On September 7th, 2017, the credit bureau Equifax announced that cybercriminals broke into its company servers sometime in mid-May 2017 and stole copies of information like Social Security Numbers, driver’s license numbers, birth dates, and home addresses for as many as 143 million residents of the US. The total population is about 329 million, counting children, so there’s a good chance the criminals stole your information and mine.
(I encourage you to copy and adapt the content of this article in any way you wish, and share it with anyone you wish, for any purpose you wish, without fee and without further permission. Creative Commons CC 1.0 Public Domain Dedication)
Why is this bad?
- It makes it easy for crooks to get credit cards with our names on them, run up big bills, and stick us with them.
- Social Security Numbers are permanent, so crooks can sit on our information for years before using it.
Sorting out these messes is frustrating and time-consuming. While we’re sorting them out, we will deal with all sorts of people who assume we’re the criminals. Even if we can eventually sort them out, these crimes damage our reputations permanently.
- It makes it easy for crooks to file for tax refunds in our names and get our refunds sent to them.
Sorting out tax fraud is possible, but the US Internal Revenue Service is notorious for not having enough staff to help people with problems like this.
Stock market fraud.
According to Bloomberg, the Equifax company discovered the security breach on August 29, 2017. They didn’t tell the world about it until September 7th. In the meantime three officers of the company sold almost US$1.8 million worth of stock they owned in the company. When the company announced the theft the stock lost 13% of its value. It looks like those officers sold in the nick of time.
The company claims those men didn’t know about the security breach when they sold their shares. Do you believe that? I don’t. Plus, one of the officers was the Chief Financial Officer of the company. Do you believe the CFO didn’t know? Do you believe “I didn’t know what was going on” is a valid excuse for a man with a job like that? I don’t.
If you owned shares in Equifax, or in a mutual fund that owned Equifax, it seems likely those company officers stole from you by selling their shares when they knew their company was in trouble but hadn’t yet told the world. It’s called insider trading. Martha Stewart did jail time for it.
What can we do about it right now?
First of all, don’t panic. Even if our information was stolen, we’re a tiny part of a vast crime. It takes a while for cybercrooks to actually use the information they get. So we have time to deal with the situation.
Put another way: It’s OK. Our hair isn’t on fire! We can deal with this situation calmly. (If you happen to work at Equifax, your hair is on fire. If it isn’t, with respect it should be.)
Was my information stolen?
Probably. The number of people affected in the breach was 43% of the US population, including kiddos and others who don’t have any credit. The odds are pretty good, if you are an adult with a job, a car, or an apartment, that those cybercrooks stole your information from Equifax.
Equifax offers a website where you can find out if your information might have been stolen. https://www.equifaxsecurity2017.com/. This web site gives vague answers. It told me, “your information may have been included.” Vague answers are frustrating, but they’re better than nothing. Maybe.
That web site will ask you for your surname, your date of birth, and the last six digits of your Social Security Number.
Don’t forget: always look for the little green lock in the location bar on your web browser before putting that kind of information into a web site.
Equifax will offer to sign you up for free credit monitoring.
Credit monitoring. Meh.
Equifax is offering a one year credit monitoring service “for free”. That’s in quotes because it’s their credit monitoring service, and it doesn’t cost them much to provide it.
They’ll alert us whenever they get a request from a credit card company or whomever asking about us. That’s supposed to let us know when somebody tries to impersonate us. Of course, when the monitoring service alerts us, we have to act right away to say “hey, that wasn’t me trying to buy that wizzy new iPhone uLtra or that platinum Amex card” before the crooks succeed. You can sign up by pushing the button at the bottom of this page: https://www.equifaxsecurity2017.com/
After the free year runs out Equifax will pester us to sign up for a monthly fee to continue the monitoring.
Credit monitoring can’t hurt. But will it help keep our information safe? Not very well. Meh.
We can instruct the four credit bureaus to freeze our information. That is, we can tell them not to release any information about us to anybody.
The credit bureaus charge for credit freezes. As of mid-September 2017 you’ll have to pay for a freeze, and pay to reinstate the freeze if you thaw it to get a new credit card or phone. There are four credit bureaus, and they can charge up to $15 each. So you may be out as much as $60. The good news: these are one-time fees; credit freezes are permanent (unless you thaw them and need to refreeze them).
What should we do?
- have a credit card ready to pay the fees.
- have a sheet of paper ready to write down the phone numbers and PIN numbers for each credit agency, in case you need to unfreeze your freeze.
- visit the four credit bureau freeze-request web sites and fill out the annoying forms. Be patient. Don’t forget to make sure your browser’s Location bar shows the little green lock before putting in personal information.
Innovis: visit their signup site https://www.innovis.com/securityFreeze/index
Trans Union: visit their signup site https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
Experian: visit their signup site https://www.experian.com/freeze/center.html
Equifax: visit their signup site https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
What does a freeze mean?
When we apply for credit cards, or sign up for electric service in a new apartment or whatever, the company asks one of the credit bureaus about us. “Is Ollie Jones a deadbeat, or does he pay his bills?” If we’ve frozen our information, those companies will get an answer saying “sorry, that person’s information isn’t available.” So, to get that electric service, we’ll have to temporarily unfreeze our information.
