Unless you’ve been living under a rock this past week, you’ve heard of the huge data breach over at Equifax. 143 million people’s information was stolen by identity thieves. That’s literally half the country.
Equifax, being one of the three major credit reporting agencies, has treasure troves of data on just about every man, woman, and child in the United States. More than any private company out there, including your bank.
The Equifax data breach has put us all in danger. People don’t even know whether they’ve been affected, though it’s probably best to assume you were (it really is a 50/50 chance). Sensitive information such as your date of birth, Social Security number, driver’s license number, and even miscellaneous information used for the security questions (such as your favorite movie or your spouse’s vacation home’s zip code) is in the hands of thieves to be ransomed off on the dark web. Credit card numbers, files regarding disputes, everything got out.
The company came under fire for the handling of the situation. In order to address the issue, they hastily whipped together equifaxsercurity2017.com. Supposedly, it would allow you to see if you were impacted and to get their credit monitoring program free for a year. Of course, it didn’t quite work as intended. People were getting random results as to whether or not they were affected, often only getting a link to a sign-up page for a free year of their credit monitoring service (normally a paid product). And people had to input the very information that was compromised in the first place!
There’s more. Apparently, the company discovered the breach in July, but didn’t announce the hack until September. What’s worse is that two months before the hacking occurred, Equifax was warned about their security holes and did nothing about it.
Oh, it gets worse. There was originally an arbitration clause in the site vaguely indicating that use of the credit monitoring would cause you to waive your right to sue for damages. After much public outcry, that was replaced with a disclaimer explicitly stating that victims would still have the right to seek damages in court. And it was also revealed that Equifax executives sold off company stock days after the breach was discovered, which could definitely be construed as insider trading.
My Reaction To Everything
I wasn’t originally planning to write about the Equifax breach. Equifax isn’t a bank and, to be honest, I’m taking care of other things right now and trying to get certain parts of my life out of “trainwreck” status. I’ll write about those things when they come about.
But a friend of mine asked me at a party, “So I take it you’re going to write about the whole Equifax thing.” So now I have to write about the whole Equifax thing. I think that’s how it works.
Well, my initial reaction to it all wasn’t one of anger like the rest of the country’s. At the time, at least, I had no reason to be angry about the data breach because it was an accident. People were complaining about the lax security at Equifax, but how do you know they didn’t do everything they could? Hackers get around security measures. It’s what they do.
This was, of course, before I knew that a patch for the Apache Struts Whatever security hole existed back in March and Equifax never got on it. Or that Equifax has a history of security breaches that it tries to keep under wraps.
Still, originally I didn’t really have much of a reaction like I did with Wells Fargo. When Wells Fargo fired 5,300 for opening fake accounts, it was the abuse of employees like me that led them to commit out-and-out fraud. There was no “accident” that could take the blame; employees were threatened and ridiculed and treated like crap and they opened the fake accounts in order to protect themselves, an act that itself was inherently unethical and fraudulent. Here, I was looking at a vague “security hole”, a computer hacking event that Equifax would never have wanted to happen, and a world where identity theft seems to be a common thing, where the Target, Home Depot, and Yahoo data breaches have caused many people’s data to be compromised.
Also, I think I lost a lot of sympathy for people when it comes to identity theft over my years in banking. People would literally rather scream obscenities in a teenage teller’s face than show ID at the bank before a withdrawal (I have personally witnessed it many times, and have been the one being screamed at many times). To be honest, I’m surprised that people are so angry about potential identity theft when they refuse to cooperate with basic requests to verify their own identity. I guess your information is only valuable if it doesn’t involve taking your ID out of your wallet, an incredibly difficult and painful task, I know.
Plus, as mentioned before, my mind has been elsewhere and I’m working to put myself on a better and happier path right now. Simply put, the Equifax thing wasn’t on my mind. I literally first heard about it on TV at a bar, in which the story played once during the Hurricane Irma coverage and while I was telling my drinking buddy about the recent events in my professional life.
But the more thought I gave it, and the more I’ve heard about Equifax’s glaring failures and past transgressions, the more I realized one thing. The problem with the Equifax data breach isn’t just about their cybersecurity or aftermath handling; it’s about their very business model.
I Don’t Like Their Business Model
Equifax tried right away to profit off the compromising of our data and I’m not at all surprised.
And not because they are a “big greedy corporation looking out for its own profits and nothing else”, but because they are a for-profit company. Any good company would be trying to do damage control (both for itself and its customers) and trying to ensure that existing revenue streams don’t get compromised and are even added to. In other words, any company should be trying to make money.
Hell, I myself looked up Equifax stock to see if it was a good value play right now (I don’t think it is). Gotta make that money, right?
And Equifax tried to make that money by offering a free year of their credit monitoring service, theoretically with the idea that everyone would pay for it after the year ended. After all, the consequences of the data leak can last a lifetime.
But, justifiably, there’s been a public outcry. “Equifax allowed our most sensitive information to be stolen, and now they want to charge us to protect it going forward!? How could Equifax mistreat its customers so badly!?” people have furiously shouted from the mountaintop.
But Equifax didn’t mistreat its customers at all. Because we aren’t their customers. We are their product.
Experian, Equifax, and TransUnion are the three major credit bureaus. They hold more sensitive information about you than all your banks, the hospitals, and maybe even the government. Okay, maybe not as much as the government, but they hold more than simply your date of birth or credit card numbers. They have every bill you’ve paid late, every loan you’ve ever asked for, everything about you. The Party in 1984 didn’t have as much information about the citizens of Oceania as the bureaus do about you, and the Party had a camera in every room in people’s homes!
