Why I’m Not Worried About the Equifax Security Breach (And My Data Was Hacked)

Equifax blew it, though theirs is hardly the first hack. Personal data isn’t safe, and that should make us skeptical of centralized databases of personal information regardless of who collects it. Indeed, the entire system of using social security numbers as personal identifiers has been broken.

We’re stuck dealing with the consequences, and while the average consumer maybe should get a credit freeze I’m not going to, it’s a pain and slows down the credit origination process and not all issuers will follow up manually to get permission to access your credit. At this point I’m just going to aggressively monitor my accounts.

Although if enough people freeze their credit the credit industry is going to have to learn to accommodate, initially it’s going to be a big problem for store credit cards that are mostly set up at point of sale (you go to a retail merchant and are offered a discount on the day’s purchases for getting their credit card on the stop).

I am actually comforted by the scale at which this theft occurred. Since it looks like my data was included in the breach, I’m better off that there were 9 figures worth of accounts rather than say four figures.

  • While I hate the idea of the kind of personal information being freely available that would allow someone to social engineer access to my accounts, enough correct details to convince a bank to reset my password or make a wire transfer, that sort of attack is manual and time-consuming and not the sort of thing that will be done across 100,000,000 customers. So safety comes in the form of security by obscurity, sure I can be hacked but the odds that I’ll be one of the ones hacked are pretty low.

  • A consumer that’s a victim of a small data breach bears the cost of resolving ensuing credit issues. This one is so big that lenders, banks, and others will expect it and will have to develop better procedures for resolving fraud. Indeed, doing so could become a competitive differentiator, given the number of customers that would otherwise be disserviced.

It shouldn’t be our problem to stay on top of things, it should be Equifax’s. Ultimately Equifax will pay. A lot. But like most class action settlements which is probably how this will end individual consumers will get very little but the liability risks the company.

Meanwhile there’s going to be a tremendous amount of government scrutiny over the industry, certainly TransUnion and Experian are shaking their heads at the new very public challenges they face ‘through no fault of their own’ though the idea that they couldn’t have been hacked is silly.

At the same time regulation isn’t the answer. It’s easy to say “but there should be security standards” however there already are security standards and Equifax didn’t follow them. Data was encrypted but the encryption keys were on the same server vulnerable to the same hack. And the penetration occurred via a known vulnerability that Equifax apparently had failed to patch.

Meanwhile government isn’t better at this than the private sector. The United States Office of Personnel Management had an ongoing breach for over a year from March 2014 through April 15. The initially estimated data was stolen on four million federal workers but it turns out the number was over 20 million. And it didn’t just include names, addresses, dates and places of birth and social security numbers but even detailed security-clearance-related background information.

The OPM hack and the Equifax hack should give real pause regarding government data collection. Big databases are big targets, and government gets hacked just like the private sector does.

Contra Bruce Schneier who points out that Equifax’s customers are companies who want data on consumers, not the consumers so Equifax doesn’t have an incentive to protect consumers who aren’t customers, the incentive is that their business can be destroyed by tort liability. Government doesn’t face the same consequences as a private company, indeed government failure is usually met by calls for increases in budgets rather than bankruptcy risk.

There are no easy answers here because over the long term what we need is a replacement for social security numbers as national identifiers, but any centralized solution carries risk, need I mention that we just learned about vulnerabiltiies in Estonia’s ID cards and they’re perhaps the most advanced in the world? For now all we can really do is stay on top of things.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Pingbacks

Comments

  1. Gary, aside from the potential risk of credit lines being fraudulently opened, the greater exposure is the possibility of fraudulent tax returns and government services being filed under one’s identity. This is the most concerning really, as it would be like pulling teeth to deal with the government to get it resolved.

  2. I just posted this elsewhere but since my email is showing a long string of Equifax related posts going out this morning, why not. For reference in their materials Equifax refers to consumers, as products according to a NY Times article from this AM. My post:

    We as products can best refuse to be working products by refusing to use credit lending services that use Equifax. Campaign, e-blast, tweet disrupt, bad PR any bank that retains a relationship with them and well, if done right that should be it (??). Assuming protest still works in this country. [tongue + cheek].

