Equifax Breach

By Richard Tomes September 15, 2017 Community Watch

Likely all of our clients are affected by the data breach at Equifax.  This posting will attempt to deal with some of the background, issues and steps you might wish to consider taking.  First, let me disclose that I am not an attorney and none of this commentary should be considered legal advice.  Also, TWPM has no business or other relationships with any companies or websites mentioned herein.  This discussion is not intended to be a scholarly research report on the subject and all opinions expressed are those of Richard Tomes alone and subject to change without notice.  While the information is thought to be accurate, no warranty is given.

 

Background

In the United States there are four main “Credit Bureaus” or “Consumer Reporting Agencies” (“CRA”) that deal with individuals as opposed to businesses.  These are Equifax, Experian, TransUnion and Innovis.  These CRA’s are partially governed under the Fair Credit Reporting Act (“FCRA”); cf. https://www.consumer.ftc.gov/articles/pdf-0111-fair-credit-reporting-act.pdf .

Most are familiar with these companies, if not by name, then by interaction.  Every time you apply for a car loan or lease, a mortgage, a credit card, etc., you fill out paperwork that is then submitted to one or more of these agencies “to pull your credit.”  The loan approval and often the interest rate are determined by what the lender gets back from your file at one or more of these CRA’s.

Many are also familiar with their credit score, a score that is sometimes disclosed when you make a loan application and provided by some credit card companies and other services.  The common term used for this is, “FICO® score,” which is an abbreviation for the Fair Isaac Corporation that invented the score.  FICO is used by about 90% of CRA’s.  The score is calculated by each CRA based on the information that CRA has in its own files about the consumer and, therefore, differs from CRA to CRA for the same individual.  Most are surprised to learn that the credit score generally supplied to the consumer is not necessarily the same credit score that may be provided to lenders.  The score provided to consumers directly is referred to by some in the industry as an “educational score.”  The scores range from 350 to 850 and the higher the score the less likely the lender is to expect the consumer might default.  This may result in the lender offering a lower interest rate.

Because of the possibility of easier approval for credit when needed and the potential for lower interest rates resulting in lower payments, it is good to know your credit score and to manage it to raise it and to keep it high.  A “good” credit score depends to some degree on individual lenders and their own internal lending standards and concerns.  Generally speaking, a score above 720 is good and a score above 800 is excellent.  There is more to the FICO score and actually various versions of it that may be used in various situations, but that is beyond the scope of this article.

Since credit score is so important for modern consumers and managing it may result in better credit outcomes (i.e. approvals, lower rates), it would be good to know how the score is calculated, correct?  Yes, but unfortunately it is a closely guarded secret much like the original recipe for Kentucky Fried Chicken and the Coca Cola formula.  As the individual consumer is so affected by this score it seems that it should be public information, but it is not.  Congress strangely has not acted on this, nor have other Government agencies that might be concerned with the oversight of fair and equal credit practices.  Therefore, it is impossible to know exactly how your own score is deduced.  Yet, there are several things that are known to be factors.  These are (with their approximate importance weighting):  payment history (35%), total amount of debt (30%), your average length of credit history with each account (15%), new credit (10%) and the mix of your credit (10%).  You may read more here:  http://www.myfico.com/Downloads/Files/myFICO_UYFS_Booklet.pdf .  There are strategies that may help and we would be happy to discuss these with our clients, but that is beyond the scope of this current article.

 

CRA’s are For Profit Institutions – And They Do Make Money

CRA’s collect information.  In today’s modern world they may have many ways of gathering that information, including from a person’s social media sites (Facebook, Twitter, etc.) and “for free” email services (gmail, yahoo mail, etc.), big data services, etc.  Traditionally, when a consumer filled out an application for credit (car loan, credit card, mortgage, etc.) the seller (car) or potential lender (mortgage, credit card) sends that application to one or more CRA’s.  Essentially, that information is sent to the CRA for free.  The fee paid by the submitter actually pays for the verification of the information submitted and the analysis of all the data collected about the applicant on file at the CRA.  In some cases, the fee is actually paid by the applicant.  The sellers and lenders voluntarily, as they see fit and on their internal time scale, report the borrower’s payment history (is the borrower on time or not with payments) and account balances back to the CRA’s.

