The Crushing of Equifax

Banks, credit card companies, and other Equifax customers squeal. Consumers (the product) squeal. Congress squeals. Investors squeal.

Equifax shares dropped another 16% during the day and after-hours on Wednesday to $97.51. They’ve now plunged 31%, or $44.82, in the four trading days since Equifax confessed that 143 million consumers had their data crown-jewels stolen when it was hacked. The stolen data is perfect for identity theft, such as getting a loan in your name, and tax fraud, such as getting a tax refund from the IRS in your name, with Kafkaesque consequences for you.

Investors, seeing what this might do to the company, have voted with their sell-button. Based on the 120.4 million shares outstanding as of June 30, the four-trading-day loss amounts to $5.4 billion.

The stink has been enormous, with Equifax having to back down from some of its most egregious solutions to this problem, including forcing consumers to give away their legal right to sue in order to sign up for its credit protection services. Buckling under scathing criticism, Equifax rescinded this requirement over the weekend.

Equifax will still try to twist this offer of “free” credit protection into a profit opportunity. Once your social security number, date of birth, and other data that hackers obtained is out there, you’re vulnerable to identity theft for the rest of your life, and you need to protect yourself for the rest of your life. But Equifax is just offering the first year for free, hoping that you’ll continue the service and pay its annual fee for the rest of your life.

Dozens of lawsuits have already been filed. Equifax will be attacked from all directions, including shareholder class-action lawsuits and consumer lawsuits. Congress has gotten interested in it, and two committees are planning hearings.

But the Wall Street hype continues. All 16 analysts tracked by Bloomberg that follow Equifax have either reiterated their bullish rating on the company, or have not altered their rating, and some have exhorted their clients to buy more.

JP Morgan Chase analyst Andrew Steinerman said that based on his conversation with Equifax executives, the financial impact would be isolated to the company’s business-to-consumer segment, which accounts for about 7% of total revenue. Based on the revenue consensus of $3.40 billion for 2017, it would impact only about $238 million in revenue, according to MarketWatch. So no big deal?

Alas, Steinerman also said that he is “somewhat concerned” about the potential impact to the company’s business-to-business segment.

And that’s exactly what’s happening with the big banks and credit card companies, Equifax’s largest customers. They’re buying your data (which makes you the product in this trade). For Equifax, this revenue is now vulnerable. Citing “people familiar with the firms,” the Wall Street Journal, explains their reactions:

Banks and other financial companies are considering the possibility of moving some business away from Equifax Inc. in the wake of its data breach and to some of the firm’s credit-reporting rivals.

Lenders are unlikely to take any immediate action and are seeking more information from Equifax about the hack….

Still, large banks, in particular, have expressed dismay privately that their customers’ information was compromised, that they received no advance warning of the breach announcement, and that they still have little insight into what went wrong, these people said.

Some of it has spilled into the public. On Tuesday, JP Morgan Chase CEO Jamie Dimon – in 2014, his bank had suffered the biggest hack of any financial institution in US history – told a conference that he wants to find out if the hack could have happened to any company or if it was based on something that Equifax didn’t do correctly.

“All that will matter, it’s obviously important,” he said, according to the Journal. “It depends what happened and how it happened, whether they could’ve or should’ve.”

On Monday, Capital One CEO Richard Fairbank explained to a conference who exactly would bear the costs of the hack: “A bunch of our customers are affected,” he said. “It’s going to be costly to them and to us.”

The Journal added:

It is unlikely that financial firms would cease doing business with Equifax altogether. But, as contracts with the company come up for renewal, they might look to shift some of their business to rivals such as TransUnion or Experian PLC, the people familiar with the matter said.

So a loss in revenue and market share in Equifax’s business-to-business segment.

There is another hiccup for Equifax. I have strongly recommended on Thursday, when Equifax announced that hack, that consumers, whether their data was stolen or not, put a security freeze on the three major credit bureaus. A security freeze makes it very difficult for anyone to open a credit account in your name. Here are the details, including links to the three major credit bureaus. Since then, numerous readers have done so. Some have shared their experiences in the comment section.

(You may also consider putting a security freeze on lesser credit bureaus, such as Innovis. But they might not yet have your social security number, which would be a good thing. So you’d give it to them unnecessarily; I have no recommendation on this.)

Then the New York Times, the Wall Street Journal, other major media outlets, state attorneys general, radio and TV programs including my interview on WNHN with Arie Arnesen (starts at minute 7:00) have strongly recommended a security freeze on the three major credit bureaus — with the effect that many people have done so, and many more will do so.

For Equifax and other credit bureaus, the reality is this: When millions of consumers put a security freeze on their accounts, credit bureaus can no longer sell this consumer data to financial firms, marketers, promoters, and others. If millions of consumers do this, it adds up to a noticeable loss in revenues. And it would be long-term — because consumers whose data has been compromised will need life-long protection going forward. As a result of this fiasco, and as a result of nearly everyone with a public voice telling consumers to put a security freeze on their accounts, the industry as we know it might finally change.

