumers have that right with retail stores -- you can stop shopping at stores with poor data security and multiple data breaches.

In related news, JD Supra reported about proposed legislation:

"... New York City lawmakers have proposed a bill that would make it unlawful for a mobile app developer or telecommunications carrier to share a customer’s location data without an authorized purpose if the data was collected from the customer’s device within the city. The bill broadly defines the term “share” as making “location data available to another person, whether for a fee or otherwise,” suggesting that selling information is unlawful without an authorized purpose such as customer consent. The bill allows for a private right of action, including penalties for violations of $1,000 per violation, with a maximum penalty of $10,000 per day per person whose location data was unlawfully shared, as well as attorney’s fees."

To learn more, read about new data breach legislation in other states this year.


Equifax To Pay $575 Million To Settle Charges By U.S. Regulators About Massive 2017 Data Breach

U.S. Federal Trade Commission logo Yesterday, the U.S. Federal Trade Commission (FTC) announced a proposed settlement agreement with Equifax, a national credit reporting agency, which has agreed to pay $575 million to resolve charges about its massive data breach in 2017. That breach exposed the sensitive personal and financial information of about half of all citizens in the United States. The announcement stated:

"In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud..."

U.S. Consumer Financial Protection Bureau The global, proposed settlement agreement included the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The FTC announcement described Equifax's data security failures (emphasis added):

"The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out... Equifax did not discover that its ACIS database was unpatched until July 2017... A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information... The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures... the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text."

A truly staggering amount. The most sensitive personal and financial information, indeed. Terms of the proposed settlement:

"... Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide."

The settlement also requires Equifax implement a "comprehensive information security plan," and to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. The comprehensive information security plan will: a) designate an employee to oversee the program; b) include annual assessment of security risks and safeguards; c) obtain "annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order;" d) monitor the effectiveness of security safeguards implemented; e) ensure service providers that access personal information stored by Equifax also implement adequate safeguards; and f) obtain third-party assessments every two years.

The CFPB also announced the proposed settlement on its website. CFPB Director Kathleen L. Kraninger said:

"Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority."

Kraninger also encouraged consumers affected by the breach to submit their claims to receive free credit monitoring or cash reimbursements. Equifax Chief Executive Officer Mark W. Begor said:

"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company. The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data... We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program..."

Also, Equifax has set up a website about the settlement: www.equifaxbreachsettlement.com. However, the site says it won't be fully functional until after it receives the approved court order. So, it seems best for affected consumers to deal directly with the FTC.

And, several questions remain. The Identity Theft Resource Center (ITRC) discussed the proposed settlement:

"What victims will qualify for reimbursement? How will victims provide accurate evidence of their efforts and misfortunes? Is this fund only for victims who purchased identity theft services? What is the option for victims who did not have the resources then or now to purchase paid services or avail themselves of free services like those ITRC provides? If all victims filed claims and funds were distributed equally to all 148 million people, each would receive fewer than $3.00 in funds or cost of assistance. This does not accurately reflect the true value of the data that was compromised..."

Yep. More payments by Equifax may be required.

And, the ITRC article includes an important reminder. While the Equifax offer includes a long period of free credit monitoring services -- up to 10 versus the usual 2 years -- the risk to affected consumers never goes away:

"... identity theft has no expiration date. The threat of identity theft does not decrease as more time passes from the date of the breach."

This is why it is critical for companies to deploy the strongest data security measures possible. After data breaches, consumers bear the long-term risks.

Last, the FTC encourages Equifax employees who believe the company fails to comply with the settlement to contact the FTC at [email protected]. Affected consumers should contact the FTC directly at the website below:

F.T.C. instructions for consumers affected by Equifax breach


After Promises To Stop, Mobile Providers Continued Sales Of Location Data About Consumers. What You Can Do To Protect Your Privacy

Sadly, history repeats itself. First, the history: after getting caught selling consumers' real-time GPS location data without notice nor consumers' consent, in 2018 mobile providers promised to stop the practice. The Ars Technica blog reported in June, 2018:

"Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users. Senator Ron Wyden (D-Ore.) recently urged all four major carriers to stop the practice, and today he published responses he received from Verizon, AT&T, T-Mobile USA, and SprintWyden's statement praised Verizon for "taking quick action to protect its customers' privacy and security," but he criticized the other carriers for not making the same promise... AT&T changed its stance shortly after Wyden's statement... Senator Wyden recognized AT&T's change on Twitter and called on T-Mobile and Sprint to follow suit."

Kudos to Senator Wyden. The other mobile providers soon complied... sort of.

Second, some background: real-time location data is very valuable stuff. It indicates where you are as you (with your phone or other mobile devices) move about the physical world in your daily routine. No delays. No lag. Yes, there are appropriate uses for real-time GPS location data -- such as by law enforcement to quickly find a kidnapped person or child before further harm happens. But, do any and all advertisers need real-time location data about consumers? Data brokers? Others?

I think not. Domestic violence and stalking victims probably would not want their, nor their children's, real-time location data resold publicly. Most parents would not want their children's location data resold publicly. Most patients probably would not want their location data broadcast every time they visit their physician, specialist, rehab, or a hospital. Corporate executives, government officials, and attorneys conducting sensitive negotiations probably wouldn't want their location data collected and resold, either.

So, most consumers probably don't want their real-time location data resold publicly. Well, some of you make location-specific announcements via posts on social media. That's your choice, but I conclude that most people don't. Consumers want control over their location information so they can decide if, when, and with whom to share it. The mass collection and sales of consumers' real-time location data by mobile providers prevents choice -- and it violates persons' privacy.

Third, fast forward seven months from 2018. TechCrunch reported on January 9th:

"... new reporting by Motherboard shows that while [reseller] LocationSmart faced the brunt of the criticism [in 2018], few focused on the other big player in the location-tracking business, Zumigo. A payment of $300 and a phone number was enough for a bounty hunter to track down the participating reporter by obtaining his location using Zumigo’s location data, which was continuing to pay for access from most of the carriers. Worse, Zumigo sold that data on — like LocationSmart did with Securus — to other companies, like Microbilt, a Georgia-based credit reporting company, which in turn sells that data on to other firms that want that data. In this case, it was a bail bond company, whose bounty hunter was paid by Motherboard to track down the reporter — with his permission."

"Everyone seemed to drop the ball. Microbilt said the bounty hunter shouldn’t have used the location data to track the Motherboard reporter. Zumigo said it didn’t mind location data ending up in the hands of the bounty hunter, but still cut Microbilt’s access. But nobody quite dropped the ball like the carriers, which said they would not to share location data again."

The TechCrunch article rightly held offending mobile providers accountable. Example: T-Mobile's chief executive tweeted last year:

Then, Legere tweeted last week:

The right way? In my view, real-time location never should have been collected and resold. Almost a year after reports first surfaced, T-Mobile is finally getting around to stopping the practice and terminating its relationships with location data resellers -- two months from now. Why not announce this slow wind-down last year when the issue first surfaced? "Emergency assistance" is the reason we are supposed to believe. Yeah, right.

