Equifax Data Breach And Their Business Model: My Thoughts

Unless you’ve been living under a rock this past week, you’ve heard of the huge data breach over at Equifax. 143 million people’s information was stolen by identity thieves. That’s literally half the country.

Equifax, being one of the three major credit reporting agencies, has treasure troves of data on just about every man, woman, and child in the United States. More than any private company out there, including your bank.

The Equifax data breach has put us all in danger. People don’t even know whether they’ve been affected, though it’s probably best to assume you were (it really is a 50/50 chance). Sensitive information such as your date of birth, Social Security number, driver’s license number, and even miscellaneous information used for the security questions (such as your favorite movie or your spouse’s vacation home’s zip code) is in the hands of thieves to be ransomed off on the dark web. Credit card numbers, files regarding disputes, everything got out.

The company came under fire for the handling of the situation. In order to address the issue, they hastily whipped together equifaxsecurity2017.com. Supposedly, it would allow you to see if you were impacted and to get their credit monitoring program free for a year. Of course, it didn’t quite work as intended. People were getting random results as to whether or not they were affected, often only getting a link to a sign-up page for a free year of their credit monitoring service (normally a paid product). And people had to input the very information that was compromised in the first place!

There’s more. Apparently, the company discovered the breach in July, but didn’t announce the hack until September. What’s worse is that two months before the hacking occurred, Equifax was warned about their security holes and did nothing about it.

Oh, it gets worse. There was originally an arbitration clause in the site vaguely indicating that use of the credit monitoring would cause you to waive your right to sue for damages. After much public outcry, that was replaced with a disclaimer explicitly stating that victims would still have the right to seek damages in court. And it was also revealed that Equifax executives sold off company stock days after the breach was discovered, which could definitely be construed as insider trading.

Equifax CEO Rick Smith. A man whose following days aren't going to be filled with sunshine and unicorns. [Photo courtesy of equifax.com]

My Reaction To Everything

I wasn’t originally planning to write about the Equifax breach. Equifax isn’t a bank and, to be honest, I’m taking care of other things right now and trying to get certain parts of my life out of “trainwreck” status. I’ll write about those things when they come about.

But a friend of mine asked me at a party, “So I take it you’re going to write about the whole Equifax thing.” So now I have to write about the whole Equifax thing. I think that’s how it works.

Well, my initial reaction to it all wasn’t one of anger like the rest of the country’s. At the time, at least, I had no reason to be angry about the data breach because it was an accident. People were complaining about the lax security at Equifax, but how do you know they didn’t do everything they could? Hackers get around security measures. It’s what they do.

This was, of course, before I knew that a patch for the Apache Struts Whatever security hole existed back in March and Equifax never got on it. Or that Equifax has a history of security breaches that it tries to keep under wraps.

Still, originally I didn’t really have much of a reaction like I did with Wells Fargo. When Wells Fargo fired 5,300 for opening fake accounts, it was the abuse of employees like me that led them to commit out-and-out fraud. There was no “accident” that could take the blame; employees were threatened and ridiculed and treated like crap and they opened the fake accounts in order to protect themselves, an act that itself was inherently unethical and fraudulent. Here, I was looking at a vague “security hole”, a computer hacking event that Equifax would never have wanted to happen, and a world where identity theft seems to be a common thing, where the Target, Home Depot, and Yahoo data breaches have caused many people’s data to be compromised.

Also, I think I lost a lot of sympathy for people when it comes to identity theft over my years in banking. People would literally rather scream obscenities in a teenage teller’s face than show ID at the bank before a withdrawal (I have personally witnessed it many times, and have been the one being screamed at many times). To be honest, I’m surprised that people are so angry about potential identity theft when they refuse to cooperate with basic requests to verify their own identity. I guess your information is only valuable if it doesn’t involve taking your ID out of your wallet, an incredibly difficult and painful task, I know.

Plus, as mentioned before, my mind has been elsewhere and I’m working to put myself on a better and happier path right now. Simply put, the Equifax thing wasn’t on my mind. I literally first heard about it on TV at a bar, in which the story played once during the Hurricane Irma coverage and while I was telling my drinking buddy about the recent events in my professional life.

