September 29, 2017

Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.

capitol

Before we delve into the questions, a bit of background is probably in order. The new interim CEO of Equifax — Paulino do Rego Barros Jr. — took to The Wall Street Journal and other media outlets this week to publish a mea culpa on all the ways Equifax failed in responding to this breach (the title of the op-ed in The Journal was literally “I’m sorry”).

“We were hacked,” Barros wrote. “That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both.”

Barros stated that Equifax was working to roll out a new system by Jan. 31, 2018 that would let consumers “easily lock and unlock access to their Equifax credit files.”

“You will be able to do this at will,” he continued. “It will be reliable, safe, and simple. Most significantly, the service will be offered free, for life.”

I have argued for years that all of the data points needed for identity thieves to open new lines of credit in your name and otherwise ruin your credit score are available for sale in the cybercrime underground. To be certain, the Equifax breach holds the prospect that ID thieves could update all that stolen data with newer records. I’ve argued that the only sane response to this sorry state of affairs is for consumers to freeze their files at the bureaus, which blocks potential creditors — and ID thieves — from trashing your credit file and credit score.

Equifax is not the only bureau promoting one of these lock services. Since Equifax announced its breach on Sept. 7, big-three credit bureaus Trans Union and Experian have worked feverishly to steer consumers seeking freezes toward these locks instead, arguing that they are easier to use and allow consumers to lock and unlock their credit files with little more than the press of a button on a mobile phone app. Oh, and the locks are free, whereas the bureaus can (and do) charge consumers for placing and/or thawing a freeze (the laws freeze fee laws differ from state to state).

CREDIT FREEZE VS. CREDIT LOCK

My first group of questions would center around security freezes or credit freezes, and the difference between those and these credit lock services being pushed hard by the bureaus.

Currently, even consumer watchdog groups say they are uncertain about the difference between a freeze and a lock. See this press release from Thursday by U.S. PIRG, the federation of state Public Interest Research Groups, for one such example.

Also, I’m curious to know what percentage of Americans had a freeze prior to the breach, and how many froze their credit files (or attempted to do so) after Equifax announced the breach. The answers to these questions may help explain why the bureaus are now massively pushing their new credit lock offerings (i.e., perhaps they’re worried about the revenue hit they’ll take should a significant percentage of Americans decide to freeze their credit files).

I suspect the pre-breach number is less than one percent. I base this guess loosely on some data I received from the head of security at Dropbox, who told KrebsOnSecurity last year that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. This extra security step can block thieves from accessing your account even if they steal your password, but many consumers simply don’t take advantage of such offerings because either they don’t know about them or they find them inconvenient.

Bear in mind that while most two-factor offerings are free, most freezes involve fees, so I’d expect the number of pre-breach freezers to be a fraction of one percent. However, if only one half of one percent of Americans chose to freeze their credit files before Equifax announced its breach — and if the total number of Americans requesting a freeze post-breach rose to, say, one percent — that would still be a huge jump (and potentially a painful financial hit to Equifax and the other bureaus).

creditfreeze

So without further ado, here are some questions I’d ask on the topic of credit locks and freezes:

-Approximately how many credit files on Americans does Equifax currently maintain?

-Prior to the Equifax breach, approximately how many Americans had chosen to freeze their credit files at Equifax?

-Approximately how many total Americans today have requested a freeze from Equifax? This should include the company’s best estimate on the number of people who have requested a freeze but — because of the many failings of Equifax’s public response cited by Barros — were unable to do so via phone or the Internet.

-Approximately how much does Equifax charge each time the company sells a credit check (i.e., a bank or other potential creditor performs a “pull” on a consumer credit file)?

-On average, how many times per year does Equifax sell access to consumer’s credit file to a potential creditor?

-Mr. Barros said Equifax will extend its offer of free credit freezes until the end of January 2018. Why not make them free indefinitely, just as the company says it plans to do with its credit lock service?

-In what way does a consumer placing a freeze on their credit file limit Equifax’s ability to do business?

-In what way does a consumer placing a lock on their credit file limit Equifax’s ability to do business?

-If a lock accomplishes the same as a freeze, why create more terminology that only confuses consumers?

-By agreeing to use Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners?

BREACH RESPONSE

Equifax could hardly have bungled their breach response more if they tried. It is said that one should never attribute to malice what can more easily be explained by incompetence, but Equifax surely should have known that how they handled their public response would be paramount to their ability to quickly put this incident behind them and get back to business as usual.

dumpsterfire

Equifax has come under heavy criticism for waiting too long to disclose this breach. It has said that the company became aware of the intrusion on July 29, and yet it did not publicly disclose the breach until Sept. 7.However, when Equifax did disclose, it seemed like everything about the response was rushed and ill-conceived.

