September 20, 2017

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

equihaxIn my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis GroupSaint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service‘s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

ANALYSIS

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.

EQUIPHISH

On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one-year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.

equiphish

FREEZING UP

Under intense public pressure from federal lawmakers and regulators, Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file (for more on what a security freeze entails and why you and your family should be freezing their files, please see The Equifax Breach: What You Should Know).

Unfortunately, the free freeze offer from Equifax doesn’t mean much if consumers can’t actually request one via the company’s freeze page; I have lost count of how many comments have been left here by readers over the past week complaining of being unable to load the site, let alone successfully obtain a freeze. Instead, consumers have been told to submit the requests and freeze fees in writing and to include copies of identity documents to validate the requests.

Sen. Elizabeth Warren (D-Mass) recently introduced a measure that would force the bureaus to eliminate the freeze fees and to streamline the entire process. To my mind, that bill could not get passed soon enough.

Understand that each credit bureau has a legal right to charge up to $20 in some states to freeze a credit file, and in many states they are allowed to charge additional fees if consumers later wish to lift or temporarily thaw a freeze. This is especially rich given that credit bureaus earn roughly $1 every time a potential creditor (or identity thief) inquires about your creditworthiness, according to Avivah Litan, a fraud analyst with Gartner Inc.

In light of this, it’s difficult to view these freeze fees as anything other than a bid to discourage consumers from filing them.

The Web sites where consumers can go to file freezes at the other major bureaus — including TransUnion and Experian — have hardly fared any better since Equifax announced the breach on Sept. 7. Currently, if you attempt to freeze your credit file at TransUnion, the company’s site is relentless in trying to steer you away from a freeze and toward the company’s free “credit lock” service.

That service, called TrueIdentity, claims to allow consumers to lock or unlock their credit files for free as often as they like with the touch of a button. But readers who take the bait probably won’t notice or read the terms of service for TrueIdentity, which has the consumer agree to a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.

The agreement also states TransUnion may share the data with other companies:

“If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about products and services provided by TransUnion Interactive and its marketing partners, or if you opted for the free membership option, your name and email address may be shared with a third party in order to present these offers to you. These entities are only allowed to use shared information for the intended purpose only and will be monitored in accordance with our security and confidentiality policies. In the event you indicate that you want to receive offers from TransUnion Interactive and its marketing partners, your information may be used to serve relevant ads to you when you visit the site and to send you targeted offers.  For the avoidance of doubt, you understand that in order to receive the free membership, you must agree to receive targeted offers.

TransUnion then encourages consumers who are persuaded to use the “free” service to subscribe to “premium” services for a monthly fee with a perpetual auto-renewal.

In short, TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files, and these dubious services allow the credit bureaus to keep selling your credit history to lenders (or identity thieves) as they see fit.

As I wrote in a Sept. 11 Q&A about the Equifax breach, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to divert people away from freezes. Their motives for saddling consumers with even more confusing terminology are suspect, and I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Experian’s freeze Web site has performed little better since Sept. 7. Several readers pinged KrebsOnSecurity via email and Twitter to complain that while Experian’s freeze site repeatedly returned error messages stating that the freeze did not go through, these readers’ credit cards were nonetheless charged $15 freeze fees multiple times.

If the above facts are not enough to make your blood boil, consider that Equifax and other bureaus have been lobbying lawmakers in Congress to pass legislation that would dramatically limit the ability of consumers to sue credit bureaus for sloppy security, and cap damages in related class action lawsuits to $500,000.

If ever there was an industry that deserved obsolescence or at least more regulation, it is the credit bureaus. If either of those outcomes are to become reality, it is going to take much more attentive and relentless coverage on the part of the world’s top news publications. That’s because there’s a lot at stake here for an industry that lobbies heavily (and successfully) against any new laws that may restrict their businesses.

Here’s hoping the media can get up to speed quickly on this vitally important topic, and help lead the debate over legal and regulatory changes that are sorely needed.


123 thoughts on “Equifax Breach: Setting the Record Straight

  1. Bertil Axelsson

    Thanks for doing a great job in clarifying and exposing how credit bureaus are getting away not guarding our information better….