But the more thought I gave it, and the more I’ve heard about Equifax’s glaring failures and past transgressions, the more I realized one thing. The problem with the Equifax data breach isn’t just about their cybersecurity or aftermath handling; it’s about their very business model.

I Don’t Like Their Business Model

Equifax tried right away to profit off the compromising of our data and I’m not at all surprised.

And not because they are a “big greedy corporation looking out for its own profits and nothing else”, but because they are a for-profit company. Any good company would be trying to do damage control (both for itself and its customers) and trying to ensure that existing revenue streams don’t get compromised and are even added to. In other words, any company should be trying to make money.

Hell, I myself looked up Equifax stock to see if it was a good value play right now (I don’t think it is). Gotta make that money, right?

And Equifax tried to make that money by offering a free year of their credit monitoring service, theoretically with the idea that everyone would pay for it after the year ended. After all, the consequences of the data leak can last a lifetime.

But, justifiably, there’s been a public outcry. “Equifax allowed our most sensitive information to be stolen, and now they want to charge us to protect it going forward!? How could Equifax mistreat its customers so badly!?” people have furiously shouted from the mountaintop.

Yes, we heard you. Now please come down from there. [Photo courtesy of pexels.com]

But Equifax didn’t mistreat its customers at all. Because we aren’t their customers. We are their product.

Experian, Equifax, and TransUnion are the three major credit bureaus. They hold more sensitive information about you than all your banks, the hospitals, and maybe even the government. Okay, maybe not as much as the government, but they hold more than simply your date of birth or credit card numbers. They have every bill you’ve paid late, every loan you’ve ever asked for, everything about you. The Party in 1984 didn’t have as much information about the citizens of Oceania as the bureaus do about you, and the Party had a camera in every room in people’s homes!

And you never signed up to be their customer!

They have the information on you without your express permission or knowledge. Yes, I know you agreed when you applied for that loan that your credit will be reported to the bureaus, but you know what I mean. Most of the 143 million victims have never voluntarily engaged in a business relationship with Equifax. Equifax just had their information.

Now here’s what pisses me off, and it’s not that credit monitoring thing. People always tell you, “Make sure you check your credit! You’re entitled to one free credit report per year!”

Wait a friggin’ sec. That’s my personal information being held by a private company that I never signed up or engaged in any sort of business transaction with, and I have to pay to access it if I want to see it more than once a year!?

In banking, we provide services that you use daily for free. You came into the bank and opened an account, but we don’t charge you to sit at my desk or to use your online banking. On the chance that a customer does get charged a fee, I might be dragged into a conversation about the nonsense of fee refunds. And I’m expected to refund them (I really shouldn’t be that angry; I often do so without much prodding). Again, this is a relationship started voluntarily and knowingly by the customer, who received as part of their disclosures the bank’s complete fee schedule.

But here, we have to pay a company we never entered a business arrangement with for our own information.

So for those who don’t know, the credit bureaus make money by selling our information to those who wish to extend us credit. When you apply for a loan, the bank wants to make sure that you’re gonna pay back that loan. Fair enough, right? Well, banks need information about you in order to make a decision about whether to lend you money, so they go to Equifax and the other bureaus for information. The bureaus have your information, the banks want it, so the bureaus charge the banks to see your credit report.

It’s not just potential lenders that want your information, but also potential landlords and employers. When background checks are done on someone, it involves a credit check. Lenders, landlords, employers, and others who need to access your personal information pay a fee to the bureaus to give them that information.

Believe it or not, I have no problem with that at all. Let the banks and mortgage lenders pay for my information. And having my information with a credit bureau is necessary for the concept of credit to exist. What I do have a problem with is when we, the product, have to pay for our own information.

A person should have free access to their information 24/7, not once a year. I don’t think I can break that down any more than that. I should have fully free access to my own credit report all the time. What’s more, credit monitoring should also be free by default for those who opt into it. Emailing me that someone tried to apply for credit in my name is not something I should have to pay anyone $14.95/month for. The private company that holds all of my personal information without me expressly forming a business relationship with them should automatically be sending me alerts of any activity regarding said personal information. Plain and simple.