Here’s what you can do to protect yourself after the hack, and Equifax doesn’t want you to do it. Read… Worst US Consumer Data Hack Ever? Equifax Confesses

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  115 comments for “The Crushing of Equifax

  1. Danny says:

    What pisses me off, is that the Suite C boys sold a bunch of their stock before letting anybody know that the hack happened a month ago.

  2. Joan of Arc says:

    Oh my stars! First Hurricane Harvey, then Hurricane Irma, now this. Throw in Kim Jong of North Korea, and maybe the world is going to end after all.

    • TJ Martin says:

      “THE End of the world ” ? Not likely

      But ” … the End of the World as We Know It ” ? Most definitely . That one was settled on both sides of the pond last fall . But I kind of doubt any of us ” .. Feel Fine ” about it in the slightest .

    • Dogstar says:

      It’s even worse than that. A top story on drudge (yeah, I know) last week told of swarms of flying ants in the Philadelphia area. Clearly, something is afoot.

  3. Lars says:

    Yesterday I put a credit freeze on my account at Equifax, and at Experian.
    Transunion is today still saying that:

    “We are temporarily unable to complete your request. Looks like we are experiencing a problem.
    We are sorry, but we are unable to fulfill your request at this time.
    What to do now:
    If the problem persists, please contact our Customer Service Team for assistance.”

    LOL, they are either swamped or faking, in the attempt to the the ‘last credit bureau standing’ !

    • Wolf Richter says:

      They’re all swamped. This is a groundswell of consumers trying to protect themselves. This will go on for a while. But keep trying. Eventually it’ll work.

      • Wayne Grube says:

        Wolf –

        I started complaining to the Arizona Governor, Attorney General, and all my state legislators about the OUTRAGEOUS $5 fee they are charging in this state for a credit freeze per credit bureau. I hear in California it is $10.

        • Wolf Richter says:

          Thanks for sharing. Great. I hope a lot of people are doing this everywhere.

          Yes, it is truly outrageous that Equifax is charging us when we ask it to stop selling OUR data to some promoters after Equifax was hacked and OUR data got stolen. There are so many twisted elements in this, it gives me vertigo.

        • Dave Burke says:

          Here in PA, Equifax charged me $10 for the Credit Freeze. TransUnion charged $0. Last year in August, someone from Baltimore,Md tried to open line of credit under my name / info with CitiBank. Never did get Equifax to label that in their system as Fraud. Twice, even with Experian on the line with me.

        • Matt P says:

          Complain to the Consumer financial protection bureau, they get results quickly.

        • Arizona Slim says:

          In my not-so-humble opinion, credit freezes and unfreezes should be free in this state and all of the others.

      • And at the end of the day more people will be paying attention to what the credit agencies are doing. This is why it has the sniff of a false flag or an inner industry cyber hack. Its like 9/11, was a great advertisement for the War on Terror.

      • Lars says:

        Thank You, Wolf, for posting these two articles about Equifax to begin with !!! You’re the best !!!

        Was later thinking, remember when there used to be “The Big 8” accounting firms ? Then Arthur Anderson got busted for ‘cooking the books’ (for I forget who) and went ‘belly up’ ! Now it’s down to what, “The big 4” ?
        I suspect TransUnion and Experian are hoping, and maybe helping, Equifax to go the way of Arthur Anderson !! So they can take over Equifax’s business !! and be the last credit bureaus standing.

      • Trena L Bristol says:

        I can’t even check for my own number. I have tried several times. I wonder if they are going to extend deadlines for people who may have been blocked due to high traffice

    • Jas says:

      I was not able to complete transunion freeze either, but at the very end they didn’t “like” my answer to one of their remarkably intrusive questions and have to submit my reuest to them in writing.

      • thelocalpragmatist says:

        With all respect to those on this site…

        I do not deal with the credit agencies…Equifax or otherwise. I have never given them permission to use my information. I have never aided nor abetted their gathering of said information. I do not share in the proceeds of the sale of my information.

        Further, I will not pay a single dime to this company to mitigate their mistakes. and further, will demand damages should any harm come to my financial well-being, as a result of their carelessness.

        To the requirement that I pay this ridiculous company for any modicum of safety they might now provide, I would invite them to (metaphorically) kiss my big black portfolio of assets.

    • Bob says:

      I, too, have placed a credit freeze on my Equifax and Experian accounts. But Transunion offers a second option. They offer free and unlimited credit monitoring and identity protection called “TrueIdentity”.
      https://membership.trueidentity.com/tucm/orderStep1_form.page?PLACE_CTA=home:center:ti

      But they note that if you sign up with TrueIdentity, you cannot simultaneously have a credit freeze. And if you do, you get the message that you placed here. I know; I did sign up for TrueIdentity and got this message upon attempting to also create a credit freeze. I am not completely certain as to the difference; I will attempt to contact them at some point and decide if the credit freeze may improve my safety.

    • number1gi says:

      After the Target hack a few years ago, I successfully placed a freeze on my Transunion and Experian accounts via the online process. However, Equifax gave the following rejection notice:

      ” Additional Information Required
      We’re sorry…we cannot process your online request concerning an Equifax security freeze. To assist us in processing your request please
      submit in writing the required items outlined below.”