  2. Joaquin Tall

    Brian,

    Thanks to your September 7th story, everyone here has now frozen their credit. We probably won’t be buying a new car or a home ever again.

    Yet, the very idea of some unscrupulous person or persons using our hard earned credit rating, and more, to benefit themselves became an anathema to us all.

    We’ve noticed that most of the Equifax breech articles mention only three agencies. There are FOUR…Experian, Equifax, Trans Union and Innovis.

  3. eok

    Brian, thanks for this. I *almost* fell for “credit lock” feature the credit bureaus are offering. Then I read the fine print.

    I personally categorize the bureaus line of business as predatory. I just can’t see any other way to view how they take UNFAIR advantage of consumers, profiting by using/abusing/mangling critical sensitive personal information.

    And then on top of that: the bureaus have complete control of consumer credit ratings. It’s just insane and ugly.

  4. Gerry

    Great article again Brian, my question; do you have any updated info on how to go about a freeze with the credit agencies in an easy manner without getting sucked into the credit lock scuffle or the typical bait-and-switch ?

    1. Matt

      It’s really not hard. Do a Google search for the credit bureau and “freeze” ( i.e. “transunion freeze”). Click the appropriate link from the results; it will be the first or second link. READ the words on the page. Yes, all of them. While it’s obvious that they would prefer the consumer to pay for their service, it’s also pretty obvious how to do the freeze. They don’t mince words IMHO. Look for the word “freeze”.

  5. Columbus_viaLA

    Thanks for the tip on Experian repeatedly charging applicants for online freezes that “did not go through.” I tried twice online, entering my card # each time, then got the error message. Same thing for my wife. We both then applied via snail mail.

    I will now check my credit card on its own site for bogus Experian charges.

    There is only one word for all of these bureaus: Predators.

  6. Robert.Walter

    Brian,

    thanks again for another great article. On the basis of what I have learned from you, we have done our best to crook-proof our accounts and info.

    Experian is advertising “experian (dot) com/scan” for “dark web searches”(!). I tried it, and it comes up with a list of sites (sent to your email address) that purportedly have your email address and password. It does not, however, tell you the site, or the password. It is rather useless, and is more or less a vehicle where they try to upsell you into buying additional coverage (SSN, etc).

    I would recommend against the experian scan scam.

    Regards.

    1. MM

      If you want to check if your email, usernames or passwords have every been part of a breach and are out there exposed, just use Troy Hunt’s page

      https://haveibeenpwned.com/

      It’s free and it will you the site where your information was exposed

  7. A Reader

    Thanks for publishing these great stories and educating me on the tactics of the ne’er-do-well’s. I followed your advice and in 2015 froze credit info at all 4 agencies. That advice is now paying off for me since I don’t need to put up with the slammed websites of these agencies.

    Still have never seen anything to indicate if frozen data was breached but I guess it most likely was breached.

  8. Hikin' Mike

    Brian — much thanks for the rock-solid coverage of this fiasco. Within 2 hours of this story breaking on Sept. 7, I had our freeze in place for each of the 4 credit bureaus (I finally took your advice!). But we didn’t use the agencies’ websites, as I deemed them all to be (potentially) insecure. Rather, I scoured their web sites for the 800 numbers to place a credit freeze. No surprise, these 800 numbers weren’t always easy to find, and each agency has several 800 numbers on their site. It took a good 20 minutes just to find the phone numbers and quickly test each number to see if I could in fact place a freeze using that particular 800 number. I also wanted a number that would allow me to use the touchpad on my phone to navigate an agency’s automated phone system, i.e., do it as quickly and securely as possible without ever speaking to a rep who would just want to sell me their “services.” Once I had a valid 800 number for each agency’s automated sytem, via our landline I placed 8 calls total (4 each for my wife & me), which took 35 minutes total. Within roughly 10 calendar days (about 7 business days) we received our freeze confirmation letters via U.S. mail from 3 of the 4 agencies — Equifax, of course, being the only letter we’ve yet to recive.