Between the information sent to the CRA’s directly and other more technologically sophisticated sources, the CRA’s amass huge amounts of information about an individual.  This information includes things like name, social security number, birth date, address (present and past), credit accounts, spending habits, preferences, social media accounts and likely such things even as Internet browsing habits, etc.  Through big data (cf. https://en.wikipedia.org/wiki/Big_data ) and other analytical techniques, the CRA’s package information in various groups, types, etc.  Now, this is where many consumers may get very angry:  Rather than keeping that information confidential, the CRA’s SELL, yes, SELL your information essentially to anyone willing to pay for it.  The CRA’s also have started selling to the individual consumers “credit monitoring services.”  It is like paying the cat to watch the bird; and the bird is the consumer.  Some data sold may lack certain things, like Social Security numbers.  But enough data is for sale legally to provide most of what the unscrupulous would need to steal someone’s identity.

Probably all of us receive unsolicited offers in the mail for credit cards, insurance, etc.  Few stop to question why they are receiving these offers “out of the blue.”  A very common reason is that the firm sending that mail has paid one or more of the CRA’s for information to “pre-approve” the consumer for the credit or service.  Such mailings may be just a nuisance; but many employers and potential employers also pay for information about you that can lead to no-hire and firing decisions.  It is up to the consumer to verify as much as possible about what is on their credit reports to avoid potentially bad situations.  The CRA’s, however, while reporting your credit accounts to you may not be telling you all the other information they have on you that they might sell to others, including your employer.

This selling of what, in this person’s opinion, should be private information is legal.  Oversight by the Government is done through the Federal Trade Commission and the Office of the Comptroller of the Currency.  The industry has a strong lobby group called the Consumer Data Industry Association; thus, users of credit are hardly likely to see substantial change for their benefit without a major legislative fight.  While Congress likes to talk about the importance of privacy and consumer protection, through the aforementioned agencies they regulate the dissemination for profit of their constituents’ information.

 

The Equifax Breach

Protecting personal and private information has become a major concern and a major industry.  It is expected of corporations and institutions that collect sensitive data to guard that information securely.  In the past, this might have meant controlling access to a building or room and locking filing cabinets.  Today, most data is collected and stored on computer systems (“cyber systems”).  Protecting these systems (“cyber security”) is now a multibillion dollar industry.  Any company, institution or organization that uses confidential information has an obligation (legal or moral, depending on the industry) to protect that information; CRA’s selling such information notwithstanding.

Cyber security is very complex and difficult to manage.  Manage, not achieve, is the right word here.  The threats and the criminals are constantly changing and developing new strategies “to break into” secure systems.  Not only regular criminals, but even governments are behind significant data breaches.  Some notable breaches have been:  Cardsystems Solutions, Inc in 2005; US Department of Veteran Affairs, UK Revenue and Customs and TJ Maxx in 2006; Stanford University in 2007; the US Military in 2008; US Federal Reserve Bank of Cleveland in 2009; Oregon Dept. of Motor Vehicles in 2010; Apple in 2011 and Yahoo in 2011 – 2012; Ebay, JP Morgan Chase, Target and Home Depot in 2013; Uber and MySpace in 2014; Anthem Health Insurance in 2015; Red Cross Blood Service and Instagram in 2016 – 2017; etc., etc., etc.  (Cf. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ )

So, Equifax is just one of the latest.  It was not the first to lose all three of the most sensitive pieces of information -- name, SS number and birthdate -- all in one breach.  Yet, the scale and the nature of the business make it a very significant breach.  The self-reported number of those affected is about 143 million consumers.  One estimate that this writer has heard is that this number, after taking out of the US population those too young to use credit and those that simply do not, means that about 90% of all users of consumer credit may have been compromised.  Most of us should be expecting our credit card companies to be sending us new cards in the mail with new numbers, unfortunately, as a result of this breach.

 

What to Do?

Cyber security starts at home.  Here are some practical things you can do:

