92 posts categorized "Credit Reporting Agencies"

The Top Complaints About Financial Services. One Complaint Type Grew 325 Percent

After encountering unresolved issues with financial services, many consumers file complaints with the Consumer Financial Protection Bureau (CFPB). After each complaint, the CFPB works hard to get each consumer a reply within 15 days. This process allows the CFPB to track which issues affect most consumers, and to identify emerging problems.

According to its April Monthly Complaint Report, debt collection issues generated the most complaints on average, and complaints about student loans grew the fastest:

"As of April 1, 2017, the CFPB has handled approximately 1,163,200 complaints, including approximately 28,000 complaints in March 2017... Student loan complaints showed the greatest percentage increase from January - March 2016 (773 complaints) to January - March 2017 (3,284 complaints), representing about a 325 percent increase. Part of this year-to-year increase can be attributed to the CFPB updating its student loan complaint form to accept complaints about Federal student loan servicing in late February 2016. The CFPB also initiated an enforcement action against a student loan servicer during this time period."

CFPB Monthly Complaint Report. April, 2017. Table 1.

The top five categories of complaints during March, 2017:

  1. Debt collection: 8,711
  2. Credit reporting: 5,498
  3. Mortgages: 3,965
  4. Credit cards: 2,522
  5. Bank account or service: 2,476

Also during March: debt collection complaints represented about 31 percent of complaints; debt collection, credit reporting and mortgage were the top three most-complained-about consumer financial products and services. Together, these three categories represented 65 percent of complaints during March.

The top five categories of complaints since the CFPB began:

  1. Debt collection: 316,810
  2. Mortgages: 272,153
  3. Credit reporting: 195,826
  4. Credit cards: 118,732
  5. Bank account or service: 115,055

The CFPB began accepting complaints for different products and services at different times:

There were regional differences in complaint volume:

"Montana (54 percent), Georgia (46 percent), and Wyoming (45 percent) experienced the greatest complaint volume percentage increase from January - March 2016 to January - March 2017. New Mexico (-20 percent), Iowa (-5 percent), and Kansas (-0.7 percent) experienced the greatest complaint volume percentage decrease... Of the five most populated states, Texas (35 percent) experienced the greatest complaint volume percentage increase and Florida (8 percent) experienced the least complaint volume percentage increase from January - March 2016 to January - March 2017."

The report also tracks complaints by company:

CFPB Monthly Complaint Report. April, 2017. Figure 1.

The CFPB reported additional details about student loan complaints:

"Approximately 32,700 (or 74 percent) of all student loan complaints handled by the CFPB from July 21, 2011 through March 31, 2017 were sent by the CFPB to companies for review and response. The remaining complaints have been found to be incomplete (7 percent), referred to other regulatory agencies (19 percent), or are pending with the CFPB or the consumer (0.5 percent and 0.4 percent, respectively)... The most common issues identified by consumers are problems dealing with their lenders or servicers (64 percent) and being unable to repay their loans (33 percent)."

"Federal student loan borrowers reported that when contacting their loan servicers regarding financial distress, servicers provided them with information on hardship forbearance or deferment, instead of potentially more beneficial repayment options like income-driven repayment plans... loan borrowers complained of difficulty enrolling in income-driven repayment plans. Borrowers reported lost documentation, extended application processing times, and unclear guidance when seeking to switch from one income-driven repayment plan to another."

"Federal student loan borrowers described their experiences when trying to obtain guidance in completing annual income recertification for their income-driven repayment plan. Borrowers reported receiving insufficient information from their servicers to meet recertification deadlines and lengthy processing times. Some federal student loan borrowers stated their payments were misapplied. Borrowers reported overpayments were not applied to specified accounts but rather applied to all accounts managed by the servicer. Additionally, some borrowers’ overpayments—intended to reduce principal balance—were credited to the account as an early payment, resulting in their account reflecting a paid ahead status..."

To read more, download the full "April 2017: CFPB Monthly Complaint Report: Vol. 22" (Adobe PDF).

2 Credit Reporting Agencies To Pay $23.1 Million To Settle Deceptive Advertising Charges

Last week, the Consumer Financial Protection Bureau (CFPB) announced the actions it had taken against two credit reporting agencies and their subsidiaries for deceptive advertising practices with credit scores and related subscription programs. The CFPB announcement explained:

"TransUnion, since at least July 2011, and Equifax, between July 2011 and March 2014, violated the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act by: 1) Deceiving consumers about the value of the credit scores they sold: In their advertising, TransUnion and Equifax falsely represented that the credit scores they marketed and provided to consumers were the same scores lenders typically use to make credit decisions. In fact, the scores sold by TransUnion and Equifax were not typically used by lenders to make those decisions; 2) Deceiving consumers into enrolling in subscription programs: In their advertising, TransUnion and Equifax falsely claimed that their credit scores and credit-related products were free or, in the case of TransUnion, cost only “$1.” In reality, consumers who signed up received a free trial of seven or 30 days, after which they were automatically enrolled in a subscription program. Unless they cancelled during the trial period, consumers were charged a recurring fee – usually $16 or more per month. This billing structure, known as a “negative option,” was not clearly and conspicuously disclosed to consumers."

Credit scores are numerical summaries designed to predict consumer repayment behavior while using credit. Those numeric summaries attempt to indicate a consumer's creditworthiness based upon factors like their bill-paying history: the number and type of credit accounts, the total amount of debt, if the credit accounts are maxed out, the age of that debt, whether bills are paid on time, collection activities by lenders to get paid, and the age of the consumer's accounts.

It is important for consumers to know that lenders rely in part on credit scores when deciding whether to extend credit to consumers and how much credit to extend. Plus, there are several branded credit scores in the marketplace. So, no single credit score is used by all lenders, and lenders may use one or more branded credit scores when making lending decisions. Also, the credit scores sold to consumers by TransUnion:

"... are based on a model from VantageScore Solutions, LLC. Although TransUnion has marketed VantageScores to lenders and other commercial users, VantageScores are not typically used for credit decisions."

Generally, the higher a credit score, the less risky that consumer is to lenders. The U.S. Federal Trade Commission (FTC) has a helpful site that explains credit scores and provides answers to common questions by consumers.

