Equifax Sacks 2 Executives, Turns Devious to Stop You from Demanding a Credit Freeze

They’re terrified a mass credit freeze will crush revenues.

Shares of Equifax dropped another 4% today, including after-hours, to $92.70. They’re now down 35%, or $50, from the happier era that ended at 5pm EST on September 7, with the confession that it had found out six weeks earlier that the most crucial personal data – “primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” – of 143 million consumers had been stolen.

This was promptly followed by chaos and egregious missteps, such as trying to profit from its victims. So far, at 120.4 million shares outstanding as of June 30, the six trading days have cost investors $6 billion. No one cares about consumers. They’re just the product. But $6 billion matter.

Now heads are rolling. Oh no, not CEO Richard Smith. He is not leaving the company to spend more time with his family. Instead, Equifax announced Friday evening that it sacked two lower level executives. I mean, not sacked. Chief information officer, David Webb, and chief security officer, Susan Mauldin, “are retiring,” it said, “effective immediately.”

And they had it coming.

Much was made of Mauldin’s degrees in music. But for a person her age, and with as much corporate experience as she had, college is irrelevant. Gates, Jobs, and Zuckerberg didn’t even graduate from college. What matters is how they perform their work.

And they failed to patch a vulnerability in Apache Struts, an open-source and therefore free software. The vulnerability had been “identified in early March” but wasn’t patched. The hack occurred from May 13 through July 30, 2017.

According to Equifax Friday evening:

The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.

Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.

While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.

ArsTechnica was a little clearer:

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

After this software fiasco, two other people were promoted into those slots, both from within Equifax’s vaunted IT operations, now best known for not patching their Apache Struts software. The statement:

Mark Rohrwasser has been appointed interim Chief Information Officer. Mr. Rohrwasser joined Equifax in 2016 and has led Equifax’s International IT operations since that time.

Russ Ayres has been appointed interim Chief Security Officer. Mr. Ayres most recently served as a Vice President in the IT organization at Equifax. He will report directly to the Chief Information Officer.

The statement also said that the company “is fully committed to proactively supporting consumers who may have been impacted by the cybersecurity incident.”

Yup. So a day or two ago, Equifax changed its page for initiating a “security freeze” to make it a lot harder for consumers to get a security freeze (aka credit freeze).

Credit bureaus are required to offer a security freeze. But they’re not required to make it easy. Credit bureaus sell consumer data to other companies. When you try to open an account at a bank or credit card company, that company will check your credit worthiness via the data obtained from credit bureaus. If someone obtains your data that was stolen from Equifax, he can open an account in your name and borrow money in your name, and you get to fend off the creditors when they chase after their money, and your credit will be ruined too.

Identity theft is a nightmare to resolve. The best prevention is putting a security freeze at the three major credit bureaus: Equifax, TransUnion, and Experian.

A credit freeze makes this form of identity theft nearly impossible because banks and credit card companies that cannot verify the applicant’s credit history will not open a new account. And since your stolen data will be out there forever, you need to protect yourself for the rest of your life.

But to make it even harder to obtain a security freeze, Equifax put a huge distracting red button on the top center of the security-freeze page. It takes you to a page full of other stuff where a security freeze is mentioned only at the bottom, but without link.

This is what the devious button looks like that you do not want to click:

Instead, scroll past the devious red button. Now the security-freeze section appears that used to be at the top. And it provides the appropriate link. But most people will never see it because they were deceived by the devious red button.

Under withering pressure and allegations of profiteering from its victims’ plight, Equifax announced that credit freezes will be free until November 21, and that consumers who paid for it starting at 5pm EST on September 7 will receive a refund.

TransUnion has become even more devious in trying to prevent consumers from initiating a security freeze and denting its revenues. Its old credit-freeze page that I’d linked in my September 7 article — and that subsequently major media outlets and State Attorneys General linked in their communications – was changed a couple of days ago.

Now that page goes through all kinds of blah-blah-blah. You have to scroll all the way down to get to the very last paragraph to find the first mention of a “credit freeze” and the new link where you can initiate the credit freeze. But even on that “credit-freeze2” page, TransUnion is trying to talk you into a “security lock” instead.

Experian has not yet changed its security freeze page.

This deviousness is a sign these companies are terrified that a mass credit freeze will hit their revenues and shares. And this isn’t a short-term blip. This is for life.

Banks, credit card companies, and other Equifax customers squeal. Consumers (the product) squeal. Congress squeals. Investors squeal. Read… The Crushing of Equifax

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.



  170 comments for “Equifax Sacks 2 Executives, Turns Devious to Stop You from Demanding a Credit Freeze

  1. Paulo says:

    Imagine, customers expecting accountability. The nerve.

    I wonder what kind (size) of retirement benefit the ‘departed’ received?

    Question from a non-borrower. What is the purpose of these rating companies, anyway. The last time I borrowed money to buy some property all I did was go over my finances with the loans officer. They wanted me to mortgage our house to buy the property, but I held out and they gave me the loan on the balance outstanding. I did have to provide property tax assesments on what we were buying, but that was all. note: we were not big salary earners at that time, either. We just didn’t owe any money. It seems to me these agencies are just a needless middle man. Plus, look what was missed in 2007 and 2008. (everything).

    If credit is based on what these agencies report, then what is the purpose of the loan department and loanjs officers? Paperwork and filing?

    regards

    In the States, does everyone need a credit rating score to get financing? I see adds on tv for Credit scores updated daily. Why don’t banks and credit unions do their own customer assessments?

    • Wolf Richter says:

      You cannot take out a loan or mortgage, get cellphone service (unless it’s prepaid), rent an apartment, apply for a credit card, lease a car, or do any number of things without these credit bureaus. They made our easy-debt-slave society possible.

      • WheresOurTeddy says:

        and impossible to not participate in if you’re not already well-off (or live in the wilderness with no amenities)

        We are the product. Mooo

      • DaveP says:

        A sincere Thank You Wolf for having the security freeze links up so soon after the press release on security breach. I was able to freeze all 3 with ease that day.

        • Wolf Richter says:

          You experienced what is called the first-mover advantage. This is also an iron-clad rule for investors in open-end bond funds when they get in trouble, hurricane evacuations — “get out early or stay put” — and some other situations.

      • Mark says:

        Thanks! Great coverage of the Equifax incident. I appreciate it. One question: are there any possible unintended consequences from doing a credit freeze- or is it a total no-brained to do?

        • Wolf Richter says:

          With a credit freeze in place, you cannot open a bank account at a new bank, get a new credit card, not even from Macy’s, lease or finance a car, get a mortgage, open an account with a wireless or cable service provider, rent an apartment….

          For any of these things, you have to lift your credit freeze first, then open the new account or rent the apartment and set up the utilities, etc., then reactive the credit freeze. If you’re a young person just starting out to “establish” your credit, and you move around a lot, this is a real hassle. I’m not sure I would recommend a credit freeze for young people just starting out.

        • safe as milk says:

          “With a credit freeze in place, you cannot open a bank account at a new bank, get a new credit card, not even from Macy’s, lease or finance a car, get a mortgage, open an account with a wireless or cable service provider, rent an apartment….”

          yes, they really have us. last summer, i SOLD a property and i was informed by title company the day before the closing that i had to provide a copy of my full credit report. i’m like what the hell… but i did it and paid for it.

      • It may be somebody thinks consumer credit is overheating and this is their way of handling it

      • Jones says:

        If the credit hack occurred weeks before public knew, what was to prevent the information from being used to place a credit freeze on an account by the thief BEFORE the real person does?…thereby locking out the real person. The freeze can then be lifted and reinstated at will by the crook.

      • Pat Coutur says:

        Can I sue THEM ? For punitive, compensatory and actual damages?

        • d says:

          You would probably get further suing the IRS. Without a class action suit.

          They have a larger and more aggressive attack lawyer department than the IRS.

      • chris Hauser says:

        i feel like the hippie dude in robocop 1.

        you can’t make this stuff up: Equifax online dispute portal web application.

    • Harris says:

      The customers of Equifax are not the people whose personal data they maintain in their computer databases.

      Their customers are the financial institutions that purchase the data. There is no evidence that the financial institutions are demanding accountability from Equifax.

    • Gary says:

      Government ruins everything. We need to let private enterprise run these things so this kind of scam doesn’t happen… OH WAIT!!

    • Paul Woodfield says:

      Experian will not let you put a freeze on your account online. The web page will deny you are requested to mail everything to Aen TX.

      • TXRancher says:

        Experian Security Freeze
        PO Box 9554
        Allen, TX 75013

      • Todos Santos says:

        Just did mine online. All three. got charged $10 for two of them.
        I now want to send a bill for $20 plus my time to Equifax.