The TechCrunch article rightly took AT&T and Verizon to task, too. Good. I strongly encourage everyone to read the entire TechCrunch article.

What can consumers make of this? There seem to be several takeaways:

  1. Transparency is needed, since corporate privacy policies don't list all (or often any) business partners. This lack of transparency provides an easy way for mobile providers to resume location data sales without notice to anyone and without consumers' consent,
  2. Corporate executives will say anything in tweets/social media. A healthy dose of skepticism by consumers and regulators is wise,
  3. Consumers can't trust mobile providers. They are happy to make money selling consumers' real-time location data, regardless of consumers' desires not for our data to be collected and sold,
  4. Data brokers and credit reporting agencies want consumers' location data,
  5. To ensure privacy, consumers also must take action: adjust the privacy settings on your phones to limit or deny mobile apps access to your location data. I did. It's not hard. Do it today, and
  6. Oversight is needed, since a) mobile providers have, at best, sloppy to minimal oversight and internal processes to prevent location data sales; and b) data brokers and others are readily available to enable and facilitate location data transactions.

I cannot over-emphasize #5 above. What issues or takeaways do you see? What are your opinions about real-time location data?


House Oversight Committee Report On The Equifax Data Breach. Did The Recommendations Go Far Enough?

On Monday, the U.S. House of Representatives Committee on Oversight and Government Reform released its report (Adobe PDF) on the massive Equifax data breach, where the most sensitive personal and payment information of more than 148 million consumers -- nearly half of the population -- was accessed and stolen. The report summary:

"In 2005, former Equifax Chief Executive Officer(CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks... Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable."

The report cited several failures by Equifax. First:

"On March 7, 2017, a critical vulnerability in the Apache Struts software was publicly disclosed. Equifax used Apache Struts to run certain applications on legacy operating systems. The following day, the Department of Homeland Security alerted Equifax to this critical vulnerability. Equifax’s Global Threate and Vulnerability Management (GTVM) team emailed this alert to over 400 people on March 9, instructing anyone who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a March 16 meeting about this vulnerability. Equifax, however, did not fully patch its systems. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal developed in the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed."

As bad as that is, it gets worse:

"On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases."

"Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic..."

Findings so far: 1) growth prioritized over security while archiving highly valuable data; 2) antiquated computer systems; 3) failed security patches; 4) unprotected user credentials; and 5) failed intrusion detection mechanism. Geez!

Only after updating its expired security certificate did Equifax notice the intrusion. After that, you'd think that Equifax would have implemented a strong post-breach response. You'd be wrong. More failures:

"When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services."

"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. "Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging..."

Findings so far: 6) inadequate post-breach response; and 7) complicated IT structure making updates difficult. Geez!

The report listed the executives who retired and/or were fired. That's a small start for a company archiving the most sensitive personal and payment information of all USA citizens. The report included seven recommendations:

"1: Empower Consumers through Transparency. Consumer reporting agencies (CRAs) should provide more transparency to consumers on what data is collected and how it is used. A large amount of the public’s concern after Equifax’s data breach announcement stemmed from the lack of knowledge regarding the extensive data CRAs hold on individuals. CRAs must invest in and deploy additional tools to empower consumers to better control their own data..."

"2: Review Sufficiency of FTC Oversight and Enforcement Authorities. Currently, the FTC uses statutory authority under Section 5 of the Federal Trade Commission Act to hold businesses accountable for making false or misleading claims about their data security or failing to employ reasonable security measures. Additional oversight authorities and enforcement tools may be needed to enable the FTC to effectively monitor CRA data security practices..."

"3: Review Effectiveness of Identity Monitoring and Protection Services Offered to Breach Victims. The General Accounting Office (GAO) should examine the effectiveness of current identity monitoring and protection services and provide recommendations to Congress. In particular, GAO should review the length of time that credit monitoring and protection services are needed after a data breach to mitigate identity theft risks. Equifax offered free credit monitoring and protection services for one year to any consumer who requested it... This GAO study would help clarify the value of credit monitoring services and the length of time such services should be maintained. The GAO study should examine alternatives to credit monitoring services and identify addit ional or complimentary services..."

"4: Increase Transparency of Cyber Risk in Private Sector. Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks. One example of how a private entity can increase transparency related to the company’s cyber risk is by making disclosures in its Securities and Exchange Commission (SEC) filings. In 2011, the SEC developed guidance to assist companies in disclosing cybersecurity risks and incidents. According to the SEC guidance, if cybersecurity risks or incidents are “sufficiently material to investors” a private company may be required to disclose the information... Equifax did not disclose any cybersecurity risks or cybers ecurity incidents in its SEC filings prior to the 2017 data breach..."

"5: Hold Federal Contractors Accountable for Cybersecurity with Clear Requirements. The Equifax data breach and federal customers’ use of Equifax identity validation services highlight the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition. The Office of Management and Budget (OMB) should continue efforts to develop a clear set of requirements for federal contractors to address increasing cybersecurity risks, particularly as it relates to handling of PII. There should be a government-wide framework of cybersecurity and data security risk-based requirements. In 2016, the Committee urged OMB to focus on improving and updating cybersecurity requirements for federal acquisition... The Committee again urges OMB to expedite development of a long-promised cybersecurity acquisition memorandum to provide guidance to federal agencies and acquisition professionals..."

"6: Reduce Use of Social Security Numbers as Personal Identifiers. The executive branch should work with the private sector to reduce reliance on Social Security numbers. Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential. To better protect consumers from identity theft, OMB and other relevant federal agencies should pursue emerging technology solutions as an alternative to Social Security number use."

"7: Implement Modernized IT Solutions. Companies storing sensitive consumer data should transition away from legacy IT and implement modern IT security solutions. Equifax failed to modernize its IT environments in a timely manner. The complexity of the legacy IT environment hosting the ACIS application allowed the attackers to move throughout the Equifax network... Equifax’s legacy IT was difficult to scan, patch, and modify... Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies...."

The history of corporate data breaches and the above list of corporate failures by Equifax both should be warnings to anyone in government promoting the privatization of current government activities. Companies screw up stuff, too.

Recommendation #6 is frightening in that it hasn't been implemented. Yikes! No federal agency should do business with a private sector firm operating with antiquated computer systems. And, if Equifax can't protect the information it archives, it should cease to exist. While that sounds harsh, it ain't. Continual data breaches place risks and burdens upon already burdened consumers trying to control and protect their data.

What are your opinions of the report? Did it go far enough?