And you never signed up to be their customer!
They have the information on you without your express permission or knowledge. Yes, I know you agreed when you applied for that loan that your credit will be reported to the bureaus, but you know what I mean. Most of the 143 million victims have never voluntarily engaged in a business relationship with Equifax. Equifax just had their information.
Now here’s what pisses me off, and it’s not that credit monitoring thing. People always tell you, “Make sure you check your credit! You’re entitled to one free credit report per year!”
Wait a friggin’ sec. That’s my personal information being held by a private company that I never signed up or engaged in any sort of business transaction with, and I have to pay to access it if I want to see it more than once a year!?
In banking, we provide services that you use daily for free. You came into the bank and opened an account, but we don’t charge you to sit at my desk or to use your online banking. On the chance that a customer does get charged a fee, I might be dragged into a conversation about the nonsense of fee refunds. And I’m expected to refund them (I really shouldn’t be that angry; I often do so without much prodding). Again, this is a relationship started voluntarily and knowingly by the customer, who received as part of their disclosures the bank’s complete fee schedule.
But here, we have to pay a company we never entered a business arrangement with for our own information.
So for those who don’t know, the credit bureaus make money by selling our information to those who wish to extend us credit. When you apply for a loan, the bank wants to make sure that you’re gonna pay back that loan. Fair enough, right? Well, banks need information about you in order to make a decision about whether to lend you money, so they go to Equifax and the other bureaus for information. The bureaus have your information, the banks want it, so the bureaus charge the banks to see your credit report.
It’s not just potential lenders that want your information, but also potential landlords and employers. When background checks are done on someone, it involves a credit check. Lenders, landlords, employers, and others who need to access your personal information pay a fee to the bureaus to give them that information.
Believe it or not, I have no problem with that at all. Let the banks and mortgage lenders pay for my information. And having my information with a credit bureau is necessary for the concept of credit to exist. What I do have a problem with is when we, the product, have to pay for our own information.
A person should have free access to their information 24/7, not once a year. I don’t think I can break that down any more than that. I should have fully free access to my own credit report all the time. What’s more, credit monitoring should also be free by default for those who opt into it. Emailing me that someone tried to apply for credit in my name is not something I should have to pay anyone $14.95/month for. The private company that holds all of my personal information without me expressly forming a business relationship with them should automatically be sending me alerts of any activity regarding said personal information. Plain and simple.
And that’s my problem with the credit bureaus. Look, it might be painful to be reduced to being a product for a big corporation (or three) just as it might be painful to be reduced to nothing more than a number between 300 and 850. But more than “that’s just how it is”, there is a reason for it if you examine it. For-profit corporations are making money (the very reason for their existence, and the same reason that you get up in the morning to go to work) by selling information to companies in an easily digestible manner (a credit score) so they can make informed decisions on the requests you make to them to lend you their money. The bureaus sell our information; we are the product.
But products don’t pay. Customers pay. And customers engage willfully and voluntarily with the business that they are paying. We should have full free access to our own information as we are the product being sold, just as we have full free access to the nutritional contents of the food products we buy at the supermarket and put in our bodies. Nor should we have to go and pay extra money for the company to monitor and protect the personal data we never gave them. Are we the product or the customer? If we are the latter, then can Equifax show me my signed signature card, just like I can pull up for any customer of my bank?
The supermarket doesn’t charge you an extra fee to not have rotten food on the shelves. They need to protect their products. Ditto for a restaurant; they don’t tack on extra at the end of the bill for serving you food that doesn’t have salmonella. The same should apply to the credit bureaus. They shouldn’t charge you or anyone extra to ensure that their product, our personal information, is safe and protected.
I don’t mind being the product. But don’t treat me and everyone else like a customer by making us pay for the protection of our own data. Not only should access to our own credit reports be free all the time, but credit monitoring should be free and standard. If you’re not willing to protect my information for free, then don’t have it on your computer systems unless I dictate otherwise in writing.
What To Do To Protect Yourself After The Equifax Data Breach
You could be like my grandma and the rest of the senior population, screaming about the dangers of the Internet while clinging so hard to your savings passbook that they’re going to have to bury it with you.
But as an alternative to living in the mid-20th Century, there are some things you can do.
I’m not going to tell you to sign up for their credit monitoring service, free or otherwise. Their ability to safeguard our information after such complacency in their cyber-security is one of many unanswered questions for Equifax and they are going to have to rebuild that trust before I would ever consider signing up for their services.
According to experts, the one move to make after the Equifax breach is to put a freeze on all your credit. This blocks anyone, including you, from requesting information from a credit bureau (and thus all credit applications). You have to temporarily remove the freeze if you ever want to apply for a loan. How nice of Equifax to make it free... for thirty days. You still have to pay for a credit freeze on the other two bureaus.
The other thing you can do is to monitor your credit report. You can get your annual credit report at annualcreditreport.com, fittingly, but you want more than a once-a-year snapshot. I usually use Credit Karma to check my credit score for free. It doesn’t have all the information that your credit report will have and sometimes the information can be slightly off, but it will have everything you need in order to protect yourself. If someone tries to use your identity after the Equifax data breach to apply for credit in your name, you’ll know if you use Credit Karma.
Like your bank statements, you want to monitor your own credit periodically. Because in the end, no one will ever look out for your information better than you.
Especially not Equifax.
Readers–What do YOU think!? What is your reaction to the Equifax data breach? And what are you doing to protect your information? What changes would you like to see in the credit reporting agencies? Leave your thoughts in the comments below!