  2. Stephen Mapes says:

    When I filled out the freeze for at Experian this is the message I got. These people should all be fired and so in jail.

  3. Stephen Mapes says:

    We were unable to honor your request to place a security freeze on your personal credit report based on the information you entered

    When I tried to freeze at Experian and all the info was correct.

    Trans Union said I already had an account which I never had and to enter my user and password.

    They are making it as difficult as possible. This should be illegal!

    • Guido says:

      Trans union is indeed a mess. I entered various pieces of info, including choosing a username and password. And then the webpage died.

      So I tried again. This time, it looked through its database and said I had an account. I tried the username and password that I had entered in the previous attempt when the webpage just died. It carried on from where it had left off before. I could complete the freezing process.

      I can even tell you the page where it died. It was trying to verify my identity by posing some association questions.

      Equifax page also died for me. It gave a message that I pasted in DuckDuckGo. Sure enough, the message came from Apache struts. This is an ancient technology that I don’t see being used anymore.

      I see all kinds of crappy programmers in Bay Area pretending to be God’s gift to mankind. As badly as they suck, the programmers for both Equifax and Transunion take the cake.

      • Tom says:

        I had a problem with TransUnion too. I wound up calling them this morning ( Thanks to this article, I have made the credit freeze move) and am awaiting a package in the mail from them. I was able to to the others on line.

      • Maximus Minimus says:

        It gets worse; Apache struts cannot be blamed for breach that occurred in the database. Patching Struts? Who provides support for an open source framework that is more than a decade old?
        More likely, the execs got some tech buzzwords thrown at them and regurgitated it in some random fashion.

      • alex in san jose AKA digital Detroit says:

        Guido – You can thank some H1B making the same wage as in India and living in a “dorm” sleeping on a bunk bed … occasionally companies get caught doing this, probably the ones who get behind paying their bribes.

        There are very very few jobs for competent programmers here and generally I’d discourage people from going into the field.

    • RoseN says:

      I had the same problem with Experian. I had to mail in the information with a check, but I waited a couple of days because Experian had charged my credit card, and I wanted to ensure they deleted the CC charge. (They did.) I pine for the long-gone, simpler days when people saved up to make big purchases.

      • Rates says:

        Bravo. You nailed the point. But muppets are crazy. The Equifaxes of the world are filled with psychopaths, but none are crazier than the muppets. They want to have their cake and eat it too.

        Just like how the War on Drugs will end in literally in one minute if the consumers don’t buy, so will these firms be unnecessary if Muppets don’t get into debt.

        Fully deserved!!!

      • JR says:

        Same experience here- Experian gave me an “unable to honor your request” reply with the mailing address (send us ALL THE THINGS) – and charged my credit card anyway. That is pretty incompetent. Other two agencies were OK – Equifax was free and TransUnion demanded and got their $10. Thank you Wolf for putting this info and updated links together!!!

        • JR says:

          * Experian did refund the $10 immediately. So no damage done – except for lost time filling out online forms (normal in the New Normal). Will try again online in a couple of weeks with Experian to see if they have fixed things.

      • Johnny A says:

        Those days are returning.
        The Boomers generation allowed all this credit/SS/401/stock/funds capital to pile up and be used against us. There’s no money to replace our income. Other generations will find new ways to solve their problem.s I rented cars using my utility bills for 6 years while in credit fail. It was ok. Less convenient, but then so what? What we have now pretends to be easy but the hidden costs are huge.

        BTW, I use a flip phone. Works just fine.

        • chip javert says:

          Johnny A

          Boomers did this to you?

          The oldest Millennials are now 36 and out-number boomers. Wake up and start taking responsibility.

          Go be a victim about something else.

  4. Panamabob says:

    Wolf thanks for the posts on this preposterous and dangerous mess. I froze the criminal agency the night of your first post but stopped with transunion as I had to pay.
    That was a mistake as now they are stalling but I will call tomorrow and follow up.
    I’m not sure why I balked at $10 when I freely sent money in the past to you…must have to do with principles.

  5. LT says:

    I’m livid over this Equifax ordeal, where it does look like our personal data was among the ones that were leaked.

    So, a company collects sensitive data about us without our permission and then said company is wholly inept at securing it properly. Then they expect us to pay them to monitor the very data that they let someone steal. How is this not EXTORTION?!

    Personally I think this is much bigger than Equifax. All big business that profits by collecting data on us (credit bureaus but including Google, Facebook and the like) are a risk. I’m not a fan of big government, but it’s long overdue for the government to step up and protect it’s citizens from the harm that occurs because of reckless bartering of peoples private information without their consent or knowledge.

    • Emanon says:

      I held a security clearance from the government a long time ago, and was notified two years ago that the personal data I had given them to get the security clearance was stolen.

      https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

      The Chinese now have even my fingerprints.

      If the government can’t secure personal data from its own security clearance investigations, what hope is there that they are competent enough to secure any other sort of personal data?

      • LT says:

        My expectation is not that the government be the marketer of our data. But rather there be more strict regulation that protects our privacy and our data from companies that profit from selling it.

        The fingerprint unlock features on phones already has me leery. Now we have facial recognition. Now what the hell happens when that data is leaked? We’ve been much too complacent as a citizenry with regard to protecting our most important asset, our identity. We’ve willfully given away our identities for the sake of convenience or free services where we are the product.

        • Jas says:

          I posted this once before, but it’s more relevant than ever. The information all of the tech companies collect combined with all of the info gleaned from the credit union hack could/would give an all encompassing, complete profile of your entire life!! https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win

        • Troy Ounce says:

          “Everything a government touches turns to crap” – Ringo Star

        • Nathan Brazil says:

          Anyone reading this who uses GMail or Yahoo mail is disallowed from complaining about evil companies collecting data.
          I know, its *such* a pain to change your email address that you just can’t be bothered, and of course an email service where you are the customer instead of the product actually costs money! (About $4/mo, get over it) Protonmail for the win.

        • d says:

          You think your private mail server is safe.?????? and nodody copies it ????????

          FOOL the Spies of every state copy them all. the issue is do, they read them all.

          what you dont do with the Free mail services is use them for anything important or PRIVATE.

          in fact you dont use @Mail for anything important or PRIVATE as somebody somewhere, unauthorized, is or can, read it.

          Try communicating with peopel in and out of Mainland china, or russia Mongolia Etc, and you will learn about Security related time lags, between sending and delivery times. Sometimes its days.

      • Johnny A says:

        I applied for a job that required a security clearance. I didn’t get the job, but now my phone is tapped all the time. I can hear the echoes. My friends and family all notice it. I can’t tell you all how much I regret that job application that required fingerprints, extensive background info and such.

    • E says:

      If you know your information has been part of the leak. Go FTC website identity theft and fill out the form it long. They will give you a number. Then go to the police station and file a police report and cross reference your FTC number on the police report. When you go to freeze your account with the credit agencies it should be free. They are more helpful knowing you have filed with the FTC and police

  6. Stephen Mapes says:

    when I finally was able to get to the freeze page and completed the info, it also said I could not freeze my account and I would have to call or write. I suppose they want you to call so they can try and talk you out of freezing.

    I will be forwarding this difficulty with copies to Sen. Rubio and Rep Buchanan in Florida

  7. LT says:

    Still livid, sorry!

    The # to freeze with Equifax isn’t even on their website. If you need to call, here it is 1-888-298-0045. I share here because I had to go to great lengths to find out how to call them.

  8. d says:

    Lizzy now has her war bonnet, on they all have serious trouble coming.

    The data breech is SO BIG, basically everybody currently in the system, need to freeze for life which kills revenues almost entirely.

  9. Harris says:

    The Equifax data dump probably contains all the information needed to file your taxes with the IRS. I expect the IRS will see a huge amount of fraudulent returns next year.

    • fajensen says:

      Why so much work? In Denmark those foreign “investors” could just fills out a form and ask for the taxes back on stock dividends – the Danish IRS didn’t bother to actually check stuff like:

      1) taxes were paid in the first place,
      2) the stock paid dividends at all,
      3) the total claims did not exceeding the total dividends …

      and

      4) the single person, who got nailed for tax fraud, approving those claims “was not at it again”!

      The admitted loss is about 1.2 Billion EUR – but, what the rumours say, more like 10 Billion or about 30% of one years tax collections!

      Amateurs, Frauds and Clowns now have authority everywhere, because there is no accountability, no enforcement as long as crooked management and neoliberal politicians enablers (and players) totally agree on the virtues of “Smash & Grab” economics.