      Subsequently, every time I pulled my annual free credit report online, I attempted to place a freeze with the same result, a rejection notice. I intended to send a written request, but never got “a round tuit”.

      Late last week. after attempting once again to place a freeze online and getting the standard rejection notice above, I finally sent a written request on Monday. I included a check for the required fee. Yesterday I read that Equifax is waiving the fee effective Sept. 7th into November. It will be interesting to see if they activate the freeze and don’t cash my check.

    • Robert says:

      Call their phone number and follow the prompts. I did it Sunday with no problem.

  4. Gershon says:

    The CEO and top officials of this slipshod company should be squealing in the prison shower for failing to protect customer data.

  5. 2GeekRnot2Geek says:

    Really off topic here, but pertinent as a sub-plot.

    They just had to air a “Free Dark Web Scan” commercial so consumers can make sure their data really is safe.

    It hasn’t been on air more than a few weeks, and BOOM! A hack to the tune of 143 MM consumers data. They might as well have said “Hack us! We double-dog dare you!” Like waving a red cape at a bull!

  6. nick kelly says:

    I think they’re done. The law suits haven’t begun. The charges of insider trading are coming. (how any exec could be so stupid as to sell shares in the interlude is hard to imagine. I guess it’s a type of defense that I predict we’ll see: no guilty intent)

    All we need to hear now is that insiders were short.

    There is no comparison to say, Target, that also had a huge hack.
    But info wasn’t Target’s core biz.

    This outfit WAS its data base. If the data is in the hands of criminals it may be effectively gone.

    I doubt we”ll see Uncle Warren do a contrarian play here.

  7. Gershon says:

    Remember when we had honest, vigilant regulators, enforcers, and a judiciary that looked out for the public interest?

    Neither do I.

    • polecat says:

      What’s a ‘regulator’… ??
      … other then a ‘revovlving door pig wearing lipstick …

    • Gregg Armstrong says:

      Feral government regulators, like the SEC (US Swindler Enabling Commissars), exist solely to give the Feral government’s imprimatur of legitimacy to the various criminal enterprises (CON Street Swindlers being a notable example) and scams that they supposedly ‘regulate’.

  8. DJ says:

    This morning I was able to freeze my accounts with all but Equifax. May they rot in Hell. I will try again tomorrow. Thankfully I live in one of the three states that doesn’t let them charge to freeze and unfreeze accounts. Time for the other states to join the party.

  9. Chris R says:

    143,000,000 people’s data out there – how many adults are there in the US to begin with? You start subtracting say adults with severe disabilities & people who for other reasons have no credit, minors etc from the total US population & this is for all intents & purposes everyone.

    There’s a case to be made the easier & fairer thing to do is to wipe the previous system & start from scratch, new SS numbers & a whole new credit rating system, if we’re to have it at all.

  10. Dave says:

    I was trying to put a credit freeze on my account via the Equifax website and apparently the credit freeze option/feature doesn’t exist in Canada. Has anyone had the same or different experience?

    • MtlGooberDad says:

      Dave, I was just looking into it as well and nothing was evident. I will call them to see what options there are. Possible that our politicians are not extending us the right to put a credit freeze on our data. As always, if you can’t “opt out” you’re not free.

    • Jeremy says:

      There doesn’t seem to be a way of putting a credit freeze if you live outside the US, even if you are a US citizen subject to these reporting agencies. Does anyone know how to do this?

  11. Fred Greenwood says:

    Credit Karma automatically emails me when ANYTHING changes on my credit reports. I probably shouldn’t rely on this but for now I have to as I don’t have the time to call these companies and wait hours for my call to be next.

  12. Kent says:

    It is unconscionable that a company would leave its primary database system exposed to the Internet. We need to require basic IT security practices in this country and hold CEOs responsible for instituting and funding. Under penalty of criminal prosecution.

    • Gershon says:

      Welcome to the joys of crony capitalism. ‘Muricans sanctioned such systematic rip-offs by bending over for Wall Street with their votes for the Republicrat duopoly’s bought-and–paid-for corporate statist water carriers. “Your” representatives work solely for their billionaire donors and pass legislation drafted by corporate lobbyists to further enrich the already super-wealthy.

      You want accountability? Consequences for criminal negligence and law-breaking? Then vote out every single member of the captured, corrupt Republicrat duopoly and refuse to vote for any politician whose list of donors (go to Open Secrets dot org) reads like a who’s who of Wall Street and corporate grifters.

      • Frederick says:

        Pitchforks I tell ya The American people are going to have to go ” medieval” on their arses Can’t see any other way to be honest

    • polecat says:

      This is what happens when the wonderous effects of IT float into ‘cloudy’ weather …
      … sigh !

    • robt says:

      The whole idea of ‘security’ is similar to fighting the last war or making laws. Security, like the law, is developed by response to events. The response is based on the fact that ingenious criminals have outsmarted whatever measures have been already been put in place, so by definition the measures are always behind the curve.
      You can define everything forever but there’s always a new definition to add. Yes, it’s impossible.

  13. Reconsidering says:

    I am interested in estimating the potential cumulative cost of the several class actions that are developing. Is anyone aware of any estimates out there on the Web?