One theory that I simply cannot get out of my head is that perhaps Equifax rushed preparations for is breach disclosure and response because it was given a deadline by extortionists who were threatening to disclose the breach on their own if the company did not comply with some kind of demand.

-I’d ask a question of mine that Equifax refused to answer shortly after the breach: Whether the company was the target of extortionists over this data breach *before* the breach was officially announced on Sept. 7.

-Equifax said the attackers abused a vulnerability in Apache Struts to break in to the company’s Web applications. That Struts flaw was patched by the Apache Foundation on March 8, 2017, but Equifax waited until after July 30, 2017 — after it learned of the breach — to patch the vulnerability. Why did Equifax decide to wait four and a half months to apply this critical update?

-How did Equifax become aware of this breach? Was it from an external source, such as law enforcement?

-Assuming Equifax learned about this breach from law enforcement agencies, what did those agencies say regarding how they learned about the breach?

FRAUD AND ABUSE

Multiple news organizations have reported that companies which track crimes related to identity theft — such as account takeovers, new account fraud, and e-commerce fraud — saw huge upticks in all of these areas corresponding to two periods that are central to Equifax’s breach timeline; the first in mid-May, when Equifax said the intruders began abusing their access to the company, and the second late July/early August, when Equifax said it learned about the breach.

This chart shows spikes in various forms of identity abuse — including account takeovers and new account fraud — as tracked by ThreatMetrix, a San Jose, Calif. firm that helps businesses prevent fraud.

-Has Equifax performed any analysis on consumer credit reports to determine if there has been any pattern of consumer harm as a result of this breach?

-Assuming the answer to the previous question is yes, did the company see any spikes in applications for new lines of consumer credit corresponding to these two time periods in 2017?

Many fraud experts report that a fast-growing area of identity theft involves so-called “synthetic ID theft,” in which fraudsters take data points from multiple established consumer identities and merge them together to form a new identity. This type of fraud often takes years to result in negative consequences for consumers, and very often the debt collection agencies will go after whoever legitimately owns the Social Security number used by that identity, regardless of who owns the other data points.

-Is Equifax aware of a noticeable increase in synthetic identity theft in recent months or years?

-What steps, if any, does Equifax take to ensure that multiple credit files are not using the same Social Security number?

-Prior to its breach disclosure, Equifax spent more than a half million dollars in the first half of 2017 lobbying Congress to pass legislation that would limit the legal liability of credit bureaus in connection with data security lapses. Do you still believe such legislation is necessary? Why or why not?

What questions did I leave out, Dear Readers? Or is there a way to make a question above more succinct? Sound off in the comments below, and I may just add yours to the list!

In the meantime, here are the committees at which Former Equifax CEO Richard Smith will be testifying next week on Capitol Hill. Some of these committees will no doubt be live-streaming the hearings. Check back at the links below on the morning-of for more information on that. Also, C-SPAN almost certainly will be streaming some of these as well:

-Tuesday, Oct. 3, 10:00 a.m., House Energy and Commerce Committee. Rayburn House Office Bldg. Room 2123.

-Wednesday, Oct. 4, 10:00 a.m., Senate Committee on Banking, Housing, & Urban Affairs. Dirksen Senate Office Bldg., Room 538.

-Wednesday, Oct. 4, 2:30 p.m., Senate Judiciary Subcommittee on Privacy, Technology and the Law. Dirksen Senate Office Bldg., Room 226.

-Thursday, Oct. 5, 9:15 a.m., House Financial Services Committee. Rayburn House Office Bldg., Room 2128.


178 thoughts on “Here’s What to Ask the Former Equifax CEO

  1. rgBoulder

    Based largely on your urging that we lock our credit reports I did this with all 3 bureaus in 2015.

    But there doesn’t seem to be a way to confirm that the freeze continues to be active. The only way that I’ve found to confirm this is to attempt to place a freeze and allow the system to inform me that a freeze is already in place. It’s the same with each bureau.

    And now, upon logging into Experian’s site I’m informed that my credit report is unlocked, with no mention of the freeze. I called them to confirm that the freeze is indeed active, but what am I supposed to believe? What does it all mean except that once again they’re only concerned with their own best interests.

    1. Henry Winokur

      The only way to find out if your freeze is still active is to apply for credit. If your account is frozen, it will be turned down. Our recent experience has been that you will get a letter that tells you which Bureau turned the request down.

  2. Greg Irvin

    not gospel, but I did read this:

    Perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, according to Christina Tetreault, a staff attorney on the financial services team at Consumers Union, the policy and mobilization arm of Consumer Reports.

    In contrast, a credit lock is simply an agreement between you and the credit monitoring company.

    “Having a contractual agreement is not as strong as having protections under law,” Tetreault says. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement,” she says.