Survey: Complexities And Consumer Fears With Checking Credit Reports For Errors

Many consumers know that they should check their credit reports yearly for errors, but most don't. A recent survey found much complexity and fears surrounding credit reports. WalletHub surveyed 500 adults in the United States during July, and found:

  • 84 percent of survey respondents know that they should check their credit reports at least once each year
  • Only 41 percent of respondents said they check their credit reports
  • 27 percent said they don't have the time to check their credit reports
  • 14 percent said they are afraid to see the contents of their credit reports

WalletHub found that women were twice as likely as men to have the above fear. Millennials were five times as likely than Baby Boomers to have this fear. More findings are listed below.

It is important for consumers to understand the industry. Inaccurate credit report can lower your credit score, the overall number used to indicate your credit worthiness. A low credit score can cost you money: denied credit applications, or approved loans but with higher interest rates. The errors in credit reports can include another person's data co-mingled with yours (obviously, that should never happen), a dead person's data co-mingled with yours, or a credit report that doesn't accurately reflect a loan you truly paid off on time and in full.

A 2013 study by the U.S. Federal Trade Commission (FTC) found problems with credit reports accuracy. First, 26 percent of participants identified errors in their credit reports. So, one in four consumers were affected. Plus, of the 572 credit reports where errors were identified, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) resulted in a credit score changed. So, finding and reporting errors is beneficial for consumers. Plus, a report in 2013 by the 60 Minutes television news magazine listed problems with the dispute process: failures by the largest three credit reporting agencies to correct errors reported by consumers on their credit reports.

There are national and regional credit reporting agencies. The three national credit reporting agencies include Experian, Equifax, andTransUnion. Equifax operates a secondary consumer reporting agency focused solely upon the telecommunications industry and broadband internet services.

Credit reporting agencies get their data from a variety of sources including data brokers. So, their business model is based upon data sharing. Just about anyone can set up and operate a credit reporting agency. No special skills nor expertise are required. Credit reporting agencies make money by selling credit reports to lenders. Credit reports often contain errors. For better or worse regarding security, credit reporting agencies historically have outsourced work, sometimes internationally.

The industry and executives have arguably lackadaisical data security approaches. A massive data breach at Equifax affected about 143 million persons in 2017. An independent investigation of that breach found a length list of data security flaws and failures at Equifax. To compound matters, the Internal Revenue Service gave Equifax a no-bid contract in 2017.

The industry has a spotty history. In 2007, Equifax paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. A data breach at Experian in 2015 affected 15 million wireless carrier customers. In 2017, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

See the graphic below for more findings from the WalletHub survey.

2018 Credit Report Complexity Survey by WalletHub. Click to view larger version


Equifax Operates A Secondary Credit Reporting Agency, And Its Website Appears Haphazard

Equifax logo More news about Equifax, the credit reporting agency with multiple data security failures resulting in a massive data breach affecting half of the United States population. It appears that Equifax also operates a secondary credit bureau: the National Consumer Telecommunications and Utilities Exchange (NCTUE). The Krebs On Security blog explained Equifax's role:

"The NCTUE is a consumer reporting agency founded by AT&T in 1997 that maintains data such as payment and account history, reported by telecommunication, pay TV and utility service providers that are members of NCTUE... there are four "exchanges" that feed into the NCTUE’s system: the NCTUE itself, something called "Centralized Credit Check Systems," the New York Data Exchange (NYDE), and the California Utility Exchange. According to a partner solutions page at Verizon, the NYDE is a not-for-profit entity created in 1996 that provides participating exchange carriers with access to local telecommunications service arrears (accounts that are unpaid) and final account information on residential end user accounts. The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax)... The California Utility Exchange collects customer payment data from dozens of local utilities in the state, and also is operated by Equifax (Equifax Information Services LLC)."

This surfaced after consumers with security freezes on their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, TransUnion) found fraudulent mobile phone accounts opened in their names. This shouldn't have been possible since security freezes prevent credit reporting agencies from selling consumers' credit reports to telecommunications companies, who typically perform credit checks before opening new accounts. So, the credit information must have come from somewhere else. It turns out, the source was the NCTUE.

NCTUE logo Credit reporting agencies make money by selling consumers' credit reports to potential lenders. And credit reports from the NCTUE are easy for anyone to order:

"... the NCTUE makes it fairly easy to obtain any records they may have on Americans. Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address."

The Krebs on Security blog also explain the expired SSL certificate used by Equifax which prevents serving web pages in a secure manner. That was simply inexcusable, poor data security.

A quick check of the NCTUE page on the Better Business Bureau site found 2 negative reviews and 70 complaints -- mostly about negative credit inquiries, and unresolved issues. A quick check of the NCTUE Terms Of Use page found very thin usage and privacy policies lacking details, such as mentions about data sharing, cookies, tracking, and more. The lack of data-sharing mentions could indicate NCTUE will share or sell data to anyone: entities, companies, and government agencies. It also means there is no way to verify whether the NCTUE complies with its own policies. Not good.

The policy contains enough language which indicates that it is not liable for anything:

"... THE NCTUE IS NOT RESPONSIBLE FOR, AND EXPRESSLY DISCLAIM, ALL LIABILITY FOR, DAMAGES OF ANY KIND ARISING OUT OF USE, REFERENCE TO, OR RELIANCE ON ANY INFORMATION CONTAINED WITHIN THE SITE. All content located at or available from the NCTUE website is provided “as is,” and NCTUE makes no representations or warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, title or non-infringement of proprietary rights. Without limiting the foregoing, NCTUE makes no representation or warranty that content located on the NCTUE website is free from error or suitable for any purpose; nor that the use of such content will not infringe any third party copyrights, trademarks or other intellectual property rights.

Links to Third Party Websites: Although the NCTUE website may include links providing direct access to other Internet resources, including websites, NCTUE is not responsible for the accuracy or content of information contained in these sites.."

Huh?! As is? The data NCTUE collected is being used for credit decisions. Reliability and accuracy matters. And, there are more concerns.

While at the NCTUE site, I briefly browsed the credit freeze information, which is hosted on an outsourced site, the Exchange Service Center (ESC). What's up with that? Why a separate site, and not a cohesive single site with a unified customer experience? This design gives the impression that the security freeze process was an afterthought.

Plus, the NCTUE and ESC sites present different policies (e.g., terms of use, privacy). Really? Why the complexity? Which policies rule? You'd think that the policies in both sites would be consistent and would mention each other, since consumers must use the two sites complete security freezes. That design seems haphazard. Not good.

There's more. Rather than use state-of-the-art, traditional web pages, the ESC site presents its policies in static Adobe PDF documents making it difficult for users to follow links for more information. (Contrast those thin policies with the more comprehensive Privacy and Terms of Use policies by TransUnion.) Plus, one policy was old -- dated 2011. It seems the site hasn't been updated in seven years. What fresh hell is this? More haphazard design. Why the confusing user experience? Not good.

Image of confusing drop-down menu for exchanges within the security freeze process. Click to view larger version There's more. When placing a security freeze, the ESC site includes a drop-down menu asking consumers to pick an exchange (e.g., NCTUE, Centralized Credit Check System, California Utility Exchange, NYDE). The confusing drop-down menu appears in the image on the right. Which menu option is the global security freeze? Is there a global option? The form page doesn't say, and it should. Why would a consumer select one of the exchanges? Perhaps, is this another slick attempt to limit the effectiveness of security freezes placed by consumers. Not good.