    I have yet to see any mention anywhere of the idea of avoiding the credit agencies’ web sites and try using the 800 numbers for a quicker, more secure approach to this mess. I figure at this point it very well could take longer to process the freeze and send out letters via mail, due to the massive volume of requests. But as of Thursday Sept. 21, 2:15am E.T., I was able to quickly get through on the following 800 numbers and navigate the automated system to the point where I would enter my S.S. number to set up a freeze.

    **READERS: PLEASE, PLEASE, take the time to go to each agency’s web site and confirm that these are the valid 800 numbers — do NOT trust some random commenter (me). Confirm these numbers as valid, then it seems you’ll be able to proceed quickly and efficiently. The 4 agencies’ 800 number for placing a freeze:
    (Brian – to eliminate any possible appearance of me being a fraudster, can you confirm these as valid numbers for your readers?)

    Innovis 800-540-2505
    Experian 888-397-3742
    TransUnion 888-909-8872
    Equifax 866-349-5191

    Notes for each freeze request:
    –Innovis will give you a confirmation number, but will mail you your PIN.
    –Experian will NOT give a confirmation number, but will mail you your PIN.
    –TransUnion asks you to create a 6-digit PIN and enter it, and they will mail you a confirmation letter.
    –Equifax…. uhhh yeah, Equifax — be PREPARED to write quickly, as Equifax’s automated system will QUICKLY give you a 10-digit PIN. Then it will QUICKLY give you a 10-digit confirmation number. Supposedly they will mail you a confirmation letter, but after 13 calendar days we haven’t received one. Listen very closely as you go — after being given your 10-digit PIN and your 10-digit confirmation number, the Equifax system allows you to choose from a number of different options, and near the end of that list of options, you can PRESS STAR TO REPEAT YOUR PIN AND CONFIRMATION NUMBER (this is hypercritical, as I doubt I will see a confirmation letter containing my PIN, from Equifax, in the US mail).

    1. Hikin' Mike

      To verify the above Transunion 800 number:
      on the Transunion home page, scroll to the bottom & click “Contact Us”. Half way down that page you’ll see “Place a Freeze on my TransUnion credit report Phone: 888-909-8872”

    2. Hikin' Mike

      To verify the above Innovis 800 number:
      Google “Innovis”.
      The first search result is
      innovis.com/personal/securityFreeze.
      In 2 places on that page you’ll see
      Phone: 1-800-540-2505.

    3. Hikin' Mike

      To confirm the Experian 800 number above:
      (this one is buried on their site)
      –on the Experian home page, at the top, click on “Credit Report Assistance”
      –on that page click “Contact Us”
      –click “Fraud and identity theft”
      –you’ll see “Call us at 888-397-3742”

    4. Hikin' Mike

      To verify the above Equifax 800 number:
      (this one is a bit convoluted – they make it seem like the only way to place a freeze is online, but it can be done via their 800 number)
      –in the upper right part of the Equifax home page, click on “Support”
      –the second sub-heading on that page is “Dispute information in my credit report.” Under this you’ll see “Phone
      866 349-5191”.
      ***When you call, press 3 for a “Security Freeze”
      ***The Equifax system QUICKLY spits out your PIN and confrmation number, so be ready to QUICKLY write them down; afterwards you can PRESS STAR TO REPEAT YOUR PIN AND CONFIRMATION NUMBER
      (see my original comment above)

      NOTE:
      –Again, all of these 800 numbers are for the companies’ automated phone systems; you *never* speak to a customer service rep, you *never* wait on hold. You only use your phone’s keypad, with the exception of one of them that asks you to speak the state you’re calling from
      –Repeatedly over the past 6 hrs. I have called each of these 4 numbers at least twice and have been able to get through *immediately*. And I’ve been able to quickly navigate the menus to get to where I’m prompted for my information
      –See my original comment above for additional notes on what to expect when calling each agency. Once you have the 800 numbers and you know what to expect, the whole process is rather easy
      –Lastly, share this info with anyone who will listen. My 80 yr. old parents/uncles/neighbors have a much easier time of it when someone walks them through it!

    5. Harry Pelles

      Thank you, Hikin’ Mike, for posting your experience and advice/notes for others who want to follow your route. It’s encouraging to see how often this community reaches out to help each other and share experiences.