And that’s my problem with the credit bureaus. Look, it might be painful to be reduced to being a product for a big corporation (or three) just as it might be painful to be reduced to nothing more than a number between 300 and 850. But more than “that’s just how it is”, there is a reason for it if you examine it. For-profit corporations are making money (the very reason for their existence, and the same reason that you get up in the morning to go to work) by selling information to companies in an easily digestible manner (a credit score) so they can make informed decisions on the requests you make to them to lend you their money. The bureaus sell our information; we are the product.

But products don’t pay. Customers pay. And customers engage willfully and voluntarily with the business that they are paying. We should have full free access to our own information as we are the product being sold, just as we have full free access to the nutritional contents of the food products we buy at the supermarket and put in our bodies. Nor should we have to go and pay extra money for the company to monitor and protect the personal data we never gave them. Are we the product or the customer? If we are the latter, then can Equifax show me my signed signature card, just like I can pull up for any customer of my bank?

The supermarket doesn’t charge you an extra fee to not have rotten food on the shelves. They need to protect their products. Ditto for a restaurant; they don’t tack on extra at the end of the bill for serving you food that doesn’t have salmonella. The same should apply to the credit bureaus. They shouldn’t charge you or anyone extra to ensure that their product, our personal information, is safe and protected.

I don’t mind being the product. But don’t treat me and everyone else like a customer by making us pay for the protection of our own data. Not only should access to our own credit reports be free all the time, but credit monitoring should be free and standard. If you’re not willing to protect my information for free, then don’t have it on your computer systems unless I dictate otherwise in writing.

What To Do To Protect Yourself After The Equifax Data Breach

You could be like my grandma and the rest of the senior population, screaming about the dangers of the Internet while clinging so hard to your savings passbook that they’re going to have to bury it with you.

But as an alternative to living in the mid-20th Century, there are some things you can do.

I’m not going to tell you to sign up for their credit monitoring service, free or otherwise. Their ability to safeguard our information after such complacency in their cyber-security is one of many unanswered questions for Equifax and they are going to have to rebuild that trust before I would ever consider signing up for their services.

According to experts, the one move to make after the Equifax breach is to put a freeze on all your credit. This blocks anyone, including you, from requesting information from a credit bureau (and thus all credit applications). You have to temporarily remove the freeze if you ever want to apply for a loan. How nice of Equifax to make it free………for thirty days. You still have to pay for a credit freeze on the other two bureaus.

The other thing you can do is to monitor your credit report. You can get your annual credit report at annualcreditreport.com, fittingly, but you want more than a once-a-year snapshot. I usually use Credit Karma to check my credit score for free. It doesn’t have all the information that your credit report will have and sometimes the information can be slightly off, but it will have everything you need in order to protect yourself. If someone tries to use your identity after the Equifax data breach to apply for credit in your name, you’ll know if you use Credit Karma.

Like your bank statements, you want to monitor your own credit periodically. Because in the end, no one will ever look out for your information better than you.

Especially not Equifax.

Readers–What do YOU think!? What is your reaction to the Equifax data breach? And what are you doing to protect your information? What changes would you like to see in the credit reporting agencies? Leave your thoughts in the comments below!

Comments

  1. Dan says

    The thing with credit monitoring is that it is backward looking. Even if you monitor your credit daily, by the time you see a new credit card has been opened in your name, it’s too late.

    I locked my credit report at all three credit reporting agencies. I took advantage of Equifax waiving the fee in response to the data breach. I am not looking to take out a loan anytime soon so it seemed like a prudent thing to do at the moment. One thing to note about freezing your credit report. There is typically a fee to freeze and another fee to unfreeze it. If you freeze all three today, you’ll have to pay $20 (assuming a $10 fee). If you want to take out new credit in the future, you’ll possibly have to pay $60. 3 x $10 to unfreeze and after the loan/credit card another 3 x $10 to freeze (if you choose to revert back to the freeze).