What can consumers make of this? First, the NCTUE site seems to be a slick way for Equifax to skirt the security freezes which consumers have placed upon their credit reports. Sounds like a definite end-run to me. Surprised? I'll bet. Angry? I'll bet, too. We consumers paid good money for security freezes on our credit reports.

Second, the combo NCTUE/ESC site seems like some legal, outsourcing ju-jitsu to avoid all liability, while still enjoying the revenues from credit-report sales. The site left me with the impression that its design, which hasn't kept pace during the years with internet best practices, was by a committee of attorneys focused upon serving their corporate clients' data collection and sharing needs while doing the absolute minimum required legally -- rather than a site focused upon the security needs of consumers. I can best describe the site using an old film-review phrase: a million monkeys with a million crayons would be hard pressed in a million years to create something this bad.

Third, credit reporting agencies get their data from a variety of sources. So, their business model is based upon data sharing. NCTUE seems designed to effectively do just that, regardless of consumers' security needs and wishes.

Fourth, this situation offers several reminders: a) just about anyone can set up and operate a credit reporting agency. No special skills nor expertise required; b) there are both national and regional credit reporting agencies; c) credit reports often contain errors; and d) credit reporting agencies historically have outsourced work, sometimes internationally -- for better or worse data security.

Fifth, you now you know what criminals and fraudsters already know... how to skirt the security freezes on credit reports and gain access to consumers' sensitive information. The combo NCTUE/ESC site is definitely a high-value target by criminals.

My first impression of the NCTUE site: haphazard design making it difficult for consumers to use and to trust it. What do you think?


How To View The List Of Advertisers Tracking You On Facebook. Any Surprises On Your List?

The massive privacy and data security breach at Facebook.com involving Cambridge Analytica has heightened many users' sensitivity to the advertising practices by the social networking service. Many Facebook users want to know the exact list of advertiser tracking them.

How To View The List Of Advertisers Tracking You

Facebook Ad Preferences page. Click to view larger version How to view this list? It's easy. Sign into Facebook.com and navigate to Settings > Ads > Advertisers You've Interacted With. (When using a web browser, you'll have to click on the tiny arrow in the upper right portion of the page to access the drop-down menu.) Within the Ad Preferences page, click on the "Advertisers You've Interacted With" headline to open that module. When opened, it displays several lists of advertisers:

  1. Who've added their contact list to Facebook
  2. Whose website or app you've used,
  3. Whom you've visited, and
  4. More

The default view of list #1 displays 12 advertisers tracking you. There probably are many more in your list. Select "Show More" to view more advertisers. Facebook doesn't make it easy. The module lacks a "Show All" button, which forces users to repeatedly select "Show More." Not good. Come on Facebook! You can do better.

List #1 includes important explanatory text:

"These advertisers are running ads using a contact list they uploaded that includes your contact info. This info was collected by the advertiser, typically after you shared your email address with them or another business they've partnered with."

The key phrase to remember: or another business they've interacted with. So, list #1 includes not only advertisers but also affiliates or business partners. Not good. More Facebook being Facebook.

I selected "Show More" about two dozen times to view my complete list: 235 advertisers tracking me, and collecting data about me. 235 advertisers even though I never used the Facebook mobile app, and had already disabled the Facebook API platform on my account years ago! Not good.

Your mileage will vary. There may be fewer or more advertisers on your list.

My list #1 included both advertisers I expected and many I didn't expect. The advertisers I expected to see brands I currently do business with (e.g., Marriott Rewards, ACLU), brands I no longer do business with (e.g., Bank of America, AT&T), and/or brands whose Facebook pages I "Liked" or left comments on. The advertisers who I didn't expected to see included politicians in other states I've neither visited nor live in, brands I've never purchased nor interacted with in any manner, brands I have never "Liked," and more.

Who's on your list? A friend shared:

"I looked at my list and it's crazy. Will follow the opt-out links tomorrow and clear them out. Cardi B was in my list of FB advertisers."

A rapper? That's too funny. I guess that's to be expected if you stream and share music online via Facebook. Me? I don't stream music online because that is another way to be tracked. Instead, I enjoy listening to CDs privately in my home. I prefer to keep my home a truly private place.

What's really going on here? Why the crazy long list? Popular Science explained:

"You, can thank the "data providers" for this mess. Mark Zuckerberg spent roughly 11 hours testifying in front of Congressional committees... One thing that got very little attention was the concept of “data brokers,” middleman businesses that collect consumer information and sell it to companies. Facebook stopped using them just last month. However, that long string of companies, personalities, and alternative rock bands is a result of Facebook’s old program... after the Cambridge Analytica scandal broke, but before Mark Zuckerberg’s marathon testimony in front of Congress, Facebook announced that it was ending a program called Partner Categories, canceling a long-standing relationship between the social network and data brokers. The change was announced in a short statement, but it has big implications for your personal information and the agencies that collect and sell it."

"The ability to target advertising is what makes Facebook its money—roughly $40 billion last year... while you provide lots of user information to Facebook, advertisers typically want even more... and that’s where data brokers come in. Facebook calls on brokers like Acxiom, Epsilon, and TransUnion to act as a conduit between Facebook and individual advertisers looking to reach targeted audiences..."

Readers of this blog may recognize TransUnion, one of the three major credit reporting agencies. So, the "advertisers" on Facebook tracking you (and data harvesting) include a variety of entities: traditional advertisers, business partners, affiliates, data brokers, and their intermediaries.

It's called "surveillance capitalism" for good reasons. Many companies besides Facebook do it.

What To Do Next

It's not easy to opt out or delete items from your advertising list. For those brands and entities you have "Liked," you can visit their Facebook page and "Unlike" them. However, that won't stop them or other "advertisers" from re-targeting (and tracking) you in the future. The "Ad Preferences" page for your profile also includes the "Your Information" module where you can toggle on or off advertising based upon certain profile elements:

Your Information module within Ad Preferences. Facebook. Click to view larger version

The above image is from 2017. back then I disabled all of the active toggles you see. Deactivating these toggles might minimize the number of ads displays, but it won't stop the tracking and data collection. The Popular Science article includes links to several opt-out mechanisms for major data brokers. You could (and should) use those. However, two key problems remain.

First, these opt-out links should be easily accessible within Facebook. They aren't. This forces consumers to waste time hunting for the opt-out mechanisms, when Facebook has the expertise to provide them. Facebook probably knows that many consumers will give up and quit, rather than hunt for opt-out links. It's great that Popular Science did a lot of the work for consumers.