  10. Joan of Arc says:

    This is more Horrible news on Equifax. Between mega hurricanes and threats of nuclear war this Equifax thing completes the triage. I understand that hurricanes can’t be stopped by man (they haven’t invented a hurricane dance yet) however, the other two forks of the triage are definitely in man’s power to stop. Someone’s got to sit down and reason with Kim jong-un first, and then move on and reason with Equifax.

    • RoseN says:

      And if you believe that global warming exacerbates natural disasters and that human activity is the main cause of global warming, then all three angles of your triangle are at least partly under man’s control.

      • alex in san jose AKA digital Detroit says:

        Hurricanes can be moderated, at least, by keeping “barrier islands” and wetlands intact, not building in flood zones, and not cooking the damn planet.

  11. James R. Chaillet, Jr., MD says:

    I went through this process back in May when I found out that I was a victim of identity theft. I was able to put a freeze on with TransUnion through the web site. With Experian an Equifax I did it through the mail after failures on the web site.::

    I learned that to get it done, you need patience and persistence. Remember: “Don’t let the bastards get you down.”

    • alex in san jose AKA digital Detroit says:

      J. R. C. Jr. MD – this is why I always want to have one foot in the black market. Because anyone, even myself, can have ID theft or some damn thing happen and then you’re only as good as your black market skills whether they’re being a street musician, selling crafts, pickpocketing, what have you. I don’t tend to favor the illegal things, to my financial detriment.

  12. John says:

    Hmmm, here I was under the impression that this was just a very MINOR thing to the Equifax company. Have a look at there stock price. Tose with the real money sure don’t value our opinion I guess.

  13. Guido says:

    @Wolf,
    Since pretty much everybody will freeze their accounts now, will it not hurt revenues of all three credit rating agencies, i.e Equifax, TransUnion, and Experian?

    So this should be a disaster of epic proportions for all of them in this sector, no? Not to mention that the Russians and Chinese that will be locked out as well.

    Mueller should probably be repurposed to look into how much foreign hackers stole by way of personal information.

    • Wolf Richter says:

      It will hurt revenues. But they have other revenue sources. So I don’t know how big the overall impact will be. If there is a general slowdown in consumers opening new accounts and applying for all kinds of credit, it would have a much broader impact, beyond the credit bureaus.

      Many consumers have still not heard of “Equifax” or the hack or anything related to it, as amazing as that seems — I know some of them — and they’ll do whatever they would have done before.

      • RoseN says:

        I know I’ve decided not to apply for credit at retail stores just for a discount. Getting 15% off a $150 Gap purchase is just not worth it to me anymore!

  14. Michael Gorback says:

    What’s wrong with choosing a security lock?

    • Wolf Richter says:

      It’s not a credit freeze?

      • Michael Gorback says:

        It is a credit freeze. The difference is that you can easily lock and unlock it yourself as needed without going through the ID verification process.

        • Wolf Richter says:

          TransUnion: “Credit Lock is a new credit monitoring protection feature offered by TransUnion. With a swipe or a click, your report is locked. You get to control who has access to your credit report.”

          It only says that it locks the “credit report.” It does NOT say that TransUnion cannot and will not sell your data to other companies. That’s what a credit freeze prevents it from doing. If it a credit “lock” did that, TransUnion could spell it out more broadly. But it doesn’t. I have not found a clear definition of what this “credit lock” does. But a credit freeze is defined by law.

        • Michael Gorback says:

          If the goal is to prevent someone from opening an account in your name the lock is fine and often faster than thawing a freeze. Depending on in which state you reside it could take several days for a thaw.

          You’ve wandered off into sharing or selling data, which is a different issue.

  15. fajensen says:

    Would a recorded letter work?

    I sometimes use that to mess with companies who chose to piss me off because they have to sign for it and then scan & archive the thing in order to handle it.

    They cannot deny receiving it since someone signed – and often this is enough to win the case in small-claims court or whatever.

    Digital communications can so easily get “lost”.

  16. Mike says:

    Wolf,
    After a few unsuccessful attempts last week, I gave it a go again with your newly provided links and froze my Equifax (free) and Transunion ($10) credit files. Experian won’t let me process on the initial submittal nor the download system so I will call them next week. Thanks for looking out for the little guys in the world. Best regards!

  17. RD Blakeslee says:

    We’ve managed to get security freezes put on 5 out of our six accounts – all of mine and two of my wife’s.

    Experian has stumped her. She gets all the way through the online application process, then the freeze acknowledgement page come up blank. It happened on multiple tries, ever since she filled out a questions about her past economic events. She may have given a wrong answer: She’s 76 years old and memory of events years earlier might have failed.

    Two questions: What would be the motivation of an imposter to freeze somebody’s credit? I should think accessing the account would be the only logical thing they would want. If so, why should it be so hard for legitimate applicants?

    Second: Is five of six freezes “good enough”?

    • MsMolly says:

      A friend who is “non-technical” had a similar experience with Equifax. What she didn’t realize was that when the blank screen was displayed a PDF was downloading. Check the downloads folder (where downloaded documents are stored on your computer). You might have a PDF that acknowledges the freeze.

    • Wolf Richter says:

      You’re doing good so far. Five down, one more to go. I’ll give your questions a shot.

      1. I don’t think anyone else would want to freeze your wife’s account. These systems have enormous problems right now because so many people are trying to put a credit freeze on their accounts. So maybe it’s time to get on the phone. Some commenters have reported that they were able to get it done by phone.

      This is the Experian number: 877-284-7942.

      A commenter also said this: “To get a real person: 888-379-3742 but you have to have your Experian account #”

      2. No, five out of six is not enough. You really need to do the three major credit bureaus for each person.

      Keep trying. Many commenters have reported that the combination of persistence and phone finally worked out.

    • Wolf Richter says:

      Just a guess to troubleshoot this issue: if your wife is using Internet Explorer as browser, she may run into trouble simply because IE is no longer supported and malfunctions with numerous websites. If she is using IE, she may need to switch to a different browser.

  18. Marco says:

    Don’t worry –

    I’m sure that Deep State and their friendly corporations have all our best interests at heart.

  19. cdr says:

    https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

    I got this link from google for an Eqifax security freeze. Google found it immediately.

    I placed freezes on all four agencies last Sunday morning. Fast and easy. All but one was free while they each could have charged $10 in my state. A couple asked security questions. One I had to guess on because it was so obscure (credit limit on a credit card I use mostly for gas and hotels because of the high # of points offered for gas and hotels … ?????) None of the above was the correct answer for a lot of questions.

    If one million people, more or less, art hitting the web site at the same time, service will be slow.

  20. panamabob says:

    After numerous attempts aimed at Transunion I found this phone number
    866-744-8221
    Good Luck to All

    • Wolf Richter says:

      Commenters have also reported that they were able to initiate a credit freeze with TransUnion via this number: 888-909-8872.

      • Panamabob says:

        Wolf, you might want to post the number for transunion 866-744-8221
        in your next article concerning this fiasco, mild choice of word, I mean F-up. My call took only 5 minutes though it was conducted with an Indian that I barely understood. I checked my bank account and found a $10 charge indicating success.
        You are running a wonderful site with great comments from cool followers unlike other alternative sources e.g. (ZH).

    • Mary says:

      Thank you! This number WORKS. The number I was given in my failed attempts to do a credit freeze online with Transunion (888 909 8872) does NOT work.

      • Panamabob says:

        Mary, I’m glad to help. Everyone needs to pitch in all areas, we are all in the fight of our lives against the powerful entities that are destroying our once great Country through greed and unbridled corruption.

  21. wkevinw says:

    Have to disagree or qualify the statement about education not mattering after a while. At least two of the people you mentioned (Jobs, Gates) are geniuses at their niches. Zuckerberg is evidently good at something, but I have yet to figure that one out.

    I can tell you that certain technical fields require some kind of education to be good at (unless you are the rare genius). Some medical fields, certain physical sciences, etc.- maybe including computer science/security.

    I would be very unlikely to have put a person with a music education in charge of my company’s computer security- no matter how well they had done at a previous work assignment. Also unlike FB, MSFT, AAPL, Equifax is an old company- with lots of administrative/bureaucratic management ladder climbers. I think they found a couple.

    A lot of big, old “technical” companies have actually suffered because of this type of promotion process. Forming “partnerships” of various types with foreign entities is a business activity. The non-technical business types too often then give away the technical secrets- because they don’t recognize their technical value. Then your foreign partner spawns foreign competition.

    Even technical companies suffer from this: see AAPL vs MSFT and the Windows product story.

    • d says:

      Gates

      Is not and never was a genius.

      he is just a not very good thief who knows how to hire and lie.