  3. Scott

    – Does Equifax have an internal estimate for the cost of one case of identity theft, or does Equifax acknowledge/endorse any specific external estimate of this cost?

    – If victims of this breach suffer from identity theft in the future, will Equifax provide financial compensation to those victims?

    – Will rights to that compensation, if any, be waived or otherwise affected by a victim’s use of Equifax services in the aftermath of the breach?

    I know the answers to these questions, but it’s the type of information that we should be forcing these people to acknowledge in public. They clearly consider all of us nothing more than data points to be collected as cheaply as possible, then packaged and sold as often as possible.

  4. Another Bank Employee

    How are the bureaus going to loose money if a consumer places a freeze on file? Our FI is charged for requesting a credit report regardless if it’s frozen or not – so we risk being dinged TWICE (or more) for every frozen report if the consumer doesn’t unfreeze it beforehand.

    There is a [disturbing] workaround: the bureau we primarily use will provide a frozen credit report at no [additional] cost if we forward the customer’s unfreeze PIN to the bureau within 24 hours of requesting a report that comes back frozen. So much for security.

  5. Steve

    Thinking out loud on this — I understand the convenience of a credit record from a lender perspective, but what if credit agencies were done away with altogether? I think another approach is where credit lenders are responsible for their own due-diligence. Perhaps creditors could provide a customer with direct affirmation that may help the customer to show credit worthiness to others; if this information was standardized, that would be helpful. I also wonder if credit worthiness is something best kept sort of like a general ledger or blockchain…. Thoughts?

    1. Another Bank Employee

      Time is money – buying a report is a lot less ‘costly’ for an FI than more paperwork or training customers [to fill out more paperwork].

      Blockchain…very neat idea. Legal ramifications – how would you hide [negative] history that legally can’t be used outside of a certain time period? Missed payments, bankruptcies, etc.?

  6. Steve

    Good fun with Equifax. I did the TrustedIDPremier last week. The Activation email arrived. Went to the link provided and voila a Tomcat 405 error POST not supported appears.
    Called the number for question, got through and provided all my information.
    What do you know, I’m not in the system. Then he indicated the system is rebooting, is really slow, try again in two hours, call us back, blah, blah, blah.

    This is really scary!

  7. Steve R

    The bureaus want you to do a credit lock because it will drive you to their paid site. Whereas when you do a file freeze they can’t market to you, when you do a credit lock they can. Its as simple as that. The credit lock is an opportunity to drive consumers to the bureaus revenue generating sites.

    1. Craig

      I don’t think offering a “lock” is a way of generating a new revenue stream by driving you to their sites. Its really a last ditch attempt to method of maintaining revenue.
      – We are the product.
      – Our Lives generate the information the credit bureaus sell and trade

      What is the financial impact if all 145Million people put a freeze on their accounts that prevents the bureaus from monetize that information? Even at $0.01 a person it would be a huge loss.

      A Freeze is a legal thing. It keeps them from selling and trading in your information. They still collect it and maintain it but it makes it virtually impossible for them to monetize the information.

      If you look at the terms and conditions on the “locks” that all the bureaus are peddling you can see there are an attempt to maintain their business model, nothing more.

      For example If you look at the “lock” service that Experian offers you can see that are quite a few exceptions when it comes to who can see your data:

      “When locked, your Experian Credit Report is accessible to:
      – You,
      – Potential employers or insurance companies during the application process
      – Companies that have an existing credit relationship with you
      – Collection agencies acting on behalf of companies you may owe
      – Government agencies in connection to a Child Support claim
      – Personalized offers from Experian, such as credit card offers, if you choose to receive them
      – Companies providing pre-screened credit card offers”

      They have built in exception’s that are primarily there to allow them to still monetize your information. For example the last one. If I have my credit locked, the last thing I want it to see people sending out preapproved credit offers. As it Kind of negates the point of a lock.

      The industries new campaign of discouraging a Credit Freeze and encouraging a “lock” instead, is nothing more than an attempt to salvaging their horribly broken business model.

      1. Another Bank Employee

        Craig – how is it that people believe credit reporting bureaus will loose credit report revenue if reports are frozen? It costs money to pull a report whether it’s frozen or not; in fact, they may make double or more because a company would pay to pull credit, see there is a freeze, contact the customer to lift the freeze, and pay to pull the report a second time (or third or fourth time if the customer can’t get it unfrozen).

        As far as other revenue from reports, this is from our Attorney General’s website:

        Can anyone see my credit file if it is frozen?

        Your credit report can still be released to your existing creditors or to collection agencies acting on their behalf. They can use it to review or collect on your account. Other creditors may also use your information to make offers of credit-unless you opt out of receiving such offers. See below for how to opt out of pre-approved credit offers. Government agencies may have access for collecting child support payments, taxes, or in the course of a legal proceeding.