That’s a nuisance. But it’s a bigger nuisance to the company trying to sell us something than it is to us, so they’ll work with us.
The respected cybersecurity journo and expert Brian Krebs (respected by me, anyway) thinks it’s a good idea to sign up for security freezes on your credit bureau accounts. His article on the subject is worth reading.
The Consumers’ Union (publisher of Consumer Reports) has a summary of state laws about freezes.
What can we do longer term?
File our taxes early.
The best way to avoid the tax scam where the criminal files your tax return and steals your refund is to file first. So, if you can, file your taxes as soon as you get your Important Tax Documents like your W2. You can also consider filing for an extension if you can’t get your tax return done completely a few months before the due date.
Opt out from credit offers and promotions.
You know those letters you get saying “you’re preapproved for an exclusive unlimited Ruby Express Visa Card with a low low interest rate of only 30%!” You can make them stop. US Federal law makes the credit bureaus honor opt-out requests for these sorts of offers. Here’s how to opt out. https://www.optoutprescreen.com/opt_form.cgi
Each person who does this makes it just a little harder for the credit bureaus to rule our lives. So do it! You’ll get less junk mail.
Slow down crooks who might open bank accounts in our names.
Many banks use a service called ChexSystems to check up on people who want to open new bank accounts or take out new debit cards. You can put an alert on ChexSystems, and they’ll ask for your approval before telling a bank it’s OK to open an account. Do that here.
Ask to see our credit reports.
US residents may retrieve a credit report each year, free, from Trans Union, Experian, and Equifax. To get these free credit reports use the web site called https://annualcreditreport.com/ . Be careful: other services may try to reel you in with the promise of free credit reports, then pester you to spend money on other services. https://annualcreditreport.com/ won’t try to upsell you.
Hassle our state legislators.
We can write to our state legislators and demand a few things.
- Credit freezes should be free in our state. The burden of validating the identity of persons applying for credit freezes should fall squarely on the credit bureau, not the applicant.
- Our state should require each credit bureau doing business in the state to appoint and fund an ombudsman’s office to help residents with all matters related to that credit bureau. The credit bureaus should be required to meet meaningful quality-of-service standards for ombudsman service. Failure to meet QoS standards should result in the payment of daily penalties.
- Our state should regulate the gathering, dissemination, and use of credit information.
- Our state should criminalize withholding of information disclosing those breaches. Coverups should mean jail time for executives.
The US federal government already criminalizes breaches of health care data. These are not outrageous demands.
Here’s my letter to my state senator, Kathleen O’Connor Ives of Massachusetts. Feel free to adapt it for your use.
Hassle the Social Security Administration
It needs to be possible to change a person’s Social Security Number. This will probably be very difficult for the Social Security Administration to pull off; they probably keep our records on Hollerith cards somewhere. But they need to get working on it.
Credit Freeze Signup Experience
Innovis: Free. One form on one web page was all it took. No monkey business. Nice!
TransUnion: $5 in Massachusetts, payable by credit card. They have a complex create-an-account setup, with some draconian terms and conditions etc. I’d call it monkey business, but that would be slandering our fellow primates. You will need to create a six digit PIN. Here’s a random number generator to make PINs. Please don’t use your pet’s birthday for this number.
Experian: $5 in Massachusetts, payable by credit card online or check by mail. They refused my online application and asked me to send a letter applying for the freeze, with a copy of a driver’s license and a recent utility bill. This was their message. Their form asks for name, date of birth, social security number, present address, and former address.
To request a security freeze, send all of the requested information via certified or regular mail to Experian Security Freeze, P.O. Box 9554, Allen, TX 75013. Include your full name, with middle initial and generation, such as JR, SR, II, III, etc.; Social Security number; date of birth (month, day and year); current address, previous addresses for the past two years and any applicable fee as indicated below. If you are a victim of identity theft and submit a valid investigative or incident report or complaint with a law enforcement agency, the fee will be waived. In addition, enclose one copy of a government issued identification card, such as a driver’s license, state ID card, etc., and one copy of a utility bill, bank or insurance statement, etc. Make sure that each copy is legible, displays your name and current mailing address, and the date of issue (statement dates must be recent). We are unable to accept credit card statements, voided checks, lease agreements, magazine subscriptions or postal service forwarding orders as proof. To protect your personal identification information, Experian does not return correspondence sent to us.
Send copies of any documents you wish to provide to us and always retain your original documents. You may also submit your request electronically at experian.com/upload. We will send you a confirmation notice once the security freeze has been added, and you will be given a personal identification number (PIN) that will be required in order to remove the freeze temporarily (in order to apply for credit or for any transaction that requires that another party access your personal credit report) or permanently.
If you are paying for a security freeze placement, enclose your check or money order for $5.00.
Mail this form, along with payment (if applicable) to: Experian Security Freeze, PO Box 9554, Allen, TX 75013
How did this happen?
The web site people at Equifax failed to apply a security patch to a software system called Apache Struts that helps run one of their web sites. The security defect involved was announced and patched in March 2017.