The CFPB actions require Equifax and TransUnion to pay fines totaling $5.5 million to the CFPB, and to pay more than $17.6 million in restitution to affected consumers. TransUnion's share of the fines is $3 million, and Equifax's share is $2.5 million. Other terms of the enforcement action:

"TransUnion and Equifax must clearly inform consumers about the nature of the scores they are selling to consumers... Before enrolling a consumer in any credit-related product with a negative option feature, TransUnion and Equifax must obtain the consumer’s consent. TransUnion and Equifax must give consumers a simple, easy-to-understand way to cancel the purchase of any credit-related product, and stop billing and collecting payments for any recurring charge when a consumer cancels."

"Negative option" is when a free trial automatically converts to a monthly paid subscription if the consumer fails to cancel during the free trial period. Historically, the three major credit reporting agencies have offshore outsourced call center operations. So, it will be interesting to see how many of these jobs return to the United States given the policy positions of the incoming President and his administration. And, the industry has come under scrutiny for failing to fix errors in the credit reports they sell.

The industry has had some spectacular information security failures. A May 2016 breach at Equifax exposed the sensitive personal information of more than 430,000 employees of its Kroger supermarkets client. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations by the FTC about the improper sales of customer lists from January 2008 to early 2010.

The CFPB began supervision of the credit reporting industry in 2012. CFPB Director Richard Cordray said about this recent enforcement action:

"TransUnion and Equifax deceived consumers about the usefulness of the credit scores they marketed, and lured consumers into expensive recurring payments with false promises... Credit scores are central to a consumer’s financial life and people deserve honest and accurate information about them."

Kudos to the CFPB for this enforcement action.

Facts About Debt Collection Scams And Other Consumer Complaints

The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam is an attempt to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect."

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies, with their average monthly complaints about debt collection, are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced Recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report.

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.

Experian Has Paid $20 Million (So Far) In Post Breach Costs

Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations into the matter."

Details about the September breach are available here.

Not good. As I wrote in October, Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. It is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.

The CFPB Helps Consumers

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

In a separate case, a class-action was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures— a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.

U.S. Supreme Court To Hear Arguments About Spokeo Lawsuit

While the country focuses on the U.S. Supreme Court as it considers arguments about whether the U.S. Constitution contains rights for gay and lesbian adults to enter into marriage contracts, there is another case before the Court that is arguably of equal, if not more, importance.

The current case is Spokeo v. Robins, U.S. Supreme Court, No. 13-1339. The U.S. Chamber of Commerce, Facebook, and Google have filed friend-of-the-court briefs to support Spokeo.com's position. Maybe you've heard about Spokeo.com, the people-finder website, or have even used it. This blog first reported about Spokeo.com back in 2010.

This is a Court case you'll want to follow. Why? Basically, the lawsuit is about who controls consumers' personal property: specifically, the profile information about consumers in various databases compiled by data brokers. Do individual consumers each control their profile data, or do the data brokers? You might say, the case is about whether we want accurate "bigdata" or not.

The plaintiff, Thomas Robins, a Virginia resident, originally filed a lawsuit in 2010 in California alleging the data collected and sold about him by Spokeo.com was incorrect, prevented him from finding a job, and as a result violated the Fair Credit Reporting Act (FCRA). The FCRA requires that consumers receive notice about their profile information and have the rights to view and correct their information collected by credit reporting agencies. Also, consumers have the right to lock down or prevent their credit reports from being sold by the three major credit reporting agencies: Experian, TransUnion, and Equifax. Of course, in this case Spokeo.com claimed that it is not a credit reporting agency.

Robins' suit was dismissed in 2011 by a lower court for lack of standing; that is, he hadn't proved harm. An Appeals Court reversed the lower court's decision in 2014. The U.S. Supreme Court will hear the case, and its decision will hopefully settle the matter.

University of Washington School of Law professor Anita Ramasastry analyzed the case:

"Spokeo attempts to immunize itself from FCRA violations by stating that it is not providing data for use in credit reporting. But as a recent lawsuit illustrates, Spokeo’s data is being used for such purposes, because the company may not have sufficient safety precautions... Robins’s lawsuit is not the first time that Spokeo has gotten into hot water. While it claims to be a site selling personal data for other uses (e.g., cultivating new clients, finding old friends, and evaluating prospects for business deals) it is skating on thin ice, as its data is also useful to landlords, employers, and even lenders, who may subscribe to the service as a way of doing additional background checks on people. These new types of data brokers are either unregulated, or claim that certain laws do not apply to them..."

Spokeo paid $800,000 in 2012 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603(d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

A 2012 survey found that most consumers are unaware about how data brokers operate. In her analysis, professor Ramasastry explained:

"[Spokeo] obtains information from dozens of sources including public records, marketing surveys, online maps, and social networks, the company says on its website. What is unclear from the company’s site is how it merges and melds data together to create a unique profile—so that data that may not be yours, or data that has an error in it, will not get wrongly compiled into your unique individual profile. In one of its blog posts, the company tells the public that “Spokeo is not a private investigator, but an information aggregator. This means that our machines do not have the human intelligence to decide which information is right, and which is wrong." This may be its assertion, but many people rely on Spokeo to serve as a sort of online detective and make decisions based on what they find in its records. Spokeo says in its Terms of Use that using the site to determine eligibility for employment, credit or other use under the FCRA is “explicitly prohibited.” "

Plus, consumers must pay to view their full profile at Spokeo.com. Professor Ramasastry concluded that the lawsuit (bold emphasis added):

"... illustrates the gray zone in which Spokeo has been operating. It is collecting data that is not traditionally the type of data that has been used for credit-reporting purposes. Employers, banks, insurers, and landlords have typically relied on financial history: how much debt a person has, whether he or she has paid their bills on time, whether he or she has a criminal record, etc. But Spokeo and other companies are compiling even more robust data sets, with new types of profiles that creditors and others will also find useful when making decisions, so Spokeo has a product that creditors want... And the underlying issue is this: when the information is used for a major life decision, such as whether someone might be hired or not, the person affected has no recourse, or ability to correct the errors."

It's not just Spokeo.com. Other data brokers operate in the same "gray zone." One example is the mugshot industry, where its data seems similarly error-filled. Mugshots from arrest records published don't seem to be updated based upon the results of court cases when charges are dropped or when defendants are found not guilty by a court. And, there are some print mugshot publications. Plus, the mugshot industry operates in an ethically questionable manner when it charges consumers with large take-down fees to have their mugshots removed (only to reappear in another site).