    • Arizona Slim says:

      I’d like to know how to join those suits.

      • Derek says:

        +1 to that!

      • Wolf Richter says:

        They’ll contact you, or you’ll see their ads. It’ll take time. The suits will take years. Then they settle. You’ll get a year’s worth of credit protection or something like it from Equifax, and the lawyers will get $1 billion in fees.

        I’ve been part of four class-action lawsuits over the decades. The only one where I ever got anything noticeable was when credit card companies were hounded over foreign transaction fees. I got several hundred bucks because I’d spent years overseas and I was using my cards all the time over the period. In the second-best settlement, I got a check for $0.34 from AT&T.

  14. Duke Stevenson says:

    Equifax Chief Security Officer is a music major. Affirmative action at its finest, folks.

    • Wolf Richter says:

      This lady – you can see photos of her in the various articles written about this – isn’t so young anymore. It doesn’t matter what you did in college decades ago. Some of the biggest tech gurus, including Jobs, Gates, and Zuckerberg, didn’t even graduate from college.

      What matters is what you did in the past 10 or 20 years. Even 20 years is probably too far in the past. So the focus should be on what she did over the past 10 years. Her major in college and grad school are irrelevant at this stage in her career.

      • Frederick says:

        Or who your connections / family members are

      • Arizona Slim says:

        Recall that Alan Greenspan was a music major. And Rahm Emmanuel majored in dance.

        It isn’t what you majored in that counts. It’s what you do with your life.

  15. Marco says:

    Laws are for the “little people” in The USA. Not for the 1% War Party Of The Rich, nor for their corporations and banks.

    Insider trading ? Forget it! The 1% completely own the regulators and the sickening politicians.

    How do you like your cake ? The Yellen cake?

    • polecat says:

      I hope these credit rating aholes get THEIR chance at being froze !! .. permanent like !

  16. cdr says:

    I put a freeze on my credit on at all four agencies. I did it on a Sunday morning about 8 AM. Fast and easy. For some reason, few people are thing about security freezes at that time.

    Also, it might be a good idea to go to Social Security on line and put a password on your account there so nobody else can do it later and freeze you out. They also offer 2 factor authentication.

    • Kent says:

      Do the same for your banks and credit cards accounts.

    • gunner451 says:

      Be aware that you can’t set up an account with Social Security if you have a freeze at Experian as the SSA for some unknown reason goes through them before they will let you set up the account.

  17. DK says:

    You want to destabilize the USA, screw up the credit system.

    • d says:

      Finally somebody is thinking ,who how, and WHY.

      Well at least, WHY.

      Are the Criminals in question private or state sponsored deniable Criminals.

      Like the deniable Russian troll farms.

      Run by “Patriotic Citicen’s” who just happen to be FSB clan members.

    • Ethan in NoVA says:

      Do you watch the television show Mr. Robot? The premise of the mainstream television show is nuking the databases that hold all debt records.

      The show is fairly tech accurate.

  18. Gadi says:

    The B2B and B2C business of Equifax may suffer a little or a lot, but the big problem for Equfax is the lawsuits. They are probably already bankrupt, they just don’t know it yet.

    • Bobby Dale says:

      It seems to me that all three CRA’s revenues will suffer as hundreds of millions freeze their reports, depriving them of revenue.
      This will also impact sectors reliant on instant consumer credit, think of a car dealership where keeping a hot customer in the shop is critical, lest they cool off while lifting the credit freeze. Online instant credit will dry up. Fintech will get mauled. The tails get fatter and fatter.

      • robt says:

        Online credit authorization is usually credit card based, even if it’s PayPal, so it would seem the authorization mechanism is based on proprietary data of the credit card issuer, not universal credit data.

        • Bobby Dale says:

          I should have written “new online credit”, thinking of affiliated card offers.

  19. kato Nokto says:

    We are failing to understand the full impact of this event. Some of us have experienced being questioned about our personal histories (names of relatives, past addresses, etc.) and were quite surprised that so much was known. That begs the question.  Where was this information stored? What if it became public?

    We would no longer be uniquely identifiable…

    While it is still a best practice to obtain a ‘Credit Freeze’ we need to accept that we are standing incredibly thin ice.

    P.S. It is interesting that the timing of the revelation coincided with a major weather event. Almost as if…(fill in the blank) :)

  20. James says:

    Do you have to do a credit freeze with all three services or can you do it with just one service and be safe?

  21. Winston says:

    WHERE ARE THE DAMNED HANDCUFFS?
    Karl Denninger

    https://market-ticker.org/akcs-www?post=232369

    Excerpt:

    …the Congress and Executive allow effective extortion of every consumer in the nation by allowing these companies to charge you to freeze your credit, thus denying scammers access, they can charge you again to “unfreeze” it temporarily if you wish to obtain new credit and they deem said data “theirs” instead of “yours” which means you can’t insist that they either not collect and store it or delete it.

    See, proper security costs money and can be inconvenient. Having access to such data only when properly-secure machine certificates are used to encrypt same and all communication all the way back to a traceably-secure device would mean that “instant credit” decisions at millions of cash registers (e.g. to sell you a credit card while in the checkout line) could not be made.