      He tricked IBM into using his incomplete beta wear obtaining that much money through anticompetitive trade practices. That he is now unstoppable. Misco$oft will go the way of HP Ect after he is gone.

      Unless it finds anotherr mind as devious as his. To keep the Monopoly Monstter That is Micro$oft going. No monopoly entity lasts for ever.

      Micro$oft has fallen off of a l most Anti competative regulator radars due to teh )* Banking issue staht are still not over.

      When the Eu runs out of other targets and Issues they will return to Micro$oft. Brexit and the Conflict over more Euro less Euro states will slow the Eu down for a while.

      • alex in san jose AKA digital Detroit says:

        Gates was an upper-middle-class kid who was destined to become a corporate lawyer. His family was/is very prominent in his home town and a Gates could shoot a little old lady dead at high noon and no one would blink. Little Bill got into these computer things because his dad had a computer terminal installed in their house for little Bill to play with. Billy might fall off a polo pony, so this probably seemed like a better toy. Programming in that time was really simple, BASIC or assembler code. So Billy could look like a superstar with a letter effort. And being raised to be a lawyer, he grew up with the idea that ethics are an expensive and un-neccessary frill.

        Billy only dropped out of school when he sensed a LOT of money to be made with everyone and their dog getting a “home computer”.

        He did it lawyer-style: Make it so everyone HAS to use his software.

        He was essentially a lawyer who learned how to program; the opposite of Richard Stallman, a programmer who’s learned to lawyer, a bit, in self-defense. Stallman’s the “free software for everyone” guy.

        But Gates is a classic example of how a pinch of IQ and a wheelbarrow full of money will always beat a pinch of money and a wheelbarrow of IQ under our system.

        • wkevinw says:

          I generally agree with the Gates story. However, he did have a spark of genius to get into the business with the right model, right time, etc. It wasn’t only Stallman who was into the free software idea- that was the prevailing “wisdom”. Gates/MSFT disrupted that for sure.

          That’s what genius is- there is also a LOT of luck involved for anybody who is financially successful. There are a lot of very smart people around who struggle financially.

        • d says:

          “But Gates is a classic example of how a pinch of IQ and a wheelbarrow full of money will always beat a pinch of money and a wheelbarrow of IQ under our system.”

          Yep

          He is also a thief.

          https://en.wikipedia.org/wiki/Pirates_of_Silicon_Valley.

          If you can still get it on DVD/Stream.

    • wkevinz says:

      Zuckerberg is related to David Rockefeller.

  22. Kent says:

    If hackers have all of your data, and you’ve never set up an account with any of these companies, what’s to stop the hackers from setting one up in your name? Thereby stopping you from ever setting one up and putting on a security freeze. And they can do it in an automated way for millions of users.

    • cdr says:

      Social Security recommends people sign up on line and secure their accounts to prevent exactly that. A good identity thief or just plain SOB could lock you out of your own account by beating you to the online site.

      • Wolf Richter says:

        Yes, this is important.

        But: If you have a credit freeze in place with the three major bureaus, no one including you can set up an online account with Social Security because it checks the credit bureaus to verify your identity. I know this from personal experience. So that should keep it out of harm’s way.

        In order to set up an online account with Social Security if you already have a credit freeze in place, you need to lift your credit freeze first.

    • Wolf Richter says:

      These credit bureaus obtain their data on you from their client companies (banks, credit card companies, utilities, etc., where consumers open accounts). They’re in a two-way relationship. They report your data to the credit bureaus, and the credit bureaus gather up this data from thousands of companies and then sell it to companies that want it.

      So consumers are never asked about this, and they never set up an account with them. Most Americans don’t even know what these credit bureaus are though they know their own FICO score, which is based on credit bureau data.

      So if you have a FICO score, it means that the credit bureaus have voluminous data on you.

      There are some people that don’t have any kind of credit and may not be in the credit-bureau data base (young people just getting started, illegal immigrants, the unbanked, etc.). But since these people have no established credit, and/or no SS#, and cannot be used for borrowing money in their name, they have no monetary value to hackers.

      So if I understand your question correctly, I don’t think that scenario is something I would worry about.

  23. Lycolector says:

    1. Does anyone know the status of pre-breach security-freeze “lift PINs” that had been established with Equifax? (Google not helpful so far)
    2. Why would not a credit-issuing institution now itself not be liable or negligent if could only claim a credit check with Equifax?

    • Lycolector says:

      Please excuse double negative! Why would a credit-issuer now not itself be liable or negligent if it claimed only a credit check with Equifax? How could that now represent any adequate “due diligence”?

  24. Bobber says:

    This does go way beyond Equifax. Now that social security numbers are out in the open, lending institutions need a new way to validate information provided with new account applications. They can’t continue what they’ve been doing because of the fraud risk. Dealing with stolen identities is a hassle for the lending institutions too. The industry needs to come up with a new validation standard, and quick. Maybe you’ll have to open new accounts in person, with picture ID. This is how the airlines verify passenger information.

    The bad side is the credit industry may use this as an excuse to get even more personal information from you. Maybe they’ll want your eyes scanned or your face scanned for easy digital verification. I think that’s where this is going.

    • Petunia says:

      I get asked if I want to open an account at almost every store I shop in. They don’t do credit checks, they open a new account with a picture id and a major credit card. The freeze won’t stop these accounts from being opened from what I can see.

  25. Mary says:

    I just managed to complete credit freezes on Equifax and Experien. Transunion another story. They have a very complicated process you have to decipher, making you “register”. Lots of odd questions to “verify” my identity. Asked about town and street where I live. They had information that was over 17 years out of date. I assumed it was a trick of some kind and clicked None of the Above, but apparently not. They froze the online form and directed me to a phone number that is probably ringing on Mars. Now I cannot get back on the site…Sheesh!

  26. David G LA says:

    I love the MSM headlines about the two execs fired. Like that’s supposed to resolve his total fiasco? “Throw the people something!” wink wink. Oh and here’s 10 million dollars hush hush money – oops – I mean “severance pay.”

    Re : feeeze. I’ve had them in place for 15 years. Had to unfreeze 5 or 6 times (car, mortgage, refi).
    TIP: to avoid paying the “unfreeze” fee for all 3 agencies, you can sometimes ask the creditor – “which agency do you use?” They won’t always tell you, but if they do, you only have to unfreeze the one report. saves you 10 or 20 bucks each time. (-and when they don’t tell me, I Google around – there are web sites that list which creditors use which agency)

  27. GSH says:

    Don’t relax once you succeeded freezing your credit info with all three companies. You need to TEST that your information is actually frozen. Try to open a new credit card account. It should get declined. But I would not be surprised if there was a “glitch” in their freeze protocol.

    • polecat says:

      With all the bs these credit …. uh …. ‘@gencie$’ have been doing ( sticking fingers AND toes in dike !!) to slow or stop the lowly mopes exodus, what’$ to say these credit criminal @gencie$ AREN’T even bothering to freeze as directed by the ‘product’ ??

      I mean, I really, at this juncture, wouldn’t put it past them to make such a malicious decision to maintain corporate viability !

  28. Sk says:

    I had no success with any of 3 even after trying several times for several days. Basically, they freeze you out by saying they could not verify my info or the system is unable to process but provide no specific reason. Instead, ask me to request the freeze by calling their number or mail request to a PO BOX with a whole bunch of documents. Both of them are useless because it will be impossible for their employees to process that many requests even if we wait in line for a year. Bottom line is, yes, they are making it difficult to freeze your files. … In my opinion, this entire credit collection system is like a criminal gang business meant to exploit people without their consent and SHOULD BE OUTLAWED. If nothing else, at least, the law should mandate that credit security freeze should be provided by default, at no cost to everyone…. Also, Don’t forget to WRITE YOUR CONGRESS REP AND SENATORS some blazing RECOMMENDATIONS while they are also pissed off about their files and perhaps want to do something.

  29. Maximus Minimus says:

    Equifax is now investigated in Canada, too. It will get more expensive to bribe it’s way out of this. It might be wise to guide the earnings lower? Maybe even…Canadians we will be able to freeze their accounts?

  30. Gershon says:

    Of course, in our crony capitalist wonderland complete with captured or criminally negligent regulators and enforcers, and with both political parties on the make and on the take, there will be much bloviation by “our” elected officials even as they pocket fat lobbyists’ checks from Equifax to ensure the guilty parties in the matter escape with the usual slap-on-the-wrist fines or minor administrative actions, while the worthless SEC and other captured regulators conduct their usual so-faux “investigations” that ensure no punishment for the guilty or justice for the victimized.