    6. Hikin' Mike

      SPECIFIC PHONE MENU OPTIONS TO SELECT:

      Innovis 800-540-2505
      –Press 1 for English
      –Press 3 “to place or manage an active duty alert
      or a SECURITY FREEZE”
      –Press 2 “to place or manage a SECURITY
      FREEZE”
      –enter your info when prompted

      Experian 888-397-3742
      –Press 2 “To learn about fraud or ADD A
      SECURITY FREEZE”
      –Press 2 “for security freeze options”
      –Press 1 “to place a security freeze”
      –Press 2 “…for all others”
      –enter your info when prompted

      Transunion: 888-909-8872 choose option 3, you’ll be prompted to enter your SS #

      Equifax: 866-349-5191 choose option 3 for a “Security Freeze”

    7. JCitizen

      I checked my site adviser for those number and they all seemed legit, although Equifax has had to hire case load workers to handle the call volume and they also list a new number there.

      With thousands of phishing sites going up each day, it pays to be careful what links and site suggestions one follows. Especially now that the crooks know folks will be searching the web for help, and may type the wrong information in the search bar and land right on one of those illegal sites! :O

    8. Gloria

      Unfortunately I froze all 4 of mine online before I read this. The next day I started getting phishing emails. What’s the best way to verify that the freezes actually went through? I pulled my 3 credit reports a couple days before I froze them and they were good. Thx in advance.

      1. JCitizen

        You could try calling one of the numbers Mike listed, as they check as legitimate to my best knowledge. Maybe one of them could follow up to establish your attempt to get a freeze. I’d save Equifax for last, as they are being pounded with requests about now.

  9. Hikin' Mike

    One more note: each agency’s 800 number automated system will try to push you to the company’s website. IGNORE IT! Some even make it sound as if you must go to their website to set up a credit freeze. But be patient, and you will soon hear an option to set up a credit freeze. As Brian pointed out, don’t fall for their “credit lock” trick; be sure you hear the word “FREEZE”, as in “credit freeze”, or “security freeze” (or, I think one agency’s automated system said “To place a freeze on your credit report/on your account” or something similar, but they did use the word “freeze”).

    1. Emel

      Thanks for your detailed and helpful post, Mike. And of course thanks to Brian for his hard work and great blog.

    2. Sarah

      A TON of good work there, Hikin’ Mike! Thanks!!

      Question: Is the SSN the only information to be supplied, or do they rely upon the Knowledge Based Answers that one uses when obtaining the free credit report? I’m going to be going through this huge mess with my parents, both in their late 80s, and I am currently 1000 miles away. I need to make sure they retain copies and records of all transactions they initiate, and have all their info at hand before we enter into the fray.

      Thanks again!

      1. Hikin' Mike

        Sarah — my folks are 2000 miles away, so I hear ya!

        Not much knowledge-based info is needed, one only needs one’s SS# and zip code. There are NO security questions, etc. to answer. Once you start the process and have all the 800 numbers in front of you & know what to expect, I’m sure you’ll be *stunned* how *easy* it is to place a freeze.

        Just have pen & paper ready, and, as I pointed out, be ready to write quick as the Equifax sytem throws your PIN & confirmation number at you very quickly — after which you can PRESS STAR TO REPEAT YOUR PIN AND CONFIRMATION NUMBER

      2. Hikin' Mike

        …a parent/executor/care-giver could easily place the freeze from far away. Just make sure someone is near your folks to ensure that they get the confirmation letters in the mail. Again, for Innovis & Experian, the confirmation letter is the ONLY way to receive one’s PIN.

        I have my folks photocopying their enitre confirmation letter/information packet and keeping an extra copy at my sister’s house (she’s nearby) and another extra copy in their safe-deposit box. Depending on your folks’ medical conditions etc., it may be advantageous to NOT keep a copy in their house so that they don’t mistakenly thaw or remove a freeze without your knowledge.

    3. David_

      Huge thank you Mike for such valuable and lengthy comments!!, just haven’t had the stomach for it til seeing all you’ve posted just now.

