Recently, it was revealed that Equifax, one of the big three credit reporting agencies, had been hacked, potentially compromising the data of 143 million Americans, which is more than 40 percent of the entire U.S. population.
The stolen data includes names, Social Security numbers, birthdates, addresses and some driver's license numbers. One fraud expert told the New York Times, "On a scale of 1 to 10 in terms of risk to consumers, this is a 10."
The major credit bureaus—Equifax, TransUnion and Experian—compile the financial and personal data on consumers from creditors and other sources, create profiles on borrowing and repayment histories, and sell the data to banks, credit card companies and other businesses. Their business model is based on collecting our financial data—typically without our permission.
This is not the first time the credit agency has been hacked; hackers gained access to Equifax's system twice before, prompting questions of why security was not improved to prevent a third attack.
But not only is the hack a serious financial threat to consumers, the actions of Equifax itself are disturbing:
· It’s been reported that Equifax took six weeks to disclose the hack. The company says it discovered the breach, which it reports began in mid-May, on July 29. However, the public disclosure of the hack occurred in early September, a full six weeks after the fact, which left consumers at risk without knowing it.
· Bloomberg News reported that three Equifax executives sold shares in the company after it discovered the hack but before its public disclosure. Those three reportedly collected $1.8 million from the sales. The sales were made on Aug. 1 and 2, the third and fourth days after the breach was discovered. Equifax says the executives were unaware of the breach at the time of their sales. But one of the executives is the Number 2 at Equifax, if he wasn’t told of the theft of data within days of the company’s discovery, that’s a big problem. Predictably, once Equifax publicly disclosed the hack, its stock shares tumbled 13 percent.
It’s pretty clear that Equifax should also answer why it took so long to alert the public about the breach. Equifax discovered the breach on July 29, leaving people vulnerable to new account identity theft for over a month while it conducted its investigation. That's a problem -- people should have been alerted sooner and been given clear explanations about their options.
In New York, Attorney General Schneiderman has announced his own investigation and offered consumers tangible steps that they should take to protect themselves. Here’s his advice:
· To check whether your information was compromised, you can go to a website set up by Equifax.
· Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. This is a free service. Accounts or activity that you do not recognize could indicate identity theft.
· Consider placing a credit freeze on your files. It will not prevent a thief from using any of your existing accounts, but a credit freeze makes it harder for someone to open a new account in your name.
· Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize.
· Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS.
Since this isn’t the first hack of Equifax, and it isn’t even the biggest cyber attack – that distinction goes to Yahoo.com – it’s shocking how lax the company has been. Equifax, and the other credit bureaus, make money by collecting our personal data without our permission. You would hope that they would have the most aggressive anti-hacking programs in the world.
Clearly, that’s not the case.
Equifax and other credit bureaus are long overdue for more oversight from regulators and lawmakers. Consumers will have to monitor their credit activity for a long time. And voters should demand actions from federal and state regulators. At a minimum, Americans should expect that all credit reporting companies offer free credit freezes; and, for consumers who choose not to freeze their credit report, unlimited credit monitoring -- not just for one year. After all, there's no expiration date on when thieves can use stolen personal information.
Blair Horner is executive director of the New York Public Interest Research Group.
The views expressed by commentators are solely those of the authors.They do not necessarily reflect the views of this station or its management.