The Equifax Breach
In May 2017, credit bureau giant Equifax had virtually its entire database of consumer credit reports stolen by hackers – more than 148 million in all.
The attack occurred because Equifax failed to patch a software vulnerability it had known about months before the breach occurred.
I was one of the victims. If you’re an adult living in the United States, your files were likely compromised as well.
But unlike many of the victims, I wasn’t especially concerned about the breach. A big reason was that in response to previous attempts to steal my identity, I had placed a security freeze on my credit files.
Here you can find more information on how to put a security freeze on your credit files.
The Power of Security Freezes
A security freeze limits access to your credit report to companies that already have you as a customer.
If you have a security freeze in effect and a hacker succeeds in impersonating you, they’ll find it almost impossible to benefit financially from having your information.
Credit bureaus hate security freezes. They can no longer sell your data to the highest bidder.
The Illusion of Protection: Say No to Credit Locks
Credit bureaus will try to persuade you to sign up for a “credit lock” and credit monitoring services. Essentially, you pay a monthly or annual fee, which is often waived, for the privilege of having the company that should be keeping your data safe notify you when they fail to do so.
Don’t be fooled. A credit lock is only an agreement between you and the credit bureau. You’re bound by the restrictions in the fine print of that agreement, rather than protected by your state’s security freeze law. All 50 states have security freeze laws in effect.
But once you set up a security freeze, you might discover that hackers have unfrozen it without the credit bureau informing you.
Experian’s Security Flaw
That’s the case with Experian, which doesn’t confirm that a security freeze has been lifted unless you subscribe to the company’s credit lock service. This service costs $24.99 per month.
One victim, named John, only found out that the security freeze on his account had been lifted after receiving an email from Experian informing him that the email address on his account had been changed.
A hacker used Experian’s automated “forgot email/username” feature and was able to convince the credit bureau that they were John after correctly answering a handful of questions drawn from public records. The hacker then changed John’s email address, password, and PIN, locking him out of his own account. They also removed the security freeze.
John could not reset his Experian password because the reset links he requested were sent to the hacker’s email address. He regained access to his credit account and reimposed the freeze only after a lengthy authentication process over the telephone.
This vulnerability appears to be specific to Experian.
Both Equifax and TransUnion, the other two big consumer credit reporting bureaus, send emails to the address on file asking to validate account changes.
The absence of multi-factor authentication for resetting a security freeze at Experian in 2022 raises concerns. The company compounds the problem by “verifying” your identity using data from public records that can often be easily guessed by identity thieves.
Data Ownership, Lawsuits, and Legal Realities
But this should hardly be a surprise. You do not own the data in your credit records. The credit bureaus do. These companies make billions of dollars in profits annually by selling your data.
In the meantime, a class-action lawsuit has been filed against Experian in California. The lawsuit alleges that Experian’s inadequate security practices violate the Fair Credit Reporting Act. This law, enacted in 1970, regulates data collected by consumer reporting agencies, such as credit bureaus, medical information companies, and tenant screening services.
We wish the plaintiffs the best in their fight to force Experian to change its attitude of depraved indifference to data security. But we are not anticipating any significant legal breakthroughs. As is usual in lawsuits of this kind, the only people who are likely to receive any money are the attorneys who filed it – assuming the lawsuit is not dismissed entirely.
Taking Control of Your Data
In the meantime, we suggest that you adopt the attitude we have regarding computer security in general. Instead of assuming our data is safe in the hands of third parties, we take it for granted that it is not safe.
We understand that hackers have access to data that we once believed was private, and it might as well be pasted on the front page of The New York Times. And we grudgingly accept the fact that every database that stores this information has likely been compromised.
This status will not change until lawmakers recognize that everyone has an ownership right to their own data, including data held by third parties. Ownership over your own data would give you the right, but not the obligation, to share it with others.
Your data has value. If you owned it, you would receive a tiny royalty every time someone accesses it. You could also restrict your data flow if you choose. The blockchain technology that underpins cryptocurrencies could pave the way for secure markets for personal data, making credit bureaus obsolete and putting you in control of your data.
Getting Started: Protecting Your Credit
But until then, your only recourse is to take steps to protect yourself. And a security freeze – one that, in Experian’s case, you have to check periodically to confirm it is still in effect – should be at the top of your list.