  10. TaffyOutlaneUK

    Thankfully I use a different credit monitoring site so thought I was safe. But now, there are reports that UK Price Comparison websites use Equifax – eg if you ask for a price comparison for car insurance, they will get a credit rating on you so that if you switch to a new car insurer via them (they get commission I presume) the new insurer will already know what your credit rating is. So my question Mr Krebs is ‘might Equifax INDIRECT customers (i.e. the consumer) be at risk if a Price Comparison website uses Equifax?’ Thanks, and again well done.

    1. Ollie Jones

      We, householders, car-drivers, credit-card-users are NOT the customers of the credit bureaus. Not even indirectly. We are their PRODUCT.

      1. nulldev

        Actually no we are not their product; we are an asset! Products are something you make. Assets are something of value you possess or control (and not necessarily even legally at that).

  11. Clyde Tolson

    I don’t understand how anyone wouldn’t have immediately frozen their credit after your stellar reporting on the the Hieu Minh Ngo arrest by the fbi. How did experian skate on that one? Didn’t they link that compromise directly to the bad guys website that sold data to other bad guys? I hope the fbi has more magic up their sleeve with this one too.

  12. P-C - A Reader

    So with this being said, Bruce what do you recommend we do?

    Do we place a fraud alert on all of our credit bureau records or do we place a freeze on them?

    Do you know if the breached bureau will be contacting people and when that will happen?

    I am monitoring my financial records daily-very closely/and signed up for Alerts of every type to be sent to me. I also have one of the 3 credit bureau reports already, plus I have ID Theft and Credit Card Monitoring already. I also have the H&R Block tax protection for tax records/SSN issue. I have Mailwasher (by Fire Trust) for my email account plus I do not open email from questionable sources/people/etc.

    I plan on ordering a credit report (one each quarter/from each bureau one at a time) to see a quarterly “picture” of anything “fishy” going on! We can obtain one from each bureau free each year through the freecreditreport people/site.

    What else should we do?

    1. JCitizen

      Bruce? Don’t you mean Brian?
      A fraud alert is better than monitoring, but only lasts – what – 60 to 90 days? A freexe is best, but I’m sure not paying for it – so I can’t tell you how to avoid those charges. I place a fraud alert on mine for free, because of another breach in the news. At least I know they are for free.

      Monitoring is almost worthless, as there are many ID theft activities that never show up there in time , if ever.

    2. David_

      FYI , Brian addressed your Q in this article: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

      Excerpt : ”Q: Why would I pay for a security freeze when a fraud alert is free?
      A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this

  13. Jan

    Thanks Brian. This article echos my own frustration with Equifax. After the September breach I could place a credit freeze for my data on the other 3 major credit bureaus, through their web sites. With Equifax I got the errors you mentioned – it reported some problems and required a mail in ID verification.

  14. Steve

    It seems with this breach that issues related to Social Security and Medicare manipulation and abuse have gotten a lot of attention Mass Media Monotony.
    I was wondering what your perception was of the dangers are in this area not from a theoretical point of view but from the perspective of someone who has an insight into how the hackers/criminals prioritize this an opportunity.
    I was also wondering why with their $11Billion budget the NSA knows nothing and has done nothing as usual, given their supposed global all encompassing reach.

  15. Josh

    When I try to contact the number Transunion provides for a credit freeze (I moved recently and apparently that makes me unable to verify myself via the website), I get a busy signal. I have now been trying to contact them for a week.

    Any backup ideas for how to get a freeze if neither the website or the phone number work?

    1. Hikin' Mike

      Josh – are you trying 888-909-8872 ? I just called it & was able to get through immediately (see my lengthy comment above), and then I chose option 3 and was prompted to enter my SS #

      I obtained that number from the Transunion web site;
      on the home page, scroll to the bottom & click “Contact Us”. Half way down that page you’ll see “Place a Freeze on my TransUnion credit report Phone: 888-909-8872”

      1. Josh

        Mike, that’s the number I’ve been calling… I’ll try option 3.

  16. Bill

    This situation gives me the mental image of a bunch of fat old bankers sitting around over cocktails joking about new ways to screw their customers.

    Keep the pressure on, Brian. I’m not a fan of more legislation but if the industry can’t clean up their own dirty pants then forced action will be needed.

  17. rayy

    Maybe they should be banned from using anyone’s social security numbers in the first place.