What can consumers conclude about all of this? Four things:

  1. The data compiled by many data brokers has errors, whether they admit it or not. Consumers don't know how accurate (or inaccurate) the data compilation processes are. This can affect you. That data brokers' databases have errors should not be a surprise since errors by credit reporting agencies are well documented. The two perform similar functions.
  2. What consumers share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites will sell your information to data brokers, and your profile data will find its way into sites like Spokeo.com.
  3. What gets decided in this case probably will have ripple impacts upon the whole Internet of Things (IoT) industry, as the Internet-connected devices installed in "smart homes" collect even more information about consumers' habits, movements, purchases, utilities, and product usage.
  4. There are rarely-discussed ethical issues. Is it right for data brokers to sell information about consumers they know isn't correct, and pretend that it is? Is it right for data brokers to charge consumers a fee to see their own profile data? After all, without consumers, data brokers like Spokeo wouldn't have anything to sell. Is it right for creditors and employers to use data brokers' sites with incorrect information?

My opinion: if it walks like a duck, quacks like a duck, and smells like a duck, then it probably is a duck. Spokeo claims it's not a credit reporting agency, but it surely operates like one. The FTC case highlighted the company's operations with procedures that may not prevent creditors from performing FCRA applications. Think of it this way: to find somebody online, you can simply search Facebook, one of the major search engines, or a white-page telephone site. So, the data compiled by Spokeo seems intended for more advanced purposes beyond finding people. Spokeo can't and shouldn't have it both ways: enjoy the benefits and revenues without complying with the FCRA requirements.

At some point, one has to hold companies accountable for selling error-filled information. If not, then you have chaos. What are your opinions?

Massachusetts And Several State Attorneys General Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorneys general, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of births, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumers could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information."

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (e.g., Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers that don't have a credit monitoring service can visit AnnualCreditReport.com to order their free credit report once each year from the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion). Consumers that experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency can submit complaints to the Consumer Financial Protection Bureau (CFPB). At the CFPB site, click on the "Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.

The Words Organizations Use In Their Data Breach Notices

What words do organizations use frequently in breach notification letters and announcements? To better understand this, I used the Wordle tool to create word clouds from several actual, high-profile breach notifications during the past six months. The tool gives more prominence to words that appear more frequently.

Some breach notices were blog posts, some were press releases, some were web pages in a small website specifically about that data breach, and others were letters shared with state agencies, as required by law in some states. I wanted to see what words were frequently used and any variations.

A word cloud from the February 2013 breach notice by Twitter:

Word cloud for the Twitter.com breach notice


A word cloud from the February 2013 breach notice by GE Capital Retail Bank (Adobe PDF):

Word cloud for the GE Capital Retail bank breach notice

A word cloud from the February 2013 breach notice by Walgreens drug stores (Adobe PDF):

Word cloud for the Walgreens breach notice

A word cloud from the January 2013 breach announcement by the Experian credit reporting agency (Adobe PDF):

Word cloud for the Experian breach notice

A word cloud from the January 2013 breach announcement by Zaxby's restaurants:

Word cloud for the Zaxbys breach notice

A word cloud from the November 2012 breach notice by Pinnacle Foods:

Word cloud for the Pinnacle Foods Group breach notice

A word cloud from the November 2012 breach notice by Nationwide Insurance:

Word cloud of the Nationwide Insurance breach notice

Clearly, there is a lot of variety. Some words (e.g., information, report, credit, security) appear frequently within and across breach notices. Some breach notices feature the company name prominently while others don't. While the words may vary, basic information about the breach is presented pretty consistently: organization name, relevant dates, the types of individuals affected (e.g., members, employees, students), and what that organization calls the notice.

A lot of this is mandated by state breach notification laws. Depending upon local laws, the notification may be sent to affected individuals, a public notice, or both.

The content that varies seems to be the amount of detail disclosed about the cause of the data breach, and the resources for breach victims. The resources vary based on the type of data stolen. For example, when consumers' Social Security numbers have been stolen, the notices frequently mention the major credit reporting agencies. This is what I have seen frequently in both breach notices I have received and others I have read.

An exception seems to be the GE notice which only mentions a single credit reporting agency. Sometimes, the resources to help breach victims are in a separate document or website page. So, this will affect the words used in the actual breach notice.

Sadly, the credit reporting agencies experience data breaches, too. Since they specialize in information about individuals, you might think that they don't experience data breaches, but they do. The FTC has studied the accuracy of credit reports, and many people feel that credit reporting agencies should do a lot more to fix the errors in their consumer credit reports.

What do you think of data breach notices? How many breach notices have you received?

FTC Studies The Accuracy Of Consumer Credit Reports. Plenty Of Errors To Be Fixed By Credit Reporting Agencies

The blog post on Monday discussed the 60 Minutes report about the failures in the dispute process at credit reporting agencies to fix mistakes in consumers' credit reports. Today's post discusses the recent U.S. Federal Trade Commission (FTC) survey, which prompted that news report.

The FTC survey analyzed the accuracy and completeness of consumer credit reports. This was the agency's fifth such report. Section 319 of the 2003 FACT Act requires the FTC to conduct a study of the accuracy and completeness of consumer credit reports.

Major findings from this FTC study:

  1. 26% of consumers (262 of 1,001 participants) identified errors on their credit reports that might affect their credit scores. 19% of credit reports (572 of 2,968 reports) had an alleged error reported by participants
  2. 20% of consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports
  3. Of the 572 credit reports where an error was submitted, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) had a credit score changed. Those same 211 credit reports are 7.1% of all credit reports in the study
  4. Of the 262 consumers who identified alleged inaccuracies in their credit reports and filed disputes, 206 consumers (80%) had a modification made by a credit reporting agency to their credit report in response to the dispute. Of these, 129 consumers (12.9% of all 1,001 participants) experienced a change in credit score following the dispute process
  5. Slightly more than 10% of consumers saw a change in their credit score after the credit reporting agencies fixed errors on their credit reports
  6. Approximately 5% of consumers had a maximum credit score change of more than 25 points, while 0.4% of consumers had a maximum score change of more than 100 points

If you skimmed or quickly read the high-level findings or the FTC press release, then you might assume that there is no problem -- and you would be wrong for several reasons. First, that 20% of consumers found an error in at least one of their credit reports means that as many as 40 million people (20% of the 200 million Americans with credit reports) could have at least one error in one of their three credit reports with Experian, Equifax, or TransUnion. That seems to be a huge error rate.