Second, the opt-out mechanisms offered by some data brokers are unnecessarily complex. Example: see the opt-out mechanisms offered by Experian, another credit reporting agency:

Experian opt-out site pages. Click to view larger version

Didn't know that Experian plays in both ponds: credit reporting and data brokerage? Most people probably don't know. Experian's site lacks a unified, single opt-out mechanism which forces consumers to wade through seven different mechanisms and methods; some of which are paper-based and lack an online method. Not good!

TransUnion's opt-out mechanism isn't much better. And, it raises more questions than it answers? It links to the OptOutPrescreen.com site, which I completed way back in 2007. Did my Facebook membership undo that? Or is there some other data sharing at work, which the OptOutprescreen doesn't cover? TransUnion's page doesn't explain, and nither does Facebook's page. Not good.

Some people choose to use ad-blocking software (e.g., Adblock Plus, Ghostery) to suppress the display of online ads, but that probably won't stop the tracking and data collection internal to Facebook. There's no substitute for Facebook giving its users internal tools to completely disable and opt out of the tracking and data collection.

That highlights another problem: users are automatically included, so the burden is upon users to (continually) opt out. This is Facebook's business model. The reverse should be the default. Users should not be tracked nor data harvested unless they register and opt into the program. Given the social media site's business model, even if you opt out today, there's nothing stopping Facebook from re-subscribing you in the future with any updates to its system or terms of use.

How many advertisers are on your list? 200 or more? 300? 400? Any surprises on your list?


Securities & Exchange Commission Charges Former Equifax Executive With Insider Trading

Last week, the U.S. Securities and Exchange Commission (SEC) charged a former Equifax executive with insider trading. While an employee, Jun Ying allegedly used confidential information to dump stock and avoid losses before Equifax announced its massive data breach in September, 2017.

The SEC announced on March 14th that it had:

"... charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about a massive data breach that exposed the social security numbers and other personal information of about 148 million U.S. customers... The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief... According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses... The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying."

The massive data breach affected about 143 million persons. Equifax announced in March, 2018 that even more people were affected, than originally estimated in its September, 2017 announcement.

MarketWatch reported that Ying:

"... found out about the breach on Friday afternoon, August 25, 2017... The SEC complaint says that Ying’s internet browsing history shows he learned that Experian’s stock price had dropped approximately 4% after the public announcement of [a prior 2015] Experian breach. Later Monday morning, Ying exercised all of his available stock options for 6,815 shares of Equifax stock that he immediately sold for over $950,000, and a gain of over $480,000... on Aug. 30, the global CIO for Equifax officially told Ying that it was Equifax that had been breached. One of the company’s attorneys, unaware that Ying had already traded on the information, told Ying that the news about the breach was confidential, should not be shared with anyone, and that Ying should not trade in Equifax securities. According the SEC complaint, Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before. Equifax finally announced the breach on Sept. 7, and Equifax common stock closed at $123.23 the next day, a drop of $19.49 or nearly 14%..."


Update: 2.4 Million More Persons Affected By Massive Data Breach At Equifax In 2017

Equifax logo Equifax, one of the three national credit reporting agencies, announced today that 2.4 million more persons were affected by its massive data breach in 2017. The March 1st announcement stated, in part:

"Equifax Inc. today announced that the company has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.

Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates... Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information..."

Equifax will notify the newly identified breach victims via U.S. Postal mail, and will offer them complimentary identity theft protection and credit file monitoring services.

The timeline for the massive breach: intrusions occurred in May (2017), Equifax staff first discovered the intrusions in July (2017); Equifax notified the publicy in September (2017); and now identified 2.4 million more breach victims (March, 2018).

Equifax said in September (2017) that 143 million persons were affected. That was about 44 percent of the United States population. In October (2017), Equifax revised upward the number affected by 2.5 million to 145.5 million persons. What's the new total? Equifax didn't have the guts to admit it in its March 1st announcement. Since the company doesn't seem to want to admit it, I'm going with 147.9 million persons affected -- about 45.6 percent of the population.

So, it took Equifax almost six months after its initial announcement to determine exactly who was affected during its massive data breach. This does not inspire confidence. Instead, it suggests that the company's internal systems and intrusion detection mechanisms failed miserably.

A breach investigation by U.S. Senator Elizabeth Warren (Democrat - Massachusetts) reported several failures:

  1. Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems
  2. Equifax Ignored Numerous Warnings of Risks to Sensitive Data
  3. Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion
  4. Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data
  5. Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate.

Equifax's latest breach update highlights item #3: the company's failure to promptly notify consumers. When consumers aren't notified promptly, they are unable to take action to protect their sensitive personal and payment information.

Have we heard the last from Equifax? Will it provide future updates with even more persons affected? I hope not, but the company's track record suggests otherwise.

Equifax has foisted upon the country a cluster f--k of epic proportions = #FUBAR. Businesses and consumers depend upon secure, reliable credit reports. The United States economy relies upon it, too. Equifax executives need to experience direct consequences: fines, terminations, and jail time. Without consequences, executives won't adequately secure sensitive personal and financial information -- and this will happen again. What do you think?


Investigative Report By Senator Warren Details Failures By Equifax From Massive Data Breach

Equifax logo Earlier this month, U.S. Senator Elizabeth Warren (Democrat - Massachusetts) issued a report about her office's investigation in to the massive Equifax data breach. Key findings from the report:

  1. "Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems. The breach was made possible because Equifax adopted weak cybersecurity measures that did not adequately protect consumer data. The company failed to prioritize cybersecurity and failed to follow basic procedures that would have prevented or mitigated the impact of the breach. For example, Equifax was warned of the vulnerability in the web application software Apache Struts that was used to breach its system, and emailed staff to tell them to fix the vulnerability – but then failed to confirm that the fixes were made...
  2. Equifax Ignored Numerous Warnings of Risks to Sensitive Data. Equifax had ample warning of weaknesses and risks to its systems. Equifax received a specific warning from the Department of Homeland Security about the precise vulnerability that hackers took advantage of to breach the company’s systems. The company had been subject to several smaller breaches in the years prior to the massive 2017 breach, and several outside experts identified and reported weaknesses...
  3. Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion. The breach occurred on May 13, 2017, and Equifax first observed suspicious signs of a problem on July 29, 2017. But Equifax failed to notify consumers, investors, business partners, and the appropriate regulators until 40 days after the company discovered the breach. By failing to provide adequate information in a timely fashion, Equifax robbed consumers of the ability to take precautionary measures to protect themselves...
  4. Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data. Soon after the breach was announced, Equifax and the IRS were engulfed in controversy amid news that the IRS was signing a new $7.2 mil lion contract with the company. Senator Warren’s investigation revealed that Equifax used contracting loopholes to force the IRS into signing this “bridge” contract, and the contract was finally cancelled weeks later by the IRS after the agency learned of additional weaknesses in Equifax security that potentially endangered taxpayer data.
  5. Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate. Equifax took 40 days to prepare a response for the public before finally announcing the extent of the breach – and e ven after this delay, the company failed to respond appropriately. Equifax had an inadequate crisis management plan and failed to follow their own procedures for notifying consumers. Consumers who called the Equifax call center had hours-long waits. The website set up by Equifax to assist consumers was initially unable to give individuals clarity other than to tell them that their information “may” have been hacked – and that website had a host of security problems in its own right. Equifax delayed their public notice in part because the company spent almost two weeks trying to determine precisely which consumers were affected..."