    Forcing these companies to allow consumers to turn “on” and “off” access to their credit files whenever they want, without cost, would mean that these companies couldn’t sell your data to anyone and everyone who has a few bucks, and they’d have much smaller businesses than they have now. And prosecuting and jailing the executives of firms who put convenience for their customers, which are businesses — not consumers — ahead of security would mean they’d have no business at all. But at the same time it would make defending against someone opening a credit account in your name and stealing your identity very easy since you could disable access to your credit information any time you wish without having to pay to turn it on and off.

    Because of how these firms operate and their business practices, choices they have voluntarily made, you get screwed — again. This breach is so large and so egregious that no amount of “monitoring” and “credit watching” will do a damn thing. You’re going to get ****ed as a consequence of this and your obsession with posting crap on Facesucker, Twatwaffle and Instrascrew instead of immediately demanding that strong, effective action be taken to put a stop to this crap.

    The solution is to force Equifax to eat the cost of ANY fraud that ensues and all costs of its cleanup including liquidated damages for your time and effort on a permanent basis since they, and not you, decided to use an identifier never intended for that purpose and in addition they, and not you, were grossly negligent in failing to secure said data. In addition forcing all of these firms to allow no-cost lock and unlock options for consumers where locking your file at one bureau does so at all of them and can be done at zero cost at any time for any reason on a permanent basis would actually mitigate said risk. Finally, deeming any credit opened while you have locked your file as conclusively fraudulent and uncollectable with liquidated damages payable to you if someone does it anyway would shift the burden from you for said incidents to them.

    But instead of doing the right thing what we get is more mealy-mouthed bull****, and you, America, sit for it.

    The breach is Equifax’s fault.

    The lack of immediate prosecutorial and policy response by the government is your fault, America, because you refuse to demand that it happen right damn now backed up by immediate and no-holds-barred protest, up to and including destroying all credit-issuing businesses through lawful economic action until the above occurs.

    • Winston says:

      HANDCUFFS!!!

      https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

      Excerpt:

      Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

      It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

  22. Wilbur58 says:

    I’m glad to read that so many hear froze their credit, but keep this in mind. Your freeze lasts for 6 months. This problem is permanent. Your info is out there. 6 months is nothing.

    Our system is too FICO score-driven. There should be different identification processes beyond one’s retirement claims number. It’s really odd if you think about it.

    A similar situation is employer-based healthcare. It really makes no sense now that most people no longer work in factories, where the concept developed, justifiably.

    • raoul says:

      to Mr. Richter:

      Is this true – six (6) months of coverage only? I was under the impression that a freeze is a freeze until lifted by oneself.

      I know you are busy and that moderating comments takes a lot of time/energy, but this SERIOUS, man!

      Please advise.

      • Wolf Richter says:

        Your impression is correct. My credit freezes are permanent until I lift them.

        I’m not sure what Wilbur saw… the credit bureau website might have pushed him in that direction.

      • bill says:

        I think that Wilbur is talking about a fraud alert.

    • Wolf Richter says:

      You should put a permanent freeze on your account and lift it when you need to.

      • Winston says:

        And be charged every time by the REAL perps, the security incompetent credit agencies who collect and -sell- MY critical data WITHOUT my explicit permission.

        I’m far beyond totally fed up with this CRAP. Equifax needs to be SUED OUT OF EXISTENCE.

        Next, I want LEGISLATION mandating jail time for such incompetence, TOTAL credit agency liability for any and all fraud as a result of such incompetence, and -SINGLE POINT- and EASY ON/OFF control of the creation of new credit using MY info. This having to contact each agency separately is pure BS.

        Of course, with a bought government and an ignorant/apathetic public I don’t expect any of that.

  23. J.henderson says:

    And to think of all the internet billionaires living in the United.S.A. that can’t solve these problems.

  24. Petunia says:

    I find the entire discussion here about protecting your identity and credit rating rather humorous. There is no privacy anymore anywhere. Almost every piece of information about all of us is for sale at some data company or other. All of it can be bought for a small fee.

    A more important discussion is about who really owns your data. It should be you and you should be notified when it is given out or used. Financial security is important, but we are at the point where our lives can be endangered by tracking and the sale of that data.

    Reliance on the accuracy of data is also an issue. Your life is at the mercy of a bit flipped on a disk, either on purpose or by failure of design. Do you really want the data to be the final arbiter of who you are and what you are worth.

    These are the issues that should be under discussion. If companies are relying on data to lend people money or give out credit, that’s their problem if a mistake occurs, not ours. Make them live with the consequences of the business choices they make.

    • Kent says:

      A simple law that states “all information about a citizen of the United States is the property of that citizen, unless the data is in relation to crimes committed by the citizen” should be a decent starting point. Of course, the entire financial structure of the Internet completely collapses. Not that that would be a bad thing. I’d have no problem paying a small fee for access to wolfstreet.

      • Petunia says:

        The structure of the internet will/does not collapse and you should know better being a tech professional.

        When they capture the data they usually store it in at least two places and sending out a third notification, at that point is no big deal. When data is retrieved they can also send a notification detailing the request.