Second, this error rate is based on a percentage of consumers. Some credit reports had multiple errors in them. So, a more accurate error rate would be based on the number of credit reports with errors compared to the total number of credit reports. Or, an even better error rate would be the average number of errors in a credit report. Third, the report doesn't seem to measure the percentage of error items that credit reporting agencies don't fix which they should have fixed (that's another type of error).

Fourth, that 20% error rate is the number of consumers who reported errors and the credit reporting agencies fixed them. (Explanation below.) A much higher rate of consumers reported errors: 26%. It seems that the real error rate is far higher.

I waded through the 370-page FTC report because credit reports are critical documents. Consumers need them to be accurate to do business with lenders, and lenders use these documents constantly. Plus, credit reports contain a lot of important, sensitive, personal information about you, your lifestyle, and the purchases you've made:

"... (1) Identifying information including name, address, birth date, SSN, and previous/alternate names and addresses; (2) Credit account information including information about current and past credit accounts such as mortgages, car loans, credit cards, and installment payments; (3) Public records such as bankruptcies, foreclosures, civil judgments, and tax liens; (4) Collection accounts, which include unpaid debts (such as medical bills) that have been turned over to collection agencies; and (5) Inquiries (subscriber requests to access a consumer credit report)."

When you apply for credit or when a potential lender requests to view your credit report to make a lending decision, a "hard inquiry" results. Too many "hard" inquiries and your credit score can go down. The study identified different types of errors (bold emphasis added):

"... we define a ‘potential error’ as an alleged inaccuracy identified by the participants with the help of the study associate... Lenders often use the credit score associated with a credit report to assess the credit risk of a particular consumer. Therefore, we define a ‘potentially material error’ as an alleged inaccuracy in information that is commonly used to generate credit scores. Information used to generate credit scores include the number of collections accounts, the number of inquiries (hard pulls on a credit file), the number of negative items such as late or missed payments, and other factors. An alleged error is considered potentially material prior to the dispute process simply by its nature as an item used to generate credit scores... We define a ‘confirmed material error’ in several ways, though all rely on a confirmed error being determined as a result of the FCRA dispute process..."

If you are reading this closely, then you realize that credit reports contain errors both in the information used to calculate consumers' credit scores, and in the information not used to calculate credit scores:

"Errors in header information (current/previous address, age, or employment) are not considered in determining a FICO credit score and thus are not defined as material in the context of this study."

In my opinion, this distinction does a disservice to consumers. It tolerates a certain level of sloppiness; that it is okay for credit reporting agencies to get their credit reports mostly correct. Header information elements are no less important than other credit report elements. These header elements could be used to match credit reports for a person with input submitted by lenders and/or within dispute investigations. Second, a credit report is such an important document that it needs to be correct. Period. Credit reports are important because:

Errors are errors. Period. They all are important. Fix them all. Decades ago and early in my business career, I learned an important lesson about producing a quality product or service:

"Why spend all this time finding and fixing and fighting when you could prevent the incident in the first place?... It is much less expensive to prevent errors than to rework, scrap, or service them... It is always cheaper to do the job right the first time."

Either the credit reporting agencies haven't learned these lessons about quality, or they intentionally choose not to pursue a goal of zero defects.

To the good, the FTC study looked at error rates among header information from credit reports:

"In cases where a participant identified only an error in header information, the participant was instructed to dispute the error directly with FICO and the participant’s credit report was not redrawn. For the individuals with material errors and header information errors, the outcome for the header information disputes is known. The third most common alleged inaccuracies occur in the data on header information (154 alleged errors on 127 reports, comprising 4.3% of the sample). Note this represents a lower bound of the frequency of header information errors, as reports with errors only in header information are not included. The modification rate for header information is higher than that of other alleged material error types (99 modifications, comprising 64.3% of the disputed header information items)."

In other words, in this study 127 credit reports had 154 alleged errors in the header information, or 1.2 errors on average per credit report. The credit reporting agencies fixed 99 of these 154 alleged errors -- what I would calculate as a 64.3% correction rate for header items. Still, this is a best-case correction rate, because the above excluded instances where the only error reported by the consumer was in the header information.

The study found that the main types of confirmed material errors (that could affect a consumer's credit score) that were fixed by credit reporting agencies were:

"... errors in the tradeline (consumer accounts) or collections information. The most common alleged inaccuracies occur in the data on tradelines (708 alleged errors on 409 reports, comprising 13.8% of the sample) or collections accounts (502 alleged errors on 223 reports, comprising 7.5% of the sample). The most commonly modified errors are tradeline information errors (395 modifications) and collections information errors (267 modifications)."

The supporting details:

| Error Type | # of Alleged Errors | Items Modified #(%) | # Reports with Alleged Errors | Avg. # Alleged Errors / Report | Reports with Errors Modified #(%) |
|---|---|---|---|---|---|
| Collections | 502 | 267 (53.2%) | 223 | 2.3 | 146 (4.9%) |
| Duplicate Entries | 65 | 30 (46.2%) | 39 | 1.7 | 27 (0.9%) |
| Header Information | 154 | 99 (64.3%) | 127 | 1.2 | 90 (3.0%) |
| Inquiries | 88 | 48 (54.5%) | 48 | 1.8 | 34 (1.1%) |
| Derogatory Public Records | 44 | 25 (56.8%) | 35 | 1.3 | 20 (0.7%) |
| Tradeline Information | 708 | 395 (55.8%) | 409 | 1.7 | 267 (9.0%) |
| Total | 1,561 | 864 (55.3%) | -- | -- | -- |

Note: the report did not provide totals. I calculated that row. Overall, slightly more than half (55.3%) of error items reported by consumers are fixed -- and this chart includes only the material errors that could affect a consumer's credit score. What I found interesting: regardless of the error type, there is consistently more than one error per credit report.