    Until We the People throw out en masse the corrupt, complicit political enablers and accomplices of these grifters, we better expect one DELIVERANCE-style reaming after another.

    • Winston says:

      Outstanding! Couldn’t have said it better myself.

      However, on the “Until We the People” part, six out of ten of “we the people” only read headlines and then pass them along as entirely factual without reading the article which MIGHT contain, on the rare occasions where the author is honest, facts which reduce the validity of the click-bait headline. A vastly higher percentage of “we the people” don’t know even basic economic theory nor anything about the Constitution or the Bill of Rights. They have also never learned the learned skills of critical thought and skeptical analysis.

      So, don’t hold your breath. I’m not. We live in an idiocracy.

  31. Gershon says:

    Hiring a music major with zero related experience or credentials to head up your IT security department seems like gross negligence on the part of Equifax, but who cares, as long as it’s only the proles who are getting ripped off – nobody important – and no company in our crony capitalist wonderland need ever fear being held criminally accountable and liable for its misdeeds and failures.

    http://www.zerohedge.com/news/2017-09-15/another-equifax-coverup-did-company-scrub-its-chief-security-officer-was-music-major

    • Wolf Richter says:

      Check her 15+ years of corporate employment history listed in the linked ZH article, including at IT companies EDS and HP. Plus at a bank, presumably at the IT department.

      Also a person her age is always advised to put no more than about 10-15 years of employment history on the resume to downplay your age. She looks to be older. She might have 25+ years corporate work experience in some kind of IT fashion. We don’t know.

      • cd says:

        Wolf,

        Your making excuses up for her age, previous employment etc. Just because you maybe did IT at EDS doesn’t mean anything. They don’t deal with credit files. She was inept,clueless and underqualified and this will be the undoing of Equifax. I expect them to be shut down. The most incompetent hire ever is how I see it. She was a child surrounded by wolves with no real world experience.

        My friend owns a credit agency and just went thru 3 months of hell on his security from Eqfx and yet they let the wolf guard the hen house. I look forward to the company going under. They deserve it.
        I bought ABS paper for years and used to look at 200 credit files a day so I understand the issue closely.

        This class action law suit will be like no other, its time to do away with the credit world to begin with. A bunch of sharks that swim around folks and take bites out when they see fit. I’m shorting them to zero

        No more excuses, the lady was an idiot

        • Wolf Richter says:

          Oh, I agree. And she should have been shown the door long ago. It’s just not the music degree from decades ago that bothers me. It’s the way she did her job.

          I also suspect that the company put a low priority on the security of its IT system, didn’t want to spend enough money on it, didn’t hire the right people, didn’t have an iron-fisted dedication to it…. That’s why I implied that the CEO should have been told by the board to leave so he can spend more time with his family. This kinds of stuff doesn’t happen because some IT manager screws up. It happens because this is a low priority for the company and it allowed it to happen. That’s the CEO’s job. His head needs to roll.

      • Petunia says:

        Wolf,

        I’m with cd on this one. Heading computer security at a big firm is a technical job. Had I held the job, I would have made it my business to know the nature of the other attacks that resulted in the patch. I would have also wanted to know the technical details of how the patch was created. I would have read the open source code line by line long before installing it on the system.

        I listen to conferences on computer security all the time and most of them are 99% crap. I’m sure the lady at Equifax attended them and thought she was on top of things.

        • Maximus Minimus says:

          Yep, I am sure she knew all the right buzzwords. Happens all the time. But it is professional negligence if in charge of IT security for a company collecting detailed personal data.

  32. StucKYProgressive says:

    Thank you Wolf for all you do, but especially this Equifax credit freeze story. I was so disturbed by it that I did all 3 for myself online early Saturday 9/9/17 and had no problems at all. In KY, it cost $10 each, but according the the KY Atty General’s website freezes only last 7 years.
    Starting Monday morning, I introduced the topic into my community college classes, just to get the words “credit freeze” out into the local population. The older students were freaked out immediately (properly so). These are mostly low-information citizens and at high risk of being exploited (blue collar, service workers, and retired military folks). I’m also helping my age 70+ parents because they aren’t online literate enough to do this stuff themselves.
    Wolf, do you think the banks are strong enough to deal with situations like having to resolve thousands of bogus charges (per day) that might result from this? Who is on the hook for those charges? Do retailers, for example, have to eat the cost of a bogus credit card order? (Are debit cards also at risk?)
    I fear the potential negative effects of this on the economy generally could be massive.

  33. Petunia says:

    This is yet another wake up call on our way to globalization, digitization, and a cashless society. How does it feel, all warm and fuzzy.

    Those hurricane victims in south Florida can’t get money out of an ATM or use their EBT cards. You guys are pulling out your hair over the Equifax breech, which is just another in a long list of similar breeches. Remember Target and the government employee breeches not too long ago. Even one of the security software companies lost their software to an attack some years ago.

    There is no such thing as privacy and there is also no such thing as computer security. I have some news for those of you who are not technical. The best way the tech industry has of dealing with computer security is to buy insurance. That’s right, they know they really can’t keep intruders out, and they want to be able to insure against the losses.
    So far that’s the best they can come up with as an industry.

    • polecat says:

      “warm and fuzzy” ….

      Wecome, Petunia, to your frigid, and sharply spiked, digital iron maiden …. as we all too await such a fait !

      Who in ‘Authority’ can one trust anymore ???
      I say … No One ! … certainly not CONgress, or the fine folk @t JU$T-U$ !

      • Petunia says:

        For Pete’s sake…just wait.

        • polecat says:

          I’ve been waiting for going on 8 years for sanity to make it’s appearance ….. to no avail ! … while our (Ha !) government dithers and dwaddles as they collect their vig … I’m at my limit !!

  34. Alex says:

    Where does Innovis fit in the CRA scheme, and do I need to be concerned?

    • Wolf Richter says:

      Here’s what I said about Innovis in my article a few days ago:

      “You may also consider putting a security freeze on lesser credit bureaus, such as Innovis, as some commenters have pointed out. But they might not yet have your social security number, which would be a good thing. So you’d give it to them unnecessarily; I have no recommendation on this.”

  35. Enquiring Mind says:

    Credit bureau former business client here.

    I had occasion to work with the three bureaus and some business-side vendors such as Dun & Bradstreet. When I tell you that those vendors are categorically inept, that is an understatement. They can not get out of their own way. I had to work with them so I developed persistence and patience, and learned to navigate their byzantine structures and try to understand their language. They did not communicate internally, so one department was at odds with another one and clients were left to try again and again to get them to understand, cooperate, acknowledge and complete what should have been simple tasks.

    Advice for consumer credit people: Always document everything you do, get names, dates, phone numbers, email addresses. Print out copies, check, verify, and set reminders to check again. Make them acknowledge in writing what they say that they are doing, and then confirm that independently.

    The sheer ineptitude and willful obtuseness of those institutions was maddening. Transparent they were not.

  36. Stephen Haust says:

    Wolf,

    Have you seen the conditions (Terms of Use) that TransUnion imposes on you if you use their web application to initiate a credit file security freeze?

    First, you have to “create an account”. I suppose that makes you their customer. In doing so, you agree to the following (Capitals theirs):

    “IN ADDITION, TRANSUNION AND ITS AFFILIATES DISCLAIM ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT AND INFORMATIONAL CONTENT. THEREFORE, YOU AGREE THAT YOUR ACCESS TO AND USE OF OUR SITE, PRODUCTS, SERVICES AND CONTENT ARE AT YOUR OWN RISK. BY USING OUR SITE, YOU ACKNOWLEDGE AND AGREE THAT NEITHER TRANSUNION, ITS DOMESTIC SUBSIDIARIES, NOR ITS AFFILIATES HAVE ANY LIABILITY TO YOU (WHETHER BASED IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE) FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH YOUR ACCESS TO OR USE OF OUR SITE, CONTENT, PRODUCTS OR SERVICES (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), INCLUDING LIABILITY ASSOCIATED WITH ANY VIRUSES WHICH MAY INFECT YOUR COMPUTER EQUIPMENT.”

    In other words, these guys don’t even bother with mandatory
    arbitration. They go straight for the kill.

    Besides that, they make it difficult, maybe even impossible to get
    a freeze by mail. You cannot send certified mail to them that the
    Postal Service will guarantee because TransUnion provides false
    addresses:

    P.O. Box 2000
    Chester, PA 19016

    P.O. Box 2000
    Chester, PA 19016-2000

    do not exist. In the second case, even the zip code does not exist.
    I do not believe this to be accidental.

    Please file complaints with your state Attorneys-general and with the
    CFPB.

    • Wolf Richter says:

      This looks like the standard you’re-screwed-if-anything-goes-wrong corporate language that you see whenever you sign up for anything.