Senator Warren's investigation was one of several underway. The importance of this investigative report cannot be overstated for several reasons. First, the three national credit reporting agencies (e.g., Equifax, Experian, and TransUnion) maintain reports about the credit histories and worthiness of all adults in the United States. That's extremely sensitive -- and valuable -- information that affects just about everyone. And, the country's economy relies on the accuracy and security of credit reports.

Second, Mick Mulvaney, the interim director appointed by President Trump to head the Consumer Financial Protection Bureau (CFPB), announced a halt to its investigation of the Equifax breach. This makes Senator Warren's investigative report even more important. Third, the massive Equifax data breach affected at least 143 million persons in the United States... about 44 percent of the United States population... almost half. Nobody in their right mind wants to experience that again, so a thorough investigation seems wise, appropriate, and necessary.

The credit reporting industry includes national agencies, regional agencies, and a larger list of "consumer reporting companies" -- businesses that collect information about consumers into reports for a variety of decisions about credit, employment, residential rental housing, insurance, and more. The CFPB compiled this larger list in 2017 (Adobe PDF; 264k bytes).

Senator Warren's report highlighted fixes needed:

"Federal Legislation is Necessary to Prevent and Respond to Future Breaches. Equifax and other credit reporting agencies collect consumer data without permission, and consumers have no way to prevent their data from being collected and held by the company – which was more focused on its own profits and growth than on protecting the sensitive personal information of millions of consumers. This breach and the response by Equifax illustrate the need for federal legislation that (1) establishes appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watches; and (2) empowers the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data."

Download the full report (Adobe PDF; 672k bytes) titled, "Bad Credit: Uncovering Equifax's Failure to Protect Americans' Personal Information." Senator Warren's report is also available here. The CFPB list of consumer reporting companies is also available here.

My personal view: data breaches like Equifax's will stop only after executives at credit reporting agencies suffer direct consequences for failed information security: jail time or massive personal fines. There has to be consequences. What do you think?


CFPB Backs Off Investigating The Massive Equifax Breach

Logo for Consumer Financial Protection Bureau MarketWatch reported on Monday that the Consumer Financial Protection Bureau (CFPB) has:

"...  scaled back its investigation into a data breach at credit reporting agency Equifax Reuters reported Monday. The CFPB's interim director Mick Mulvaney, appointed by the Trump administration, has not followed "routine steps" that would be involved in a probe, including issuing subpoenas against Equifax and seeking sworn testimony from its executives, Reuters reported.

And when regulators at the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency have offered to help examine the credit bureaus, the CFPB reportedly declined the help... several politicians and consumer advocates said this is the latest sign the CFPB under Mulvaney will be weak in its prosecution of financial firms... The Federal Trade Commission is also investigating the breach, but imposes financial penalties more rarely than the CFPB does... Mulvaney wrote in an op-ed published in January The Wall Street Journal that the bureau will no longer “push the envelope.” “When it comes to enforcement, we will focus on quantifiable and unavoidable harm to the consumer,” he wrote..."

Equifax logo The massive Equifax data breach affected at least 143 million persons in the United States. That was about 44 percent of the United States population... almost half. Nobody in their right mind wants to experience that again, so a thorough investigation seems wise, appropriate, and necessary.

The CFPB began supervision of the credit reporting industry in 2012. While the news report by MarketWatch is very troubling, sadly there is even more bad news:

"Consumer advocates are also concerned that the CFPB will get rid of the database of complaints related to current investigations, which allows the public to air complaints publicly. It also provided a direct way for the public to engage with the CFPB’s activities. The database contains hundreds of thousands of complaints filed by consumers about issues ranging from predatory debt collectors to errors on credit reports. Republicans have argued that the database shouldn’t be public, while consumer advocates say the public list of complaints is an important tool for consumers.

A public database has been “a powerful mechanism for keeping financial predators accountable to consumers,” Melissa Stegman, senior policy counsel at the Center for Responsible Lending, a nonprofit based in Durham, N.C., told MarketWatch... Mulvaney announced in January the CFPB may reconsider a rule Cordray implemented for payday lenders that was designed to protect consumers and limit the amount lenders are allowed to loan them, if they do not meet certain borrowing criteria."

Now, you know why you should be concerned, too, about foot-dragging by the CFPB's Equifax probe. There is plenty of evidence that the CFPB has done a spectacular job protecting consumers and their money:

While campaigning for President, Donald Trump positioned himself as a populist... promoting "populist nationalism." A true populist would not appoint a CFPB director that weakens or abandons protection for consumers. What do you think?


Considerations For Consumers Affected By The Equifax Breach

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

Equifax logo On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers it's September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess, most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29).  This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow for companies to post public notices online in websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182, 000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and UN-encrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, instead the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protections, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it ofered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

  • Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
  • Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock your Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitor for the past 10+ years, like you there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and a better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

Overview of features. TrustedID Premier service. Click to view larger version


Equifax Reported 15.2 Million Records Of U.K. Persons Exposed

Equifax logo Yesterday, Equifax's United Kingdom (UK) unit released a press release about the credit reporting agency's massive data breach and the number of breach victims. A portion of the statement:

"It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.

We would like to take this opportunity to emphasize that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test data-sets, duplicates and spurious fields... we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post... The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed."

Below is the tabular information of risk categories from the Equifax UK announcement:

Consumer groups Remedial action
12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed

14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed

29,188 consumers who had their driving license number accessed

We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organizations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence.

637,430 consumers who had their phone numbers accessed Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.

Some observations seem warranted.

First, the announcement was vague about whether the 15.2 million U.K. persons affected were included in the prior breach total, or in addition to the prior total. Second, the U.K. unit will send written breach notices to all affected consumers via postal mail, while the U.S. unit refused. The U.K. unit did the right thing, so their users are confused by and don't have to access a hastily built site to see if they were affected.

Third, given the data elements stolen some U.K. breach victims are vulnerable to additional frauds and threats like breach victims in the USA.

Kudos to the Equifax U.K. unit for the postal breach notices and for clearly stating the above risk categories.


Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

[Editor's note: today's guest post, by the reporters at ProPublica, highlights how credit reporting agencies treat certain information contained in consumers' credit reports. It is reprinted with permission.]

By Paul Kiel. ProPublica

For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

The consequences of Equifax’s harsher policy were likely life-changing for some unlucky people. As Experian warns consumers on its website, “having a bankruptcy in your credit history will seriously affect your ability to obtain credit for as long as it remains on your report. It can also affect your ability to qualify for things like an apartment, utilities, and even employment. Even car insurance rates may be affected.” Without knowing why, consumers could have been turned down for apartments because landlords checked their Equifax report rather than those from Experian or TransUnion.