The following chart highlights how often credit reporting agencies co-mingle your information with other persons' information:

| Error Type | # of Alleged Errors | # Items "Not Mine" Alleged | Items "Not Mine" Corrected #(%) | # Reports With This Alleged Error | # Reports With "Not Mine" Alleged | Reports With "Not Mine" Corrected #(%) |
|---|---|---|---|---|---|---|
| Collections | 502 | 413 | 209 (50.6%) | 224 | 190 | 116 (61.1%) |
| Inquiries | 88 | 88 | 48 (53.9%) | 48 | 48 | 33 (68.8%) |
| Tradeline Information | 708 | 246 | 133 (54.1%) | 409 | 144 | 81 (56.3%) |
| Total | 1,561 | 747 | 390 (52.2%) | -- | -- | -- |

Again, the report did not calculate the total row. I did. As you can see, credit reporting agencies fixed slightly more than half of errors consumers reported as not theirs. How the researchers calculated the effects on consumers' credit scores from credit report errors:

"After the disputes were filed and completed, the study associate drew new credit reports for the consumer and analyzed whether there were changes to the report in response to the dispute. If there were no changes to the report, the original FICO score is relevant for our calculations and if all the alleged inaccurate items were modified by the CRA, the provisional FICO rescore is the relevant credit score. If only some of the disputed items were changed, the modified report was sent to a FICO analyst for a second rescoring to assess the impact of the modifications. The relevant FICO score at the conclusion of the dispute and rescoring process is then compared to the original FICO score to determine how the credit report inaccuracies affected the consumer credit score."

The report shared a brief explanation of why credit reporting agencies don't fix errors the way consumers who reported them expect:

"... There are a number of reasons, however, why a CRA may make changes to a credit report that differ from the consumer’s instructions. For example, a consumer may dispute an account balance and instruct the CRA to change the balance to a specific amount (i.e., the consumer alleges what is incorrect and what action by the CRA would set it right). If the CRA cannot confirm the existence of the account with the data furnisher, the account is removed from the consumer’s credit report; in this case the outcome is not what the consumer requested. In addition, a consumer may dispute multiple items on a credit report as inaccurate and the CRA may only modify a subset of the disputed items, thus suggesting that the consumer was correct regarding some of the inaccuracies on the report but not all."

The report shared a brief explanation of why credit reporting agencies may not fix any of the errors reported by consumers:

"... there are some consumers who file disputes and yet the CRA makes no modification to their report. For the purpose of the analysis within this report, these consumers are not defined as having a confirmed material error. It is important to note that these consumers with alleged potentially material errors that are not confirmed through the FCRA dispute process may still have inaccurate items on their credit reports; however, we are unable to verify the inaccuracy within the design of this study..."

So, the 20% error rate (percentage of consumers who reported errors and credit reporting agencies fixed them) in the study is probably the best-case scenario, and the real-world error rate is higher. How? If an error discovered and reported by a consumer cannot be verified via the FCRA dispute process, then the credit reporting agencies do nothing and that error remains in the consumer's credit reports. The 60 Minutes show documented real-world examples where consumers fully documented errors in their credit reports, which the credit reporting agencies proceeded to ignore (sometimes settling a lawsuit later out of court).

This best-case error rate problem is also backed by the research methodology. The research team included members from the University of Missouri, St. Louis (UMSL), the University of Arizona, and the Fair Isaac Corporation (FICO). The research methodology included consumers selected at random:

"... from the population of interest (consumers with credit histories at the three national CRAs). Ultimately, 1,001 study participants reviewed 2,968 credit reports (roughly three per participant) with a study associate who helped them identify potential errors. Study participants were encouraged to use the Fair Credit Reporting Act (“FCRA”) dispute process to challenge potential errors that might have a material effect on the participant’s credit standing (i.e., potentially change the credit score associated with that credit report). When a consumer identified and disputed an error on a credit report, the study associate informed FICO of the disputed items, and FICO generated a provisional FICO score for the report under the assumption that all consumer allegations were correct. After the completion of the FCRA dispute process, study participants were provided with new credit reports and credit scores. Using the provisional FICO score, the new credit reports and credit scores, and the original credit reports and credit scores, we are able to determine the impact on the consumer’s credit score..."

Descriptive information of the study participants:

| FICO Credit Score | Age | Education | Race |
|---|---|---|---|
| 589 and below: 18.2% | 18 - 30: 21% | HS diploma or less: 12% | White: 78% |
| 590 - 679: 20.2% | 31 - 40: 20% | Some college: 31% | Black: 12% |
| 680 - 749: 21.0% | 41 - 50: 15% | College degree: 30% | Other: 9% |
| 750 - 789: 19.5% | 51 - 60: 21% | Graduate study: 26% | |
| 790 and above: 21.2% | 61 and older: 22% | | |

The study never looked at credit report accuracy in the regional and smaller credit reporting agencies. So, there are more than three credit reports per person on average, when you include those smaller and regional agencies. More credit reports and probably more errors.

What do I think of this study by the FTC? It highlights several important concepts:

  • How you define an "error" matters. In the study, a conservative definition yielded a 9.7% error rate (defined as the percentage of consumers) while a more expansive definition yielded a 21% error rate.
  • How you define an "error" matters. The study calculated the much-publicized error rate based on the percentage of consumers who reported errors. To me, a better method is to calculate the error rate based on the percentage of credit reports with errors. This lets you proceed to the next level to calculate which credit reporting agency has the higher (or lower) error rate.
  • How you label an "error" matters. While calculating the percentage of credit reports with errors fixed and/or the percentage of error items fixed by credit reporting agencies, what you label these is important. The study used what I consider to be clumsy labels: "Percent of All Reports Examined With This Error Modified" and "Percent of Items With Any Allegation of this Type Modified," respectively. Let's call them what they really are: "Report Correction Rate" and "Report Item Correction Rate," respectively. Then, we can examine which credit reporting agency does a better job of fixing credit reports. Sadly, the study did not provide this level of detail.
  • How you define "investigation" matters: this includes both the FCRA dispute process and what credit reporting agencies actually do (or don't do) to investigate error disputes reported by consumers. The 60 Minutes report mentioned low-wage staff in other countries simply assign code numbers to error reports without performing a substantial, comprehensive investigation -- which most consumers probably expect.
  • Which brand of credit score matters: this study used FICO credit scores, while many credit reporting agencies and other retailers sell different brands of credit scores to consumers
  • Where you place the "responsibility" matters. The study is consistent with general practice -- for better or worse -- that places the responsibility for finding and reporting errors with consumers. Why aren't the credit reporting agencies held responsible for finding, reporting and fixing errors on their own? Would they find the same errors that consumers found? Or more? Or fewer?

This FTC study is half a loaf at best. Why?