      • Gershon says:

        It’s a shame that “our” elected officials serve only their corporate and oligarch donors instead of their constituents. As far as I can tell, there is literally nobody in this country looking out for the public interest. Not the politicians, not the (captured) regulators and enforcers, not the so-faux self-proclaimed “champions of the middle class” like Elizabeth “Fauxahontus” Warren, not the media, not the judiciary – nobody. The corporations can screw you over with impunity, and there’s not a damn thing you can do about it.

      • Stephen HAust says:

        Yes, of course it is. I agree but:

        1) How is it that they get to add this to a legally mandated
        operation that they have to perform. They are not voluntarily
        offering a product here and the parameters of what they have
        to do are pretty clearly stipulated. Except that, at least in PA,
        they have the choice of offering a “secure internet connection”
        and there they evidently consider that as they are doing a bit
        more than legally required, this gives them the right to
        include such garbage and gives us the need to fight it.

        I do wonder whether it could stick, not being familiar with
        courts’ view of such thuggery. Also in light of the heat Equifax
        has taken over their mandated arbitration requirement, is it
        likely that anyone will stand up to TransUnion over language
        that is even worse. Then a question arises over whether they
        would back down or not. Given that their Corporate General
        Counsel, John Blenke, held a variety of positions with Household International, Inc. (predecessor to HSBC North America), we
        pretty much know where they are coming from.

        2) Is this why they make it difficult to request a security freeze
        using certified mail by promulgating addresses that do not
        exist? These two addresses are what they provide on their
        “Contact-Us” page and I believe they know them to be false.
        Upon taking my requests, already prepared for certified
        mailing to my local Post Office, I was informed that even they
        know these to be fake. Not only that, but these are the
        addresses you will be given if you ask the CFPB or your state’s
        attorney-general.
        I ended up putting my requests into an overnight Fedex mailer
        and even then TransUnion declined to accept them on the
        first attempt. The item was delivered the next day, according
        to Fedex tracking, but who knows what obstacles TransUnion
        will put in place or if they will simply deny having received
        anything. This is what I anticipate.

        3) I also wonder whether they will attempt to add these terms
        to a request received in hand at their physical premises and
        anticipate that they will. That is, supposing they don’t simply
        deny receipt. ( Hmmm, where have we seen this movie
        before? )

        These people are scum and a disgrace to the entire financial
        services industry, so please file complaints with your state
        Attorneys-general and with the CFPB. And do it again and again,
        each time they add a new layer of obfuscation and recalcitrance.

    • Jeff says:

      Always call the toll free number and record the call, with notification to them of course. Get the name and the employee number of whomever you are talking to, add the date, day and time of the call to the recording.

      Never deal with them online, that just hands them your I.P. address.

    • Nathan Brazil says:

      I wonder how you decided that address does not exist?
      In the reverse lookup I did19016 is listed as Chester, PA in Delaware county.
      http://www.areacode.com

    • The next step in the process is Congressional hearings and knowing how much consumer credit affects the economy do you think the elected officials are going to find anything?

      • d says:

        They better “Find Something including a new model for credit applications probaly negative reporting and more due dilligence by lenders.

        The old credit score model is dead in the water The private data of 150 Million + Americans, has been compromised FOR LIFE NO PAROLE.

        If Congress looks into it they may actually find, economic warfare, not crime is the Culprit here.

        How to hurt Americas Economy simply.

        Kill its credit system. Which runs on Credit reporting agencies.

        Which this Hack/Intrusion/Data breach, has just effectively done.

        So the first this a that should be established is WHO from WHERE.

        That much data does not move around the net without leaving traces.

        A responsible POTUS would already have instructed various agencies FIND YESTERDAY LAST YEAR.

        But wait America does not have a POTUS.

        So nothing will be done from there.

  37. Stephen Haust says:

    I had not read all these comments before making the above comment. Now, I have done so and I am simply stunned. I do not understand why anyone would do all these things and particularly why they would not look at the terms.

    These security freezes are mandated by state laws. It is not federal. I got a copy of my state’s law (PA). It’s simple. They have to do it. They have a deadline – five days. They have to provide a working toll-free phone number to allow a consumer to receive information about how to request a security freeze. They have to designate an address to which you can send certified mail. They have another deadline too. In ten days they have to send a written confirmation with a unique personal identification number. There is no allowance in the law for them to impose additional legal conditions.

    On the other hand, when did anyone ever expect these people to be normal, law-abiding citizens?

    By the way, my local post office informs me that I am the only one in the community who has bothered to do all that (certified, etc.) although in another post office I overheard a clerk tell someone, “Oh yes, it’s been the week for certified mail”.

  38. mtnwoman says:

    I froze all three a week or so back.

    I am about to pay off my mortgage. Anyone know if I’ll have to unfreeze (one, or all?) to process my upcoming mortgage pay off?

    • Petunia says:

      Your mortgage is with your lender, the lender reports your payments to the credit bureaus. This does not affect your payoff. But if the credit bureau gets hacked again it could affect the accuracy of what is in your credit file.

    • Wolf Richter says:

      Paying off a mortgage shouldn’t be a problem with a credit freeze. But if you want to get a new mortgage, you’ll first have to life the credit freeze.

  39. Stephen Mapes says:

    been on hold waiting for equifax to freeze for over 30 minutes to no avail. the ceo should be indited.

  40. Jim Davey says:

    Just tried to register with Equifax, it took my social security number, dob, etc .. And then sent me a message that says “We are currently unable to service your request. Please try again later.”
    I think I got “serviced” by Equifax deeply and without a prophylactic …. AGAIN. And in Americant … I’m stuck with their “service” in my financial bottom. BofA screwed me once by forcing me to stop making payment s to get a mortgage reduction then my FICO went from 810 to 526) and it took me ten years now to slightly recover; no Bk, no foreclosure … moved out of US to pay-off all debt; moved back and now this. This system is predatory. It is also not sustainable. When the 1% have no one left with “good credit” … meaning ability to enslave themselves more, then what? I just read everyone’s FICO in Houston & Florida just went down.

  41. Thomas says:

    Is security freeze with one credit bureau enough to freeze it all, or you have to ask for security freeze from each separately?

  42. Davis says:

    Company’s working with ancient technologies still use Struts because it requires to redo the work and move to something modern and secure. I’ve seen Struts in job descriptions from some big companies such as Cisco; amazing that big companies still use such an archaic tool.

    Also, note that each developer that these companies hire is expected to perform the job of 2-4 people. So, not only there is no loyalty to the job or the company, but the developers are simply burnt out day in, day out. If the developer tries to perform a decent coding and decent research to make sure his/her code is not problematic, he will be kicked out in no time because he will seem too slow.

    They want to pay for one developer, but expect him to perform tasks which were carried out by 4 people in the old day; they want proper development, they better pay for it.

  43. Jim H says:

    When trying to do security freezes with the big 3, I found it easy with Experian, difficult with the other two. (This was between Friday 9/8 and Monday 9/11. The ground apparently has shifted so this may not apply.)
    What finally worked for me with Equifax & Trans Union were the automated phone numbers linked in the FTC page linked here:
    https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

  44. MC says:

    A good part of the US economy is built on useless middlemen. Consider how drugs get to you via pharmacy, there is a whole industry worth of middlemen taking their cut in the name of reducing cost, what they are doing is leeching off the consumers.

    The main problem is that we (as a society) are stuck with not being able to effectively prevent our information from being shared in the first place. The problems started with the banks, then tech decided that people were good products, and we get the don’t be evil, but we are truly the evilest bastards in the world digital ad firms. (I refuse to call Facebook and Google tech companies, technology is not how they generate revenue)

  45. Boiled Coffee says:

    A simple, easy solution would be to just have consumers be able to request a credit freeze from all 3 bureaus at once via the FTC, exactly through the same avenue that you can request your free annual credit report.

    • Mike says:

      I couldn’t agree more! The whoe credit agency system is broken. It’s supposedly covered by federal law and then each state decides if you get charges as well?

  46. DZ says:

    Hmmm- Equifax stops credits freezes now??

    System Currently Unavailable – Error 500

    We’re sorry. We cannot process your security freeze request online at this time. Please try back later.

    To make a security freeze request with the other national consumer credit reporting agencies, please contact Experian and TransUnion:
    Experian,P.O Box 9554, Allen, TX 75013 (888)397-3742
    TransUnion, http://www.transunion.com ,P.O. Box 2000, Chester, PA 19016 (888)909-8872

    Thank you for giving Equifax the opportunity to assist you.