Why Equifax’s policy was different is unclear and the company would not address it. But that such a discrepancy had gone unnoticed and unaddressed for so long underscores how lightly regulated the industry is.

ProPublica contacted all of the major credit agencies earlier this year as part of our ongoing series on consumer bankruptcy. The policies of TransUnion and Experian were similar: People who filed under Chapter 7, which wipes out most debts, would have a flag on their report for 10 years; those who filed under Chapter 13, which usually involves five years of payments before debts are forgiven, would have a flag for seven.

Equifax had the same Chapter 7 policy. But the company had a key difference in its policy for Chapter 13 filers: Those who were unable to complete their five years of payments and had their cases dismissed were saddled with a flag for three additional years.

This difference had the potential for widespread impact. About half of Chapter 13 cases are dismissed, usually because debtors fall behind on payments. From 2008 through 2010, 574,000 Chapter 13 cases were filed and subsequently dismissed, according to our analysis of filings. Under Equifax’s policy of keeping the flag on for 10 years, all those debtors would have a flag on their Equifax report through the end of 2017, but not on their TransUnion and Experian histories.

“It’s a problem, because you have a disparate treatment of debtors depending on which credit rating agency is reporting,” said Tara Twomey, an attorney with the National Consumer Law Center. “We really need consistent credit reporting for this system to work.”

Equifax’s policy also disproportionately affected black consumers, because, as our analysis showed, black debtors are more likely than whites to choose Chapter 13 and have their cases dismissed.

ProPublica wrote the company again in July, prior to its recent disclosure that its records had been hacked, laying out the potential impact of its policy on consumers and asking why it differed from competitors. In an email, Equifax spokeswoman Nancy Bistritz-Balkan wrote that the company had “recently modified the length of time for how long a dismissed Chapter 13 bankruptcy remains on file.” Under the new policy, she wrote, “Equifax removes the flag for a Chapter 13 bankruptcy after seven years, regardless of outcome.”

She would not say what “recently” meant, only saying, “The change we referenced was not implemented after we received your inquiry.” As to why Equifax made the change, she wrote, “At this time, I do not have additional details about how the change was made.”

It might seem puzzling that such a meaningful policy is not governed by law. While some aspects of credit reporting are, others are simply decided among the agencies themselves. Bankruptcy is a mix of the two. Under the Fair Credit Reporting Act, the longest a bankruptcy can stay on someone’s credit report is 10 years. The credit rating agencies have voluntarily decided to treat Chapter 13 cases differently because Chapter 13 typically involves the repayment of some debt, while Chapter 7 does not. Bistritz-Balkan made a point of saying that Equifax’s previous policy had been legal.

Initially, Chapter 7 and Chapter 13 have a similar effect on debtors’ credit scores, one that diminishes over time. Bankruptcy is a negative mark on a debtor’s history, but that doesn’t mean that declaring bankruptcy will invariably damage someone’s credit score. In fact, research shows that most people who declare bankruptcy actually see their score rise in the following months. That’s because the typical score is so low that the negative effect of the bankruptcy is outweighed by the positive effect of wiping out debt.

According to Zachary Anderson, a spokesman for FICO, the median FICO score for consumers who declared bankruptcy between October 2009 and October 2010, when filings peaked during the Great Recession, was 558 — lower than all but 20 percent of consumers with a credit score.

A recent analysis of credit files by Paul Goldsmith-Pinkham, an economist with the Federal Reserve Bank of New York, shows how scores change before and after bankruptcy. In the months prior to filing, as consumers fall deeper into debt, the average credit score plunges. The analysis, using a credit score generated by Equifax that works similarly to a FICO score, found that the average score fell to a low around 520-530, but recovered sharply over the next 6 months, then gradually increased thereafter.

Chart. Average Credit Scores Plunge Before Bankruptcy, Rise After. Click to view larger version

The next noticeable bump was seven or 10 years later, depending on the chapter, when the bankruptcy flags were removed. Consumers’ credit scores then jumped by about 10 points.

The consumers with the lowest credit scores, the analysis found, were those who had their Chapter 13 cases dismissed. That would be due, in part, to the fact that they tend to be disproportionately low-income and black, two groups with lower credit scores on average.

As we showed in our story about bankruptcy in Memphis, where Chapter 13 dismissals are incredibly common, these debtors can find themselves worse off for having tried bankruptcy. They might be even further behind on their debts after their cases are dismissed, making it harder to re-establish their credit. The effect of a dismissal lasts for years. At the very least, Equifax’s change in how it handles Chapter 13s means that the shadow cast by a past bankruptcy isn’t quite as long.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place" as C/Net described. Apparently, consumers taxpayers are also caught.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.


Equifax: 2.5 Million More Persons Affected By Massive Data Breach

Equifax logo Equifax disclosed on Monday, October 2, that 2.5 more persons than originally announced were affected by its massive data breach earlier this year. According to the Equifax breach website:

"... cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted... The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The September breach announcement said that persons outside the United States may have been affected. The October 2nd update addressed that, too:

"The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States. With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted... The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens."

So, things are worse than originally announced in September: more United States citizens affected, fewer Canadian citizens affected overall but more Canadians' credit card information exposed, and we still don't know the number of United Kingdom residents affected:

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications...

And, there's this statement by Paulino do Rego Barros, Jr., the newly appointed interim CEO (after former CEO Richard Smith resigned):

"... As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements..."

To review? That means Equifax has not finished the job of making its systems and websites more secure with security fixes based upon how the attackers broke in, which identify attacks earlier, and which prevent future breaches. As bad as this sounds, the reality is probably worse.

After testimony before Congress by former Equifax CEO Richard Smith, Wired documented "six fresh horrors" about the breach and the leisurely approach by the credit reporting agency's executives. First, this about the former CEO:

"... during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility. Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag."

Didn't ask about PII? Geez! PII describes the set of data elements which are the most sensitive information about consumers. It's the business of being a credit reporting agency. Waited 2 weeks for a briefing? Not good either. And, that is a most generous description since some experts question whether the breach actually started in March -- about four months before the July event.

Wired reported the following about Smith's Congressional testimony and the March breach:

"Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6... Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach. The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed."

Geez! Sounds like a managerial failure, too. Nobody followed up with the unnamed persons responsible for patching the portal? And Equifax executives took a leisurely (and perhaps lackadaisical) approach to protecting sensitive information about consumers:

"When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers... It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax's attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business."

Geez! So, we now have confirmation that the "core" information -- the most sensitive data about consumers -- in Equifax's databases is only partially encrypted.

Context matters. In January of this year, the Consumer Financial Protection Bureau (CFPB) took punitive action against TransUnion and Equifax for deceptive marketing practices involving credit scores and related subscription services. That action included $23.1 million in fines and penalties.