First, it didn't analyze the real problem of actual errors already reported by consumers that were never fixed -- what I call the correction rate. A better study would investigate both error rates and correction rates, by perhaps using an independent third-party to analyze the dispute process and the supporting documents submitted by consumers to credit reporting agencies. This would get at the true heart of the matter: how accurate credit reporting agencies are (or are not) with using the documentation consumers provide. In other words, let's better understand the errors that weren't fixed which should have been fixed by credit reporting agencies.

Second, it is better to define error rates not as a percentage of consumers, but instead based on either the number of credit reports with errors, or the average number of error items in a credit report. Each consumer has at least three credit reports -- one with each of the three major credit reporting agencies: Experian, Equifax, and TransUnion. Some consumers have more credit reports with the smaller, regional credit reporting agencies.

Third, the study perpetuates a current bias that distinguishes between errors used to make credit score decisions and errors not used in this calculation. Errors are errors. Period. Credit reports are so important that they need to be correct. The study also ignored the smaller and regional credit reporting agencies.

Fourth, the study methodology had 100% of participants review their credit reports. In the real world, far fewer consumers check their credit reports for accuracy. In its report, the FTC said:

"... In 1992, the Associated Credit Bureaus (later Consumer Data Industry Association, or “CDIA”) commissioned Arthur Andersen & Company to perform a study about credit report accuracy. Using credit applicants who had been denied credit, the Andersen Study found that only 8% requested a copy of their report and 2% of those denied credit disputed information contained in their report. Following the dispute, 3% of the people who received copies of their report had the original decision to deny credit reversed...."

While the report cites other studies, the important point is this: if only 8% of consumers request copies of their credit reports, then it makes sense to pursue ways to engage more consumers with checking their credit reports for accuracy. Business as usual means a lot of errors go unreported and undiscovered. In a truly open market with credit reports, each credit reporting agency would tout its accuracy levels, unlike the current mess. The FTC needs to make it real for consumers by explaining the real-world costs of inaccurate credit reports with real examples of denied credit and loans with higher interest rates.

Fifth, I found the language in the report and study methodology needlessly confusing. It could have been simplified with clearer labels, such as:

  • Consumer Dispute Rate: the percentage of consumers that submitted error reports
  • Credit Report Dispute Rate: the percentage of credit reports with at least one error reported by consumers
  • Credit Report Average Item Dispute Rate: the average number of error items per credit report submitted by consumers
  • Gross Credit Report Correction Rate: the percentage of credit reports with (all or some) error items fixed by credit reporting agencies
  • Net Credit Report Correction Rate: the percentage of error items in credit reports where all items are fixed by credit reporting agencies
  • Gross Item Correction Rate: the average number of error items fixed (all or partial) per credit report
  • Net Item Correction Rate: the average number of error items where all items are fixed per credit report

What is your opinion of credit reporting agencies? Of their dispute process? Of the FTC study? Share your thoughts below.

Download the 2013 FTC FACTA report (Adobe PDF, 20.8 Mbytes).

60 Minutes: Dispute Processes At Credit Reporting Agencies Fail To Fix Errors in Consumers' Credit Reports

Recently, the 60 Minutes television news magazine reported about the credit reporting industry. The report focused on problems with the dispute process: failures by the largest three credit reporting agencies to correct errors reported by consumers on their credit reports.

Basically, one out of every five Americans has an error on their credit report. That is a massive amount of credit reports with errors, since the companies archive credit reports for about 200 million Americans and since each person has at least three credit reports (e.g., one report each at Equifax, Experian, and TransUnion, plus regional credit reporting agencies). That is an unacceptably high error rate.

Few other businesses would remain operating with such a high error rate. Think of it this way: if one out of every five airplane passengers were killed or injured during a crash, then that airline would be out of business. At a minimum, the public would demand changes and accountability. If one out of every five credit card purchases were incorrect or lost, that bank would be out of business. And, consumers would demand changes and accountability. But somehow, credit reporting agencies remain in business despite high error rates. If you made an error in one out of five projects at your job, your employer would likely suspend or fire you.

If you are unfamiliar with what credit reporting agencies do, here's what you need to know. The banks and lenders you already have loans or credit accounts with provide your history to the credit reporting agencies: your loans, payments you've made (or failed to make), outstanding loan balances, and the associated dates. When a loan is paid off, your credit report should indicate that. Like social networking websites, you are the product since credit reporting agencies make money by selling your credit reports to potential lenders (e.g., banks, retail stores, phone companies, educational loan companies), both when you apply for credit and when potential lenders request credit reports in order to send out offers via e-mail or snail mail.

Credit reporting agencies also make money by selling to consumers both credit scores and credit monitoring services, whose monthly fees can be as high as $18. 60 Minutes reported that these credit monitoring services don't provide consumers with the exact same credit reports that the credit reporting agencies sell to potential lenders. I'd like to hear more about that.

Your credit report is the basis of future lending decisions made by potential lenders. A bad or inaccurate report will affect and lower your credit score, the overall number used to indicate your credit worthiness. A low credit score can cost you money: denied credit applications, or approved loans but with a far higher interest rate. Bad reports can include valid late or non-payments on your loans. The errors in credit reports can include another person's data co-mingled with yours (obviously, that should never happen), a dead person's data co-mingled with yours, or a credit report that doesn't accurately reflect a loan you truly paid off on time and/or in full.

The $4 billion credit reporting industry is dominated by three huge companies: Equifax, Experian, and TransUnion. What 60 Minutes didn't mention is that credit reporting agencies regularly do business with data brokers, such as Acxiom, to buy and sell your personal information. Credit reporting agencies experience data breaches, just like other companies.

The reality is that information in your credit report is transmitted around the globe, since much of the credit report maintenance and customer service operations are outsourced to firms in other countries (e.g., Argentina, Brazil, Canada, Chile, Costa Rica, El Salvador, Honduras, India, Ireland, Jamaica, Peru, Portugal, Spain, United Kingdom, Uruguay). The work is often performed by low-wage workers. Readers of this blog already know this, since this blog reported a 4-part series in 2008 about offshore outsourcing within the industry. The 60 Minutes reporter interviewed several former credit reporting agency workers in Chile, who admitted that they really didn't have any way to investigate errors, and were directed to simply assign number codes to error disputes submitted by consumers, and then rubber-stamp inputs from lenders, regardless of whether that input was correct or incorrect.