    • Nathan Brazil says:

      It took me half a dozen tries to get past that screen, I imagine the site is simply overwhelmed. It’s almost a credit to them that it is still working at all.
      Be persistent and try after midnight.

  47. Thomas says:

    Based on the Links that Wolf provided in the article, I was able to freeze all 3 easily. I think you have to be very careful and provide the correct info; don’t rush. Also, use Firefox or Chrome to perform the freeze. I used Firefox.

  48. Anon1970 says:

    I have had a credit freeze in place at all three companies since 2005, soon after they became available in California. I completed the process via certified mail. Check with your state attorney-general’s web site for current tips on placing freezes on your reports.

    You can request copies of all three of your credit reports for free by calling 1-877-322-8228. You are entitled to one free report from each agency once a year. If you have never seen your credit reports, be prepared for errors and obsolete information on the first set of reports.

    Although you can request all three reports at once, starting the second year of reviewing them, I would space them out and request one report every four months.

  49. Caralda says:

    I haven’t seen this in any of the articles or comments—but if I freeze my credit, how does my auto insurance calculate my premium? They base it off of my credit score, which they occasionally look at. Wouldn’t this sound off alarm bells to them? sigh…

    • Wolf Richter says:

      I’ve had a credit freeze in place for many years, and my auto insurance has no problem with it.

      There are two things to note:

      1. A credit freeze doesn’t impact an existing relationship. So your current insurer will continue to get the data it needs from the credit bureaus.

      2. You may have to temporarily lift the credit freeze if you want to change insurance companies or need a new insurer.

      • Carlada says:

        OK, thanks for the reply/info. I like to take advantage of new credit card offers (0%, sign-up bonus, etc.) so am a bit leery of freezing my credit, but good to know it shouldn’t affect my car insurance—I have a pretty good rate and don’t want it getting whacked!
        P.S. Cleared my cookies and spelled my name wrong ;) haha!

  50. salamander says:

    Thank you for the good advice. I agree that it represents the best possible response to a situation beyond our control.

    Question for you and the crowd, however.

    As I did this, one agency asked for account creation, and one asked for creation of a pin. If I recall correctly, Equifax and Innovis merely used my personal data to confirm my identity.

    So here’s the thing:

    If an identity thief stole that data, then he/she has all the information needed to lift the freeze, as well. No?

    So are we counting on simply being harder targets? This is like adding a lock to your front door or an alarm on your car… we’re hoping thieves move on to the millions that won’t bother taking this step?

    Because here’s what I’m wondering – for the security experts out there: I’m guessing data thieves of this class, stealing this volume, don’t directly try to exploit the data. I’m thinking they go darknet, and sell it off in tranches, likely to organized crime. Imagine an entire division of the Triad, the Russian mob, pick your bad actor… working this data like a nine-to-five job.

    Won’t it eventually trickle down to a “case officer” working a handful of identities, more than willing to invest an extra twenty minutes to lift a credit freeze in order to steal tens of thousands of dollars in the victim’s name?

    Somebody please tell me how I’m wrong…

    Hell of a world we’ve built.

  51. Jeff says:

    I detect seething rage in the working class. Of course, every interaction I have with retail clerks and service people is an opportunity to repeat the simplified details of the latest outrage. ;-)

    Every one of these headlines adds fuel to the fire. We will know that America is not based on fraud when one of these CEOs, Wells Fargo, Equifax, Sears etc. is arrested, tried, convicted and sent to federal prison.

    Until then, we are in a rigged carnival con game masquerading as a democracy.

  52. Rates says:

    Paid 20 bucks to place a freeze for TU and Experian. Would like to thank Wolf for compiling all the info.

  53. Anon1970 says:

    If you have never been a victim of Identity Theft and think it is not a big deal, read this story from Bloomberg:
    https://www.bloomberg.com/news/articles/2017-09-13/my-three-years-in-identity-theft-hell

    • alex in san jose AKA digital Detroit says:

      Anon1970 – I know a guy who’d experienced identity theft a few years before I met him. He paid for everything cash. He was into ham radio and once every couple of years he’d fork over a few thousand, cash, for the latest and greatest radio, and sell his old one on consignment. He drove an older car, typically a rental he’d buy from a rental company, paid for in cash. He had no computer hooked up to the internet at his house. He was completely “unwired” – he’d only use a computer that was online at places other than his house. Except for the expensive radios he was pretty damn frugal and very damn paranoid.

      It changes your life. Wises you up very fast, I’d say.

      • d says:

        “It changes your life. Wises you up very fast, I’d say.”

        When some A hole comes to your property produce handcuffs and tells you are going with him as you owe offenses, commited by vehicles you have never owned committing offenses in places you have never heard of and will not listen to then truth.

        IT REALLY DOES.

        What rerally bites is when you finally prove them wrong they will never admitted it. Always claiming you lied your way out of your liabilities.

        Its a little easier with Debt collectors as they back off when you tell them I will sue you and prove I have never been to that town to get credit for anything and am not a participant in the industry that uses those thing’s.

        Thats 1 reason why i own nothing everything is in trust’d or entities owned by trusts. When the state or debt collectors come calling I simoply tell the bring it on. I own nothing these arent my liabilities.

        Judges have a real problem with peopel a who tell them I own nothing these aren’t my liabilities. So lock me it will coast you 1000 plus a week to keep me locked up and a lot of grief when I finally make you understand I am telling the truth, these liabilities are not mine.

        Last time it was 35K’s worth, the judge said to the prosecutor, you cant prove who is truly responsible for these liabilities, I am rescinding all of them. Highly pissed Prosecutor and revenuers ,who didnt get paid, again.

        Identity theft is FOR EVER. Been happening to me for over 37 years now.

  54. mean chicken says:

    Morality doesn’t exist at the corporate level.

  55. Mark says:

    I just placed a security freeze with Equifax; however, Experian and TransUnion both give me the “unable to process your request at this time messages.”

    Experian even has the gall to ask for all my personal information plus “one copy of a government issued identification card, such as a driver’s license, state ID card, etc., and one copy of a utility bill, bank or insurance statement, etc” by US Mail, AND a check for $11.01.

    Wrote both my senators tonight about this bullshit. I am furious…

  56. Old Farmer says:

    I’m an early riser. I got online at 4:30 a.m. Sunday and placed all three freezes quickly and without incident.

  57. Mike says:

    WTF I have to setup an account now at Transunion to apply a freeze? Equifax site crashes and times out and Experian’s site rejected my freeze.

    These scum bags are doing everything to make it near impossible to apply a freeze!

  58. Bill Murphree says:

    This may have been covered, if so I apologize:

    Is the thought that a company like Lifelock cannot protect you?
    Also: Does a corporation need to make the same protected measures?

  59. Bobber says:

    When people apply for a credit card or loan, I suppose there is a provision in fine print saying you must allow the credit provider to transmit your data to credit rating agencies such as Equifax.

    I wonder if this means the credit companies and banks are ultimately responsible for securing that information and liable for damages. Maybe CEO’s like Jamie Dimon should spend less time in political posturing, and more time on banking’s basic responsibilities.

    • Mike says:

      The same thing was crossing my mind but I was thinking about my banking institution. Each month they provide my mortgage payment and balance history to each of the credit agencies (I can see it reported on my credit report). What redress do I have against my bank for supplying information to a company that has not taken prudent to protect my personal information? Did my bank obtain a copy of the SSAE 16 (SAS 70) audit evidence that Equifax had the necessary controls in place to protect the said data? Did Equifax obtain an independent audit of its controls to protect data and the IT change management and emergency code migration processes and procedures?

      • d says:

        THis will come out in lizzies enquiry.

        The whole model of the agencies collecting and holding all these identity #’s and data for free then selling their conclusions may be challenged.

        Wehavea BAd cedit system in our country.

        they only list you if you are bad. then it is up to the lender to do theri due diligence and decide.

        These agencies are not allowed to hold or release DL, SS, bank #, or march them to credit card #’s, The system is based on Ability to pay and history of non payment so Liar loans are much harder to obtain. As is credit (apart from the stores that give credit to anybody to obtain market share) which is good.

        Living on Credit is expensive, the system in the US encourages peopel to do that.

  60. Bill says:

    The TransUnion address given via my state’s PDF with security freeze instructions was wrong. The PDF says it’s Trans Union Security Freeze, P.O. Box 6790, Fullerton, CA 92834-6790.

    But when I called TransUnion, a pre-recorded message said it is: TransUnion LLC, P.O. Box 2000, Chester, PA 19016.

    A friend who is a cybersecurity expert said that one of the best programmers that he ever worked with was someone who started out as hairdresser. So, Ms. Maudlin’s music background certainly doesn’t discredit her outright. In fact, musicians tend to have very strong math/science skills. Or, she may have screwed up. I don’t know. But saying she was in the wrong position just because is speculative.