  1. Review all your credit accounts at least monthly for any activity that might not be yours and report it to your lender immediately.
  2. Buy a cross cut shredder and send anything through it that might have confidential information.  This includes those promotional credit offers you receive in the mail.  Often, the return information form has your name, address, other information and an electronic code specific to you.  Simply throwing these things away in the trash could result in someone else opening the offered account in your name.
  3. Do not give out personal information over the telephone to cold callers and people whose identity you do not know.  For example, if your credit card company calls you and asks to verify some charges, tell them you will call them back and hang up.  Then, call the number on the back of your credit card to inquire.  This is not rude; it is wise.  Also, the IRS does not call taxpayers to inquire about taxes or to initiate an audit; if someone calls you unexpectedly claiming to be from the IRS, it is most likely a scam.  The IRS will mail notices to you or send agents to visit you.
  4. Try to minimize the amount of account information sent to you by your lenders by signing up for online statements only.  Statements can be lost in the mail or simply stolen out of your mailbox.  If you are not comfortable with that, store them in a secure place and shred them instead of throwing them in the trash.
  5. Never email information that could be used to steal your identity, such as your SS number, account numbers, tax returns, etc.  Email is not secure and “free” email is not necessarily free.  The privacy policies for usage may allow the provider to scour your email to sell for marketing purposes, or, perhaps, to the CRA’s.  As with all Internet based services, it is highly recommended to read and know the privacy policy before using a service, including social media sites.  Ask yourself, “Am I really comfortable with that?”  Private information is best sent via fax, UPS, FedEx, Certified Mail or hand delivered.  Some services (such as Raymond James’ Vault) offer secure uploading and downloading of confidential information.
  6. Check your credit score regularly.  Some credit card companies now offer this as a monthly service.  Sharp drops in the score may indicate something is wrong and you should check your statements and/or call your lenders immediately.
  7. It is highly recommended that you sign up for at least the basic Lifelock service.  Lifelock is not a CRA, but actively works to protect your privacy (unlike similar services offered by the CRA’s themselves), informs you if credit and other sensitive information is found in criminals’ hands (electronically) and offers to spend up to $1,000,000 helping you resolve issues in case your identity is stolen.  TWPM cannot warrant their services, but it is recommended you investigate their services at:  https://www.lifelock.com/ .
  8. Go to:  https://www.fcc.gov/consumers/guides/stop-unwanted-calls-texts-and-faxes and sign up to limit the amount of unsolicited marketing calls you get.
  9. Go to:  https://www.optoutprescreen.com/?rf=t and opt-out from receiving unsolicited offers from credit card companies and other lenders.  This effectively prevents the CRA’s from selling your information to lenders.  You’ll still be able to apply for loans, but the unsolicited offers should stop.  You have a choice to opt-out for 5 years or permanently.  Permanently is recommended.  The same site gives you the ability to opt-in, should you ever wish to begin receiving such junk mail again and have the CRA’s begin selling your information again.
  10. Keep your computer software up-to-date.  When you are offered an update for programs you know you use or for your Windows or Apple operating system, make sure to install it.
  11. Ensure you are running up-to-date antivirus software on your computers and other devices.
  12. Don’t visit websites about which you are not sure and do not click on links unless you are certain where they are going to take you.  Generally, you should block pop-ups to avoid accidentally clicking on ads, etc.
  13. Try to avoid using the same password and login ID for multiple accounts, especially for sensitive accounts.  Change passwords often; quarterly is usually good.  Don’t use easy to guess passwords like “123itsme,” etc.  Try to make the passwords as complex as you can, including special characters, like:  * , ^, ! , ~, etc.  Avoid the obvious, though, like p@ssw0rd.  Phrases are better than single words and nonsense phrases that include special characters are preferable.  If a service you use, like Yahoo, Facebook, Google, etc., reports a breach, change your password at once.  If your friends report to you that they are getting strange emails from you, you’ve likely been hacked and had your email password compromised; change it immediately.  If you’ve used the same password on any other accounts, make sure to change those, too.
  14. Do not open emails from people you do not recognize and do not click on links or attachments in an email unless you are sure you know the sender and are comfortable.  It is not rude to immediately delete unwanted or unknown emails.
  15. Go to https://www.annualcreditreport.com/index.action and get your free credit report.  You are allowed to do this once a year at no cost and it includes the information and accounts for the three major CRA’s.  Review it thoroughly to make sure you recognize accounts and that the information is accurate.  There are ways to contest and correct inaccuracies if found.
  16. File your tax returns as soon as possible.  If you are due a refund, the longer you wait, the longer criminals have to try to get your refund before you do.  TWPM generally recommends to clients to attempt to manage their income tax withholdings so as to owe at least a little each year, within legal limits, to avoid this and other potential issues with refunds.
  17. Before using ATM’s, pay-at-the-pump and other card readers, pull firmly on the sliding slot to ensure it is secure before using.  Some criminals place their own card readers over the legitimate slider.  Also, check for small cameras that might be observing your PIN inputs.  (Cf. https://www.youtube.com/watch?v=ghqbXhxFGp8 ).
  18. Open new accounts only when really necessary.  The fewer accounts you have, the easier it is to keep track of the activity.  Old, inactive accounts you may wish to close, but that could negatively affect your credit score, since part of your score is determined by account age.  If you leave old cards and accounts open, make sure to check them at least monthly for illicit activity.
  19. For TWPM clients, if you notice any breaches, or are informed of any, please contact us immediately.  While it is highly unlikely any such breach could affect your accounts with Raymond James, there are extra security measures we can implement.

It is a dangerous informational world.  There is no way for an individual, company or even government to ensure there will never be a breach.  Much of it is out of our hands as individuals if we participate in the modern world.  But we should do what we can to protect ourselves.  Hopefully, this article will give you some helpful information.