If this makes you mad, it should. The 60 Minutes report included concerns by the Attorney General for the state of Ohio, Mike DeWine. He is concerned that the credit reporting agencies don't fix mistakes in consumers' credit reports, that the high error rates are the industry's fault (and not the banks'), and that the industry violates the Fair Credit Reporting Act (FCRA). While the industry claims that it adequately protects the credit reports of children, DeWine's office has taken action to check the accuracy of the credit reports of youth in the state's foster care system.

60 Minutes reported that some consumers have sued credit reporting agencies to get a resolution and errors fixed. Consumers shouldn't have to go to that extreme to resolve errors in their credit reports. Perhaps, some enterprising class-action attorney will take up the challenge.

You can watch the report below. After watching it, report any credit problems you have had to the CFPB. You should also contact your elected officials and demand action:


10 Tips For Consumers To Stay Safe During 2013

The Better Business Bureau (BBB) has released its list of tips for consumers to stay safe during 2013. The list includes items you can use both online and in the physical world to protect your money and your identity information:

"1. Do your research. Whether it's a business you're looking to hire or a product you're looking to buy, take the time to do your research. Check out a business at bbb.org to see its BBB Business Review. For product information, go to the Consumer Product Safety Commission.

2. Keep your computer safe. Install anti-virus software on your computer and regularly check for software and operating system updates. Don't open attachments or click on links in emails unless the email has been scanned for viruses or is from someone you know or trust.

3. Get it in writing. Don't just take a business's word for it. Get every verbal agreement in writing to limit miscommunication and misunderstandings."

Tip #1 applies especially to prepaid cards. I would modify tip #2 to also include your mobile devices, smart phones and tablets, since they are computers too. Some more tips:

"5. Protect your identity. Always shred paper documents that include sensitive financial data and dispose of computers, cell phones and digital data safely. Safely store all personal documents, such as your Social Security card, and look up your credit score at least once a year. Check your credit and debit card statements frequently.

6. Shop on trustworthy websites. Online shopping has increasingly become more popular, so before you provide any personal or banking information over the web, make sure you're using a trusted site. Look for the "s" in https:// in the URL for a secure site."

Read the entire list at the Boston BBB website.

Infographic: How Credit Reporting Agencies Get Your Information For Their Credit Reports

The infographic below is from the folks at Credit Sesame:

Infographic: how information ends up on your credit file


Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number of consumers not affiliated with the credit union. The breach highlights the fact that identity criminals are smart and persistent.

In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.

In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. However, the big-three credit unions also make money by operating credit monitoring services both for consumers and for client companies' post-breach response.

Bloomberg reported that this approach by identity thieves:

"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."

You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:

  • Client companies like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data, should pay some (or all) of the post-breach management costs for all affected consumers
  • Credit reporting agencies should include mandatory, yearly data security training for their client users

What's your opinion?

Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales

This morning, the U.S. Federal Trade Commission (FTC) announced that Equifax Information Services LLC, the credit reporting agency, and some of its customers, had agreed to pay $1.6 million to settle allegations about the improper sales of customer lists between January 2008 and early 2010. In a lawsuit (Adobe PDF) filed in U.S. District Court in Southern California, the FTC alleged that the sales of customer lists violated the Fair Credit Reporting Act (FCRA):

"Defendants buy and sell “prescreened lists,” which are lists of consumers that meet certain pre-selected credit criteria. For example, in this case, Defendants bought and sold “prescreened lists” of consumers who were, among other things, 30, 60, or 90 days late on their mortgage payments... Information such as whether a consumer is 30, 60, or 90 days late on their mortgage bears on, among other things, a consumer’s credit worthiness and credit standing and is used or expected to be used as a factor in determining a consumer’s eligibility for credit. Section 604(f) of the FCRA, 15 U.S.C. §1681b(f), prohibits persons from using or obtaining consumer reports in the absence of a “permissible purpose.” In addition, Section 607(e) of the FCRA, 15 U.S.C. § 1681e(e), requires persons who procure consumer reports for resale to establish and comply with reasonable procedures designed to ensure that the consumer reports are only resold for a permissible purpose. The only permissible purpose for using a prescreened list is to make a firm offer of credit or insurance..."

The following companies and individuals were named as defendants in the complaint:

  • Equifax Information Services
  • Direct Lending Source, Inc., based in Key Largo, Florida
  • Bailey & Associates Advertising, Inc., based in Florida and with in El Paso, Texas and San Diego, California
  • Virtual Lending Source, LLC, based in San Diego, California
  • Robert M. Bailey, Jr., the Executive Vice President of Direct Lending, Bailey & Associates, and Virtual Lending
  • Linda Giordano, President of Direct Lending, Bailey & Associates, and Virtual Lending and an owner of Bailey & Associates and Virtual Lending

Terms of the settlements require Equifax to pay $393,000 for alleged inadequate procedures that led to the sale of lists of consumer information to companies that it should not have sold the information to. According to the FTC, Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used their data to pitch loan modification and debt relief services to people in financial distress. Direct Lending Source will pay a $1.2 million civil penalty, and will be barred from using or selling prescreened lists.

CFPB Begins Supervision Of Credit Reporting Industry

At a July 15, 2012 Credit Reporting Field Hearing in Detroit, Richard Cordray, Director of the Consumer Financial Protection Bureau (CFPB), explained the bureau's role in overseeing the credit reporting industry. Some highlights from Mr. Cordray's speech:

"After the financial crisis and extreme credit crunch of 2007-2008, tens of millions of Americans are now being pursued by debt collectors. Many people’s credit ratings have taken a hit and... They are blocked from obtaining access to the credit that is often so essential to meaningful opportunity – to get an education, start a business, or buy a house. We understand these realities at the Consumer Financial Protection Bureau because we hear about them from consumers every day. We also believe it is important to get out of Washington and listen directly to consumers by meeting them face to face. So we are glad to be with you today..."

About the CFPB's oversight role:

"Today, the Consumer Bureau is issuing a new regulation to expand our supervision program to oversee these credit reporting companies. The authority to supervise firms is the authority to conduct on-site examinations of whether and how they are complying with the law... we will be supervising the credit reporting companies that are the larger participants in this marketplace. These companies have never before been subject to a federal supervision program. Starting this September, we will be monitoring and examining them just as we monitor and examine the big banks... Up to this point, no single federal government agency could access all the information necessary to generate a complete picture of what was happening inside these companies..."