    I can think of one reason why the hackers might want to freeze victim’s account first: ransom. It’s effectively the same thing as ransomware.

    • Stephen Haust says:

      @Bill:
      How did you find out? I knew also that the Fullerton address was
      floating around but did not know that it too is fake.

      Box 2000 in Chester, PA does not exist. just go to your post
      office with a certified mailpiece addressed there and you will
      be told this. They will likely suggest you alter the zip code to
      19022. There is apparently a P.O Box 2000 there but P.O.
      does not know to whom it belongs.

      If you are really daring, you can try a physical location:

      1510 Chester Pike
      Crum Lynne, PA 19022

      I have had a request actually delivered there but who knows what
      will become of it.

      Please file complaints with the CFPB and your state’s
      attorney-general. Let’s at least keep them on the hop.

      • Bill says:

        Stephen,

        The P.O. Box 2000 address is listed on the transunion.com website. If I had to guess, TransUnion made a recent (or last-minute) change that was very poorly publicized.

        https://www.transunion.com/customer-support/contact-us-consumers

        Scroll down to “Place a Freeze on my TransUnion credit report”

        The PO told me that the P.O. Box 2000 address wasn’t in the system, but in the interest of time, I told them to send it there anyway. If even 0.1% of the affected people freeze their credit, the bureaus will be overwhelmed.

        BTW, I tried to do it online and was blocked. Others on this blog are saying they got all three bureaus to freeze their accounts in no time. Must be a state-by-state thing?? Equifax charged me first before notifying me that I had to submit the request by snail mail. A minor inconvenience if I actually get my accounts frozen like I want to.

        • Stephen Haust says:

          Nope, not last minute. It’s been that way for at least
          several years. That is, the box 2000. Fullerton, I don’t
          know how long.

          As far as sending it anyway, I also had that option. The P.O.
          will dispatch it for you but without any guarantee. Then,
          supposing someone signs for it, how do you know who
          that is. They are not going to acknowledge that it is or
          is not TransUnion. Equally with the other zip code. You
          can make those changes but they are your own and
          whatever happens, TransUnion is going to disavow having
          anything to do with it. They might get it or might not.
          How do you know? In any case an army of lawyers is
          waiting to crawl all over you denying everything.

          The purpose of all this is deliberate – to defeat the
          reason for certified mail which is to prove that they
          received what you sent them. Well, that’s my opinion.
          Others may attribute it to sheer, massive incompetence.
          Except that it cannot be just that. In PA, for instance
          the law requires them to establish an address where
          certified mail to them will be accepted. They have not
          done so. It equally requires you (us) to use certified
          mail for this purpose. But we can’t.

          Incidentally, from what I am hearing, if you send regular
          mail to “box 2000” they will probably get it. After all,
          what else would the Post Office do with all that stuff.

          No, the real reason is to eliminate what you really need,
          which is proof that you communicated with them. You
          cannot follow up any claim against them or anyone else
          without that.

          Of course, you could also just walk into their building
          at 1510 Chester Pike and hand them your stuff. I bet
          they would refuse to give you a receipt.

  61. Panamabob says:

    ‘Johnny A Personality” I’ve met a few of those in my 68 years on the planet, and have befriended a few. They have been crapped on in their jobs, screwed over by their family, wife cheated, dog died, and they lost their $300 jalopy due to repossession. They have dismissed long known friends or scared them away.
    Poor lost souls beyond help from even the givers in this world. Everyone has downs during their life, some can’t get up and give up trying.

  62. Stephen Haust says:

    Truly bizarre behavior now. At TransUnion!

    I had prepared my freeze requests (1 for me, 1 for my wife) for
    certified mail before taking them to the P.O. and being told the
    addresses don’t exist. At a loss as to what to do, I took them to
    FedEx and put both in one envelope, still with the certified mail
    labels and return receipt attached, and sent them to the
    physical location at 1510 Chester Pike, Crum Lynne, PA, 19022.

    Today, I got back the return receipts in the mail. They have
    received the requests, stripped off the postal stationery and
    mailed them back to me. They paid no postage and neither
    did I.

    Each one of them, still bearing the P.O. Box address where I had
    entered it, has been stamped “Received” and dated Sep 14 2017
    in the space which asks “Is delivery address different from
    item 1?” There is no signature of any person.

    Obviously, these are not valid certified mail receipts but I guess
    they are adequate evidence that the requests have been received.

    Of course we all know that the fine for using government franked
    stationery without actually paying the postage is $300 each. Isn’t
    it? Don’t we know that?

  63. Todd says:

    Thank you all (Wolf especially) for your guidance. I was able to freeze our (wife & me) credit with Experian and Equifax online yesterday in the middle of the morning (eastern time). Just now completed the freeze online for TransUnion.

    Be persistent and try at different times!

  64. I have just one thought and I hope everyone here gets their credit freeze. If its this difficult to put the freeze in place, how hard will it be to lift it? I am your doctor, Mr Jones you need an operation or you will die. Okay Okay here’s my credit card.

  65. chris Hauser says:

    y’all may consider me simple, but this about sums it up for me:

    https://www.youtube.com/watch?v=nn04q2qwraY

  66. Jim says:

    Hopefully my experience can help others. I just went through the security freeze for each credit bureau for myself and my wife. Did anyone notice Equifax was the easiest to do? They did not request further verification information on their website and did not charge. Perhaps this is one indication for why they were compromised and they others were not, at least not yet.

    Had one question from Experian that could have gone either way. Ended up not being successful. They gave similar notice to send info in by mail. That looked ridiculous and uncertain. So I started the online form over again and got new questions and got through successfully on the 2nd try. This might actually not be a good thing as it would allow someone multiple tries to get answers right.

    Trans Union needed to register an account but ended up saying my wife already had one and to login with that. But we don’t have one and the username and password just created wouldn’t work. Called the automated phone line number given by Wolf, went through the prompts, entered CC info and was successful but now need to wait for letter by mail to my address. It was not difficult to do by phone and had less verification information requested.

    • Stephen Haust says:

      Yes, I did notice that, I suppose. I did all my requests by mail
      because I just am not going to give any of these guys a pass on
      possible liability by using their websites. The first one to come
      back with written confirmation and a PIN is Equifax, but only one.
      I have the return receipt for my wife’s request but none for mine
      and hers is the freeze that came in. Mine is… well, whatever…
      we’ll see.

      TransUnion, on the other hand is still playing the stupidest games
      one can imagine. They got the requests (see my post above) and
      I have proof in several forms, Fedex tracking, the “certified mail”
      receipts that they sent back to me and, most persuasively, images
      of both checks that they cashed. The letter is clear about what I
      want; my identity documents are solid gold and the checks show
      clearly in the memo space that they are payment of the fee for a
      “credit file security freeze”.

      So what did they do? There is a cover letter and this is how it
      begins:

      “Enclosed is the TransUnion Personal Credit Report that you
      requested. As a trusted leader in the consumer credit……”

      Egad! These people can’t even read and they expect to be
      regarded as trusted leaders. I’m not sure what the next step
      will be. Maybe a certified letter to the CEO pointing out very
      subtly what a jerk he is. I already have complaints on file at the
      CFPB and PA Atty. Gen. Those will have to be updated, etc..

      C’est la vie. One commenter in this thread had it exactly right
      when he pointed out that they are “categorically inept”.

  67. Stephen Haust says:

    …..Aaaaand the winner is….

    You guessed it and fair’s fair. TransUnion breaks the tape with two
    fully confirmed freezes in black and white in the mail yesterday.
    Equifax was in the lead from mid-last week with one out of two and
    one each arrived yesterday from Experian and Innovis. So five in
    hand out of eight and waiting for one more each from the other
    three bureaus. But TransUnion breaks the tape with completion of
    the requests and even an extra credit report, for what reason I
    don’t know.

    Still, considering the way they did it, I have to conclude that their
    company is run by a bunch of goofs. In a way, almost like
    Pistorius winning a 1500M run against a herd of crocodiles. Weird,
    very weird.

    In hindsight, I believe I would do it just about the same way again.
    I would use certified mail to their premises at 1510 Chester Pike,
    Crum Lynne, PA 19022. The P.O. Boxes are still fake and can’t be
    used reliably.

    The advantage of certified mail is that any “account” created is
    their doing and not mine. Although burdensome, by doing it the
    “official” way as called for by the legislation I have avoided
    succumbing to the boilerplate imposed by their website and
    still have some protection against potential liability.

    Yeee..Haw..

Comments are closed.