Thanks to member of Congress for asking the tough questions. No thanks to Equifax executives for taking lackadaisical approaches to data security. (TransUnion, Innovis, and Experian executives: are you watching? Learning what mistakes not to repeat?) Equifax has lost my trust.

Until Equifax hardens its systems (I prefer NSA-level hardness), it shouldn't be entrusted with consumers' sensitive personal and payment information. Consumers should be able to totally opt out of credit reporting agencies that fail with data security. This would allow the marketplace to govern things and stop the corporate socialism benefiting credit reporting agencies.

What are your opinions?

[Editor's note: this post was amended on October 7 with information about the CFPB fines.]


Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

Equifax logo According to news reports, Equifax experienced another data breach earlier this year before the massive data breach it announced on September 7th where criminals gained unauthorized access to Equifax's systems and computers from May through then end of July, 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to refer a breach involving TALX its payroll, human resources, and tax services subsidiary formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. Also, the Krebs On Security blog reported in May about the Equifax-TALX breach. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


31 States Sent Joint Letter Demanding Equifax Provide Free Services And Better Support For Consumers

On Friday, September 15, the attorneys general in several states sent a joint letter to Equifax as a result of the credit reporting agency's response to a massive data breach affecting about 143 million persons in the United States. The participating attorneys general are concerned about the impacts and costs to consumers. They want Equifax to respond better to the needs of consumers, extend the duration of the sign-up period for breach victims, and waive the fees of certain services. Perhaps most importantly, they are concerned about Equifax benefiting unjustly due to a situation it created.

The joint letter explained:

"... Chief among the issues causing confusion and concern are the inclusion of terms of service that required consumers to waive their rights, the offer of competing fee-based and free credit monitoring services by Equifax, and the charges consumers incur for a security freeze with other credit monitoring companies like Experian, TransUnion, and Innovis.

Initially, in order to enroll in the free credit monitoring that Equifax offered to all Americans, it appeared that Equifax attached certain conditions to the offer, including mandatory arbitration, among other things. The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forgo certain rights. It was not until after urging from our offices and public condemnation that Equifax withdrew these objectionable terms from its offer of free credit monitoring.

We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach. Consumers who view Equifax’s homepage are offered both Equifax fee-based credit monitoring services, as well as its services offered at no cost. Again, at the urging of our offices and following criticism in the media, Equifax made its offer of free credit monitoring services more prominent so that it can be more easily found by consumers. Although these changes are an improvement over the site’s original offering, which presented a much less prominent link when compared to Equifax’s fee-based offering, they do not address all of our concerns.

We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims. Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair, particularly if consumers are not sure if their information was compromised.

Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families. If there is any substantial benefit consumers can obtain by purchasing the fee-based services over the free credit monitoring, then we strongly suggest that Equifax upgrade its free credit monitoring service to provide equivalent protection. On the other hand, if the services are equivalent, then we fail to understand why Equifax continues to offer its fee-based services to those affected by the breach if equivalent services are obtainable at no cost. Either way, we request that Equifax disable links to its fee-based services until the sign-up period for the free service has ended. Additionally, the cutoff date of November 21, 2017 for consumers to avail themselves of the free services provided appears to us to be rather short-sighted and we suggest that date be extended to at least January 31, 2018.

Our offices are also receiving complaints from proactive consumers who have requested a security freeze. Although Equifax is not charging consumers a fee for its own security freeze service, these consumers are furious that they have been forced to pay for a security freeze with other companies, such as Experian and TransUnion, when this privacy breach was no fault of their own. We agree with these consumers that it is indefensible that they be forced to pay fees to fully protect themselves from the fallout of Equifax’s data breach.

Accordingly, we believe Equifax should, at a minimum, be taking steps to reimburse consumers who incur fees to completely freeze their credit..."

The participating attorneys general are from Alabama, Arizona, Connecticut, Delaware, Georgia, Hawaii, Illinois, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, North Dakota, Oklahoma, Ohio, Oregon, South Carolina, South Dakota, Pennsylvania, Virginia, West Virginia, and the District of Columbia. Read the announcement by Christopher S. Porrino, the State of New Jersey Attorney General. A copy of the joint letter is also available here (Adobe PDF).


The Equifax Breach: Several Investigations Underway

The Office of the Attorney General (AG) for the State of Nevada announced yesterday an investigation into the Equifax data breach. About 143 million persons were affected. The announcement stated:

"The breach, which took place from mid-May through July of this year, neglected to keep important personal identifying information safe and allowed hackers to access names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. As a result of this breach, approximately 209,000 individuals throughout the country are estimated to have had their credit card numbers stolen."

Nevada AG Adam Paul Laxalt said:

"As a part of my commitment to safeguard the identities and personal information of Nevadans, my office will be working diligently with other states to investigate the cause of the Equifax breach... I encourage Nevadans to contact Equifax to determine whether their data was compromised, and to consider taking additional steps to protect themselves."

The statement did not mention the other states the Nevada AG's Office is working with. Residents of Nevada should read the announcement which lists specific actions consumers in that state should take to protect themselves.

The Attorney General for the State of New York announced on September 8 both an investigation into the Equifax data breach and a consumer alert:

"Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data..."

The consumer alert portion of the announcement:

"1) Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you do not recognize could indicate identity theft. This is a free service; 2) Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. It will not prevent a thief from using any of your existing accounts; 3) Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize; and 4) Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS."

Annulacreditreport.com is the official site for free credit reports.  The U.S. Federal Trade Commission (FTC) issued new rules in 2010 which addressed consumer confusion in the marketplace about sites offering free credit reports. When using unofficial sites, some consumers found the "free" credit reports weren't truly free because they included expensive subscriptions to credit monitoring services.

On September 11, the New York AG's issued a warning about cyber attacks resulting from the Equifax breach:

"In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious [e-mail] links claiming to be from Equifax or financial institutions... Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities... New Yorkers should be on the lookout for these possible attacks: a) Phishing emails that claim to be from Equifax where you can check if your data was compromised; b) Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information; c) Calls from scammers that claim they are from your bank or credit union..."

Also, the Los Angeles Times confirmed an investigation by the U.S. Federal Trade Commission (FTC):

"The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country."

The news report cited comments by Peter Kaplan, the agency’s acting director of public affairs. So far, little is known which aspects of the breach the FTC is investigating.

No doubt, there is more news to come.


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax logo Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach where criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what's Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed stolen allow criminals to do a lot of damage. That might include: a) obtain fraudulent loans or credit in breach victims' names; b) impersonate breach victims (it's called pretexting) to access online accounts; c) with online access withdraw money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed their systems it is unlikely Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach it would take Equifax another 5 weeks later to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, the lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Stolen consumers' credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring indefinitely to all breach victims.

Why lifetime? Because the data elements accessed stolen have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements), rather than implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update in its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- it's responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets by criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (e.g., the Affordable Care Act) legislation -- some called it socialism -- while remaining remain silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?