    Senior citizens are less likely to open new lines of credit. They typically have less need for new credit and are emotionally wedded to their existing credit. My father lived the final ~20 years of his life with his credit report locked without ever needing to unlock it.

    • ARB says

      Thanks for pointing that out about the fee structure of the credit freezes. As infuriating as it is to keep handing over money to the credit bureaus, it’s probably worth it here. To be honest, I personally only recommend going into debt a couple times in your life (a credit card, a mortgage, and a Home Equity Line Of Credit), but that’s it. As for the seniors, I should hope they aren’t applying for credit. After working their whole lives, they should be able to sit back, relax, and enjoy the fruits of their labor.

      Credit monitoring (both self-monitoring and through the credit bureaus) may be backward-looking, but it’s still necessary. Like monitoring your bank account statements for unauthorized transactions, you want to catch the errors and fraud as quickly as possible. Better to be disputing something on your credit report NOW rather than down the line when you’re trying to apply for a mortgage on your dream home.

      Thanks for commenting!

      Sincerely,
      ARB–Angry Retail Banker

  2. says

    I remember being at a Ross store and an employee asked to see I.D. because this guy was paying by credit card, then he got angry with her and started raving, but she told him politely it was store policy.

    In general our society doesn’t take privacy very seriously. Privacy starts out small and escalates. Most of us don’t encrypt our email, we freely give away our names and addresses to contests, freebies by snail-mail, to magazines for free subscriptions if we fill out a short survey, loyalty rewards clubs, we talk about everything and anything on social media, etc.

    Anyway, so I put in a credit freeze with all the credit bureaus including the fourth lesser well known credit bureau Innovis. Most finance experts don’t mention Innovis, but I figure that since they are a credit bureau and have my private info I will do it with them too. I feel better for doing it.

    • ARB says

      Lila,

      I feel that Ross employee’s pain. That’s what we go through every day. I’ve been dealing with customers like that for about a decade. A woman was just telling a teller and the manager yesterday about how we’re the worst branch because we wouldn’t accept a photocopied ID for a check cashing.

      And you’re right. We as a society don’t take privacy seriously at all. Or more accurately, we only take our privacy/security seriously if SOMEONE ELSE is providing it. The same people who get angry about having to show ID to a new teller (or when paying by credit card at a store) have their names, dates of birth, and the fact that they are currently out of the country all over their Facebook profile.

      Great tip on Innovis! I’ve never even heard of them before. I’ll have to look them up. Thanks for that!

      I appreciate the comment.

      Sincerely,
      ARB–Angry Retail Banker

  3. says

    Great thoughts on the latest (and surely not the last) privacy breach. I don’t have a problem giving out my data, as long as it’s held onto responsibly. But once that data is gone, it’s gone forever. If my date of birth info was stolen as part of this breach, and it was sold by the hackers on the dark web, that’s it, it’s out there forever; it’s virtually impossible to get that data to be private again. I guess that is the risk of doing business in the early days of the internet. All you can do is keep on top of your financials and hope for the best.

    • ARB says

      Fake Cheap,

      You’re absolutely right. Suffice to say, this data breach has changed everything. Your personal information, as well as mine and everyone else’s, is out there and it will never be truly private ever again. Ironically, it almost makes future privacy protection irrelevant and obsolete; with the most private details of half the adult population of the US floating around the Dark Web, what will any future attempts to safeguard said data do?

      Like you said, all you can do is keep on top of your finances and hope for the best. Spending your life in fear of faceless hackers won’t make you safer, just more stressed. The fact is that identity theft has been around forever and will continue to exist as long as there is something to be gained from stealing that which belongs to someone else. We can only be careful, but outside of punishing those who are responsible, there’s not a whole lot that we can do to make things better. Not that there’s NOTHING that can be done, but we all want someone (Equifax, the government, etc) to “fix this”, but there’s nothing that can really be “fixed” when we’re at the point where the most private details of 143 million people are being passed around the Dark Web as we speak.

      As always, I appreciate the comment.

      Sincerely,
      ARB–Angry Retail Banker