        The banks and credit card companies already consider the risk of identity theft in their business models. This is why they usually cover the losses incurred when it happens.

      • NoEasyDay says:

        These “data aggregators” need to be held to a higher standard.

    • +one:) Consumers are upset when the data gateway balks, how come this website doesn’t remember my password?
      Anything short of 0% operating error is not enough, we are completely reliant on the system. It is like our faith in a religion.

    • d says:

      THE PROBLEM THERE IS, THEY LEND TO FAKE GUY, THEN TRY AND COLLECT FROM REAL GUY. VERY VERY AGGRESSIVELY.

      Got that tee-shirt, its very expensive to defend. They wont compensate you for your costs when you prov them wrong either.

      • Petunia says:

        You can sue them too for using your information without your knowledge. That includes the lender and the collection agency.

        • d says:

          Sue them. Yes.

          Which is all costs that feed lawyers and waste MY/ The innocent consumers time.

          Suing banks/financial entity’s is like suing the Govt. Very rarely do you actually recover all costs let alone gain anything, most times. The only people who gain anything are the lawyers.

        • NoEasyDay says:

          Is EquiFax the next Arthur Andersen?

  25. Bobber says:

    I foresee the Fed using this as an excuse to keep the dovish stance alive. “Recent disruptions in the credit rating function may impact the growth rate of loan originations and secondary activities, which may be temporal or permanent in nature.”

    That has a better chance than “I’m…to sexy for this skirt….too sexy for these shoes…”

  26. Ambrose Bierce says:

    The consumer has to put a freeze on ALL the credit agencies, good news is its not that hard, and when you are no longer of an age where you think you will need new lines of credit, its really the right thing to do. Or you can sign up for Lifelock and pay a monthly fee to have them manage it for you.

  27. nick kelly says:

    WR: interesting bit in Globe biz section (9, 14)
    A doc film ‘The China Hustle’ is premiering at the Toronto International Film Festival. An exec producer is Mark Cuban.
    One guy interviewed is short seller Carson Block whose outfit Muddy Waters blew the whistle on Sino-Forest at one time the most valuable forestry company listed in TO ( We have some big forest outfits)
    How it got its listing via a back door is another topic but Block figured out that a lot of the China forests didn’t exist.
    A guy investigating a mineral deposit in China of a TO listed outfit Silvercorp recently got two years in jail.
    Apparently the point of the film is that fraud by Chinese outfits with NA listings is endemic and headed for crash.

  28. robt says:

    This whole episode has made me think back to when there were no credit agencies – each lender was responsible for generating its own credit data base. It’s easy to see that they could be burned, because it would be impossible to find out all national data about past transgressions by a borrower. But at the same time, lenders were more conservative, and relied on local credit history, supplied by borrowers, in the same way that job references are willingly supplied to prospective employers. The lenders exercised caution by limiting their exposure until the borrower established themselves, (know your borrower, establish relationship) and in the case of large loans like mortgages, the loan is secured by the property anyway. Intermediate loans, or chattel loans such as vehicles, are also secured by charges against title. Most people are fairly responsible, but the argument really comes down to individual responsibility from both parties as opposed to mass centralized systems.
    Was it even really necessary to have these mega-information-centralized agencies anyway? By definition, with any centralized system, the information is more vulnerable, and the whole credit agency system is just a way to defer individual responsibility, while at the same time, often unjustly penalizing borrowers because of incorrect data, often just about impossible to correct because the consumer is assumed to be a liar.
    As a final thought, this whole business of mass credit and personal data collection has the taint of violation of privacy, though today I suppose the idea of privacy is moot – even the term ‘privacy’ is equated with ‘secrecy’, which has the taint of nefariousness about it. Welcome to 1984 …

  29. George McDuffee says:

    RE: …or if it was based on something that Equifax didn’t do correctly.
    —–
    I have seen reports that a branch of Equifax [Argentina IIRC] used an open source operating system [Linux] and left the super user/root account name and password set to the start-up default “admin.” As all the Equifax branches are connected, this quickly compromised their entire network.

    • George McDuffee says:

      More on this
      http://www.bbc.com/news/technology-41257576
      now appears to be two separate breaches.

      • Winston says:

        “appears to be two separate breaches”

        No, that sloppy reporting from the BBC is incorrect. It was not a “breach”, it was a potential breach pathway because of the following. This ABSOLUTELY INEXCUSABLY SLOPPY “security” is why people need to go to JAIL and Equifax needs to be SUED OUT OF EXISTENCE:

        https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

        Excerpt:

        Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

        It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

        • Petunia says:

          Looks like an inside job. The company had a patch for the security problem and didn’t use it. I read they had it for 4 months.

        • George McDuffee says:

          Indeed, but only in the sense that it is most likely the the individual(s) who was tasked with, and had been, applying the security patches was replaced with a cheaper overworked H1b. The updates/patches were then skipped or “deferred” as the system was working.

  30. Sporkfed says:

    This should have a negative impact on the money supply as it should reduce borrowing .
    Even if fewer than 10 percent of the consumers
    place a freeze on their credit reports it will have an outsized impact.