The credit reporting industry is huge, as the three largest credit reporting agencies (Experian, Equifax, and TransUnion) maintain credit reports for about 200 million people in the USA. Those reports contain inputs from about 10,000 information providers: lenders and companies that make loans to individuals. The industry sells about 3 billion credit reports every year to potential lenders. What consumers may not know:

"A credit report contains information about the consumer’s transactions – including loans that a consumer has paid on time, has paid late, has not paid, or has paid off, along with current amounts and sources of debt. The credit reporting companies also collect and report on information about consumers’ finances available from public records, including civil judgments, liens, and bankruptcies from thousands of federal, state, and local courts and public offices. The information contained in consumers’ credit reports is used to derive their credit scores... Credit scores translate this great mass of information into a single number that indicates, in shorthand, a consumer’s expected likelihood of repaying a loan... But credit reports are also used in a wide range of other types of decision-making – including determinations about eligibility for rental housing, what deposits are required for utility or telephone service, and premiums for auto and homeowners’ insurance. Credit reports are even sometimes used to determine eligibility for a job. Banks, landlords, cell phone providers, and all kinds of other companies rely on the accuracy of this information..."

The CFPB will focus on three areas:

"First, our oversight of the credit reporting companies will help us make sure that the information provided to them is itself reliable. Lenders and others who furnish information to the credit reporting companies are legally required to have policies in place about the accuracy and integrity of the information they report – which includes identifying consumers accurately, correctly recounting their actual payment history, and keeping their information and record-keeping in order. Otherwise, their sloppy work becomes the true source of harm to the consumer’s overall creditworthiness... Second, given the number of complaints we have already heard from consumers, and the findings reached in some (but not all) reports on the subject, we want and need to know more about the accuracy of how the credit reporting companies assemble and maintain the information contained in consumer credit reports. Accuracy is critical for consumers and for markets... because of the increasingly significant role these reports are taking on in our financial lives, the collateral consequences of mistakes can greatly harm consumers... Third, we are keenly interested in understanding more about the problems and frustrations that consumers tell us they encounter in trying to resolve disputes about the information contained in their credit reports. Some errors may be unavoidable even in the best of systems. But when consumers find what they perceive to be erroneous information in their credit reports, they should not be burdened by unreasonably laborious processes to get errors removed from their files..."

During the last five years, I've written plenty about credit reporting agencies including fraud alerts, security freezes, data breaches, violations, offshore outsourcing, consumer satisfaction surveys, reviews of credit monitoring services offered by credit reporting agencies, and several industries that historically haven't used but now want access to the information in consumers' credit reports. It was good to read Director Cordray's remarks.

Credit Reporting Agency Wants Access To Your Facebook, LinkedIn, And Twitter Information

The leading credit reporting agency in Germany wants access to your personal data at popular social networking websites. Spiegel Online reported that business documents leaked to the news media describe the interest by Schufa to access and data-mine consumers' profile, messages/posts, and connections information at Facebook.com, LinkedIn.com, and Twitter.com to evaluate consumers' creditworthiness.

Schufa's interest seems to focus on the relationships between consumers (e.g., who you know), residential addresses, and address changes. Reportedly, there are about 20 million Facebook users in Germany, and Schufa has credit files on about 66 million consumers.

Data Breach At University of Nebraska

There is a storm brewing at the University of Nebraska. After a member of the school's information technology department discovered the data breach on May 23, the university distributed a notice on May 25 that the Nebraska Student Information Service, NeSIS, which contains sensitive information about students, alumni, and applicants, had been accessed by unauthorized users.

Individuals are concerned because the types of data exposed or stolen include school records, addresses, bank account information, and Social Security numbers. The breached database contains records for more than 650,000 individuals. The breach affects students, alumni, and applicants of the university’s four campuses, the Nebraska College of Technical Agriculture, plus university employees and parents of students who applied for financial aid.

In a letter to breach victims, Joshua Mauk, the university's Information Security Officer stated:

"On May 23, 2012, University personnel detected a security breach in the system indicating that an unauthorized individual had gained high-level access to the restricted database. This was a sophisticated and skilled attack on our system. Information in the system includes Social Security numbers, any bank account information associated with the NeSIS account, and personal and academic data. Our records indicate that you have a bank account that is associated with your NeSIS account, so we are writing to notify you of this breach and to advise you to monitor your bank accounts over the next several weeks and report any suspicious activity to your financial institution."

The letter also advises individuals to monitor their financial accounts and to consider placing a fraud alert or security freeze on their credit reports at the major credit reporting firms: Equifax, Experian, and TransUnion. The final number of records exposed/stolen has not been determined yet.

A breach investigation is underway by Nebraska University with local and federal law enforcement. The university has set up the http://nebraska.edu/security website to distribute updates about the breach and breach investigation.

Data security has been an issue in higher education since at least 2005: George Mason University (32,000 records). Recent, notable data breaches:

  • May 3, 2012: University of Pittsburgh: undisclosed
  • April 30, 2012: Volunteer State Community College (Tennessee): 14,000 records
  • April 18, 2012: Emory Healthcare, Emory University Hospital: 315,000 records
  • April 14, 2012: Texas A&M University: 4,000 records
  • April 10, 2012: Case Western Reserve University: 600 records
  • March 31, 2012: San Francisco State University: undisclosed
  • March 16, 2012: University of Tampa: 30,000 records
  • March 14, 2012: Humboldt State University: 5,700 records
  • March 13, 2012: Brigham Young University: 1,300 records
  • February 16, 2012: Central Connecticut State University: 18,763 records
  • February 15, 2012: University of North Carolina at Charlotte: 350,000 records
  • January 27, 2012: Indiana University (President's Challenge): 650,000 records
  • January 20, 2012: Arizona State University: 300,000 records

Breach history source: Privacy Rights Clearinghouse

Data Breach At Experian Credit Reporting Service

Experian has notified the New Hampshire Department of Justice of a data breach where unauthorized third parties may have obtained consumers' credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because of: a) how long the breach went undiscovered, 16 months; b) the partial Social Security and bank account numbers, only partially masked; and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of free credit monitoring services through its ProtectMyID service.

Experian is one of the three largest credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosure rules for web sites offering free credit reports. Consumers should know that the official website for truly free credit reports.

5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card at the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?