    Chase, Citi and USAA exclusively use Equifax according to this post:
    http://firstquarterfinance.com/credit-cards-that-use-equifax-only/

    While I did love Fight Club, I like my points more…

  3. The other day, prompted by reports in the media, I went to the net for a scan (Equifax.com/scan).
    I had read that I would be prompted to enter the last six digits of of my SS#, but I was asked instead to enter my email address and informed that a report would be sent later. The next day, I received an email saying that my email address had been compromised and that I should enter a great deal more information to see what else had been compromised. This seemed suspicious. Whoever I was dealing with had my email address from my corresponding with them and could easily say that it was compromised. As a result, I ignored what seemed to me to be a phishing operation and froze my credit report instead. I am not planning to apply for more credit anyway.

  4. If you sign up for “free” credit monitoring from Equifax, you waive your right to participate in a class action lawsuit and/or class action arbitration.

  5. So we need new national identifiers. I agree. And which group has resisted all efforts to have, say, national id cards?

    Pick your poison.

    Just sayin’.

  6. 2buffalo says:
    September 17, 2017 at 11:12 am

    “If you sign up for “free” credit monitoring from Equifax, you waive your right to participate in a class action lawsuit and/or class action arbitration.”

    THAT IS NOT TRUE.

  7. “It shouldn’t be our problem to stay on top of things”

    How will stay on top of a new bank account opened in your name?

  8. The number one thing you should secure (as best as possible) is your two-factor authentication mechanism. It’s not 100%, but I requested that my phone service require a separate password for any account modifications by phone.

    I also agree that there’s protection in numbers here (herd protection).

    Equifax invites a regulatory response through sheer managerial and IT incompetence.

  9. Juan says:
    ‘ “If you sign up for “free” credit monitoring from Equifax, you waive your right to participate in a class action lawsuit and/or class action arbitration.”

    THAT IS NOT TRUE.’

    To be clear: that is not true ANYMORE. It took a couple of days’ media scrutiny, and a hell of a lot of consumer outrage, for Equifax to “clarify” its position (read: back down.) Don’t fool yourself that it was voluntary, or that this is a consumer-friendly company. They are, essentially, a legally-sanctioned protection racket; it just turns out that they’re also incompetent.

  10. Government can’t protect itself from hacks, so we shouldn’t have legal regulation of private data holders? The logic escapes me entirely, making me wonder about the author’s agenda.

  11. Sunday NY Times had an interesting article about the lack of financial consequences for Equifax execs, whose bonus structure is specifically excluded from the costs tied to security breaches. Perversely, I’d guess they’re incentivized to sell my personal data to as many firms as possible. I’m not sure what the free market solution would be to this societal ill. Seems like they’re begging to be more closely regulated.

  12. We need increased government regulation and oversight, not to impose their own security standards, but regulation to require that all credit reporting agencies provide consumers with unlimited access to their own credit reports (instead of one free report per year), and oversight to monitor that the companies are adhering to industry security practices.

  13. I just have a bad feeling about this Equifax thing. I had a Target AMEX debit card (remember those?) that was part of the infamous nationwide Target data breach and it took more than a year for criminals to use the stolen info to hack my account. I also had an Ink card hacked in a regional Staples hack and, sure enough, I had fraudulent charges on that card many months later. I guess in this case they didn’t steal that many actual credit card numbers, right? So maybe it will be better. Maybe. At least, in the end, you don’t really lose money as a consumer; there’s usually just hassle involved.

  14. credit card fraudulent charges are not my concern at all.

    Stolen SSN being used to file fraudulent tax return can take over a year to get it resolved with IRS. Been a victim of such 3 years ago and it was a very frustrating experience that involved numerous phone calls to IRS, sending in affidavits 2 times as the first time while received by IRS but not entered into its system until many months later, and also needed to send in address correction form due to the thief changed the address to a different street number which did not exist. If not for our mailman then was one who served the area for over 30 years and knew pretty much everyone in every condo building, we would not ever receive that IRS letter asking questions on that fraudulent return – despite the wrong street number the mailman knew our names and delivered that IRS letter – so we found out a fraudulent return was filed under my husband’s SSN…

    We now have a person PIN to put in our return. Even so, the IRS has sent out WRONG PIN in the past! They reused old PIN from 2 years ago but forgot to rename it for current year. Somehow the mistake was caught and a letter followed, telling people the PIN was good for current year… Typical government work.

  15. Seems like cryptographic personal identifiers (something akin to Civic by Vinny Lingham) are the eventual solution to the ID debate. Just curious how (and how long until) we arrive at said solution

Leave a Reply

Your email address will not be published. Required fields are marked *