    • Winston says:

      Exactly, which is why in a security forum I pointed out that this data along with all of the millions of dark web credit card numbers for sale, most of which I understand are never purchased and, therefore, never exposed as compromised, could be held in reserve and used in an automated fashion as an attack on our entire credit/financial infrastructure. Can you imagine what would happen after millions of Americans suddenly found that fraudulent transactions were attempted, let alone successfully carried out, on their credit cards?

  31. LT says:

    Working to get mine and my husbands frozen. I have teenage adults in college; I tried freezing theirs but they’re not showing up so I guess the credit bureau does not have a record yet of their SSNs. So should I give them their SSNs and freeze (by mail) as a proactive measure? Or not?

    • Wolf Richter says:

      I’m not going to make a recommendation here. But just some thoughts:

      1. If the credit bureaus don’t have their data, there is nothing to freeze, and their data couldn’t have been compromised, so there is no reason to give them your kids’ data.

      2. The credit bureaus WILL get their data over time from partner companies once your kids start opening accounts in their own names. And then it’s time to think about a freeze.

      ===> BUT for young people establishing themselves in the credit world, a credit freeze is a real hassle. Every time they get an apartment or sign up for a service (cellphone, utilities, etc.), they have to first lift the credit freeze, which takes time. So I don’t know if I would recommend a credit freeze for a young person just starting out.

      • LT says:

        Thank you Wolf. I decided against it. I’ll leave them be, at least for my kids.

  32. mean chicken says:

    I never agreed for them to collect or sell my data!

  33. Colorado Kid says:

    I knew there would come a day that having bad credit would come in handy, but I never guessed it would be like this. Just pay cash for everything.

  34. Winston says:

    Comments from an IT security oriented site:

    “The attacker accessed a storage table that contained historical credit card transaction related information”

    That sounds like they are admitting they store credit card transactions in plain text for at least 6 months.

    Pretty sure that’s against the Payment Card Industry (PCI) rules.

    ——

    Seems Equifax was storing credit card information inconsistant with the PCI data security standard. The hole appears to keep getting deeper and anticipated fines and losses are ever increasing.

    ——

    Oh, please let them get excommunicated by the PCI!

    ——

    Equifax is listed as a member of the PCI Standards Council group.

    ——

    Appreciate the irony…

    • Enrique Bermudez says:

      QUOTE:

      “Pretty sure that’s against the Payment Card Industry rules”

      Just this. Read this after posting my own comment below. The whole industry is rotten to the core and pervasively breaks its own rules. This is exactly why I would never provide them with verified info for purposes of a “security freeze.”

      They will just sell/allow to be stolen and sold everything you give them. Verified info like this is invaluable.

  35. Enrique Bermudez says:

    Wolf,
    As to the issue of requesting a security freeze. Haven’t read all comments, etc, but I am wondering if I am the only one who is bringing up the following:

    1) All three of these credit bureaus require you to provide additional identification data to do so (usually a copy of one’s driver’s licence) – you are then giving them verified info on your address at this particular date

    2) If you are doing so by phone, you are giving them a good, essentially self-verified contact phone number

    3) If you are in a state where you have to pay to do this, you are most likely giving them verified info on a good bank/credit card account for yourself.

    My point being – you have given these same bastards PERFECT, VERIFIED info. Which they will store, allow to get hacked at some point, “share with affiliates” and quite likely out and out sell without your consent. This last happens all the time – data brokers tend to operate on the “how is anyone going to catch us/prove that we did.” Even when specifically promising not to (trust me as one with some inside info from the data-harvesting industry.)

    My own background/occupation has involved extensive work in terms of investigation, big data, etc. There is an absolute mountain of incorrect info in everyone’s file (say, for example at Accurint). VERIFIED info is like gold – why just hand all that over to the three fountainheads of evil here?

    Also, it is my personal opinion that “identity theft” as a threat is far overblown. Professionally I have dealt with these issues quite frequently. They are not THAT difficult to deal with. Maybe so for me with access to/knowledge of the system and less so for someone who would be more terrified of, say “third party commits tax fraud in my name.” (i.e. not really a “Kafkaesque” nightmare in that I have my lawyers deal with it. Granted.

    Anyway, sorry for the wall of text but my own recommendation to myself and family members has been: do NOT freeze your credit. Just keep an eye on it periodically and in particular 60 days before you might want to access it.

    • Wolf Richter says:

      Let me just address one point because this is important in understanding the relationship credit bureaus have with other companies: They have a two-way relationship.

      Your bank reports your data to the credit bureau (including account numbers, amounts, money movements, loan balances, late payments, and the like), and all your credit card companies, and your utilities, and everyone major you have credit with reports to them. In return, they can buy the entire credit data file on individuals.

      In other words, the major credit bureaus already have EVERYTHING. The reason they ask you for some data points is to verify who you are.

      The minor credit bureaus may not have everything, and I’d be careful with them.

  36. alex in san jose says:

    Hm, I guess I’m glad my credit is … nonexistent.

    I just have a debit card.

    I talked with my bank about establishing credit, and I can do it with a secured card with them. But I told them I’ll have to do it, but later, since I don’t have the money right now.