    1. Winston

      There’s an ad running quite often on TV now (it must be or I wouldn’t keep accidentally hitting it as I scan by commercials on my DVR) from Medicare bragging about how they’re not including your social security number on their ID card any more to protect your personal information.

      What a laugh!

  18. Robert.Walter

    Experian is trying to make hay out of the Equifax breach. They are offering a free deep web scan. My scan returned 4 results each saying my email had been found but would not disclose either the site or password, so there was nothing actionable. Then they offered a subscription for other info found like ssn. I found the scan to be a useless sales lead in and a back door opt in to receive Experian’s marketing emails.

  19. A. Schneider

    I’ve used Transunion fraud alerts for four years (renewing every 90 days) and froze my account for 2 years – unfroze it for $0 for 2 weeks – froze it again with no problems. Then again; this was before Equifax hit the fan. (Currently have active fraud alert and a freeze)

  20. Chris

    I was fooled by the transunion credit lock thing – thank you for clarifying. My bad for not carefully reading the endless EULA (and I had been working through all four freezes, so I think it was freeze-fatigue!)
    For transunion – go to https://freeze.transunion.com – you have to create an account, which sucks, but it does eventually get you to a credit freeze section and will email you a receipt.

    1. Chris

      nope – my bad. I initially got a problem with my first attempt – the site gave me a number to call, and they gave me the correct number. Was doing this for my spouse, got an error (the web site is terrible but I didn’t want to talk to anyone anymore) which requires me to call. ugh. You just need to call.

  21. Rick Coke

    Thanks Brian, great information as always. Maybe I missed it, but thoughts on Innovis. Seems like security freeze on #4 should be done.

  22. Barbara Duck

    Thanks for the update that covers all that has occurred. I agree we need to regulate this industry as actually the entire personal data selling world should be regulated. I have been saying since 2010 that step one is to “identify” all of them. Yes we know the big guys but for every one of those there’s thousands that you never heard of that skirt regulations with just a simple description of what we do and how they interpret “what they do”. Ever hear of Argus Analytics? There’s a good example, they are buying and analyzing credit card data, even the CFPB is a client. Wrote about them 3 years ago and there’s more where they came from.

    http://ducknetweb.blogspot.com/2014/08/argus-analytics-produces-share-of.html

    I keep telling all we need to first of all identify who all the players are with requiring a license, and that creating another layer of software to monitor what they are doing is pretty much futile, we’ve had tons of those apps out there that have died.

    It’s a “One Trick Algo” world out there everywhere you turn. We’ll never get anywhere without step one as if you don’t identify all the players, you can’t regulate the personal data algo games. The flawed data is rising quickly and so much is used out of context as well.

    http://ducknetweb.blogspot.com/2017/04/one-trick-algo-world-needs-to-be.html

  23. 3rdandmain

    It is absolutely outrageous what these companies are getting away with. thank you Brian for putting all this information together into such a clear picture. your articles are highly educational… will be sharing this with several people.

  24. Donald

    Can you do a deep dive on Innovis? From what I have seen they are not a true credit reporting agency like the other 3.

  25. Donald

    Brian, can you do a deep dive on Innovis? From what I have seen I am not convinced it is a true credit reporting agency like the other 3.

  26. CJ

    Be careful about free freezes.

    A modest $10 fee will keep most punks from freezing other peoples accounts for fun and pranks. And maybe even real criminals from other more criminal mischief.

  27. DavidD

    Unfortunately, Senator Warren’s bill has little chance of passage in the Republican dominated Senate. Eliminate freeze fees! How does that benefit a key Republican Party constituency – the credit reporting agencies?

    BTW – One of the efforts to limit the ability of consumers to sue these agencies by capping damage awards was being led by Republican Representative Barry Loudermilk of Georgia with his “FCRA Liability Harmonization Act”.

    http://www.latimes.com/business/lazarus/la-fi-lazarus-republican-credit-agency-bills-20170919-story.html

    1. JCitizen

      I’m thinking of calling the CFPB. The director over there is a good junk yard guard dog for the consumers financial rights.

  28. Tony

    I think Equifax should have to pay the project cost for the IRS to issue new social security numbers for those affected

Comments are closed.