    Yeah debit cards are supposedly less secure, but I doubt anyone’s going to go after the less than $200 I have in the bank right now. Normally I keep cash in the mattress and that’s my real savings, but I don’t even have that right now.

  37. LT says:

    I’ve spent the better part of the afternoon trying to get our reports with Equifax frozen (my husband and I both are potentially affected per their website). After spending most of the day trying to freeze our accounts with Equifax online, I continually received this notice below on their site. Notice what’s missing? They tell you their competitors #s to call but they don’t give you their own #. How pitiful is that? I eventually found their # in case anyone needs to call for freezing its 1-888-298-0045. Just be prepared to be on hold for a long time. Given how dreadfully this company has handled this incident (wordpress sites to handle a massive response, unpatched servers, poor passwords, failure to provide their own friggin phone number), they do not deserve to be in business nor do they have the skill to safeguard the sensitive data for so many Americans. Their stock deserves to go to zero because they are worthless.

    ==========

    System Currently Unavailable – Error 500
    We’re sorry. We cannot process your security freeze request online at this time. Please try back later.
    To make a security freeze request with the other national consumer credit reporting agencies, please contact Experian and TransUnion:
    Experian,P.O Box 9554, Allen, TX 75013 (888)379-3742
    TransUnion,P.O Box 6790, Fullerton, CA 92834 (888)909-8872
    Thank you for giving Equifax the opportunity to assist you.
    Equifax Information Services, LLC

  38. Robert Murphy says:

    As of 6:39 PM 9/14/2017 the equifax website for “security freeze” is non-functional. Only response is:

    We are currently unable to service your request.
    Please try again later.

    • DJ says:

      I lucked out around 6:30PM EST and was able to freeze my account with Equifax online. However, I have 3 unsuccessful attempts to freeze my wife’s account. Will try again early tomorrow morning when the west coast is still asleep.

  39. Dimitri says:

    Just a thought on the whole “credit” thing in the US. As a European I had no credit when I came here and got married. The funny thing to me was that credit here seems to be defined as your performance in paying off loans. In Europe, it ‘s based on the ability of paying off loans. Perfect example of this was when I tried to increase my limit on my credit card at my bank. They would not raise my limit although I had no debts, and had enough cash in that bank to cover the limit 30 times. The response of the person at the bank was : Well just because you have the money in your account, it does not mean you will pay us back!

  40. tony says:

    Have you ever had your info stolen let me tell you.When it happens or you realize it credit card companies and others want a police report so cops come to your house already annoyed because you either cut into donut time or writing speeding tickets, no money in id theft, now you wait two weeks to get a copy of the report which you have to go down and pick up in some cases they charge you. So now i call attorney general in my state his office tells you to call FBI they tell you a bunch of somolians in texas are running the scam nothing they can do about it, guess who they tell me to call the secret service i tell them i thought they guarded the president oh no that’s their job to. So silly me i call the secret service would i like to file a compliant and fill out a form, they do tell me however it will go no where as they cannot stop it, i pass on the form.You can do whatever you like put a freeze on shred all paper work by a cover for your credit cards but the bottom line is that some con artist will find someone in a company with access to your info and who needs money, he will pay them per each good account he gets.All the things you did are fine and good but con artist still wins. I do not know who all these great agents are who solve crimes but i wish one of these men or women would figure out how to stop all this.

    • d says:

      “I do not know who all these great agents are who solve crimes but i wish one of these men or women would figure out how to stop all this.’

      Stopping it is easy, Make it illegal for these entities to hold SS, Dl passport, Etc numbers, and data match them, but then a bunch of American corporates credit-card companies and Poloticians will need new revenue stream’s in the US, which effect employment numbers.

      Personal information in the us is a commodity, if you are on the correct side of the deal. Just like humans in china commodities/resources to be consumed at will by the Corporates/CCP.

      The US credit score system only works for those who manage and milk the sheeple.

      If you are not one of the Sheeple you dont have these problem, You will also have much less or nothing on credit which has many advantages.

      US Loan companies are to lazy to do their own research instead they charge the consumer to access the consumers data at some private Data store. Which makes a flawed assumption based on flawed algoes.

  41. Kevin Beck says:

    IF I were in the business of having to rely upon credit reports, or a business that filed them, the first thing I would do is completely cut off Equifax from access to any data from my customers.

    Not that their competitors are automatically better; they just haven’t proven themselves to be incompetent with the handling of customer data yet.

  42. CARL says:

    FREEZE ONE = FREEZE THEM ALL?

    This is a world that has purposefully created layer upon layer of complexity. Remember, all LIFELOCK does is place a freeze on your reports (all 3) every 3 months (back before this the longest was 3 months.) That for $100 a year…..

    Time to fix this permanently. All accounts remain LOCKED until the user opens them up by submitting an individual request for ONE review for ONE provider. LOCKED by default.

  43. George McDuffee says:

    Commentary on STRUTS and Equifax failure to install patches [update]
    https://www.themandarin.com.au/83707-dont-blame-open-source-software-poor-security-practices/

Comments are closed.