        1. Craig

          @Another Bank Employee

          So technically you are correct based on my wording above. Let me clarify as I lost some things when I edited for length.

          A lock is being sold by CRA’s as better than a freeze, but they don’t even provide as much protection as a freeze let alone raising the bar.

          Can anyone see your credit report if its frozen? Technically yes, but will they? Answer is more complicated that most sites lead you to believe. A freeze is a legal thing under law FCRA and as such does directly effects things like prescreen offers are managed under FCRA-604C (and FACTA-168b).

          It is true that an OPT out is the best way to keep from keeping from getting prescreened offers. But with the way prescreened data is sold a freeze limits your data’s marketability. As all but the bottom dredgers in the industry will put in a query for say all people in Orange County, with credit scores over 550 AND who’s accounts aren’t frozen.

          Prescreened offers can’t target an individual just a criteria and organizations know that individuals with a freeze could be subject to identify theft and by definition are high risk. The whole point of a prescreen query is to maximize profit and minimize risk when sending out offers. Its important to note that the “lock” field doesn’t currently appear to be available as a filter criteria on prescreened offer queries. Not sure if that will change.

          Depending on contract the prescreen contract will define it at a query or a record volume rate. Usually the more records you receive the more you pay. So in practice people with freeze’s are getting excluded from prescreen offers as you are viewed at high risk and more often than not are intentionally excluded from prescreened offers.

          Just like the idea of soft vs hard query, a “lock” is new term or category made up by the CRA’s. It would appear to be a campaign to side step regulation. Its doing so by establishing a contract between you and the CRA and agreeing on what a “lock” means. A definition that may in some states supersede or nullify some protections under the FCRA/FACTA and state law. Many states (Washington, California, New York?) have additional regulations limiting what is disclosed during a precreen/”soft pull” if the individual has a freeze or red Flag but under a “lock” its assumed those protections would not apply.

          Its the opinion of many legal experts smarter than I (see consumer reports, economist,etc) that the offering of a Lock is a method of sidestepping regulations by entering into a contractually defined relationship with you, the product, that will help maintain the profitability of your data.

          For example:
          – A hard pull on a frozen account from a bank you have an ongoing relationship – most always blocked.
          – A hard pull on a “locked” account from a bank you have an ongoing relationship – allowed

          Reason a hard pull is blocked under a freeze is a freeze does more than keeping credit from being issued. It keeps certain types of information on your account from being updated with out you being notified of the change first. Changes in name, address, social security number, accounts as well as potentially derogatory information can only be updated during a freeze under certain conditions that include notifying you first. Since a hard pull is logged as being a potential opening of a credit account its viewed as being potentially derogatory and is usually blocked under a freeze.

          So yes a freeze does impact the marketability of your data.

          Contrary to popular belief, under contract most companies aren’t charged twice (if at all) when a pull it denied due to a freeze. Usually transaction is delayed up to 15 days to allow freeze to be removed. If transaction failed due to freeze not being removed there is rarely a charge. If you work for an institution that does pay for failed pulls…..you need to talk to your contract folks.

          Still don’t believe me that freeze’s are going to impact their bottom lines? Just check our the Investor Relations pages.

      2. Jim R

        And if enough people do freezes, and if a big chunk of the credit reporters’ income is lost, how soon do we see them breaking the law with excuses like “computer problems prevented the freeze from working and we inadvertently continued to sell consumer information”?

    2. acorn

      Steve R; Craig:
      I question the precedence as to the ability to continue to spam-market unsolicited credit or insurance, Opt-Out or credit bureau terms of service.

      Unsolicited credit or insurance opt out: To opt out for five years; or, permanently with a signed Permanent Opt-Out Election form that is returned: Call 1-888-567-8688 or visit http://www.optoutprescreen.com

      krebsonsecurity.com/tag/optoutprescreen-com

      Optoutprescreen.com, “official Consumer Credit Reporting Industry website to accept and process requests from consumers to Opt-In or Opt-Out of firm offers of credit or insurance.”

      Yet, without reading the Fair Credit Reporting Act–FCRA–it seems the act would take precedence over any credit bureau terms of service to spam-market, if the consumer-product has opted-out.

  8. Frank

    A credit ALERT is free. Any incident of someone trying to access it avpjnt. You are alerted and need to approve. Or not.

  9. Heron

    I sent a link to this to one of my elected representatives, and asked him to pass it on to someone on the committee that will hold the hearing.

  10. John

    I would like to add a question and discussion around retention policies, specifically does Equifax have a retention policy related to personal information and sensitive personal information (e.g. DOB, SSN, etc.)? If so, is the policy to retain data indefinitely? I can’t think of any other reason why they would have that much information in a single system. Like many of your readers, I froze my credit files back in 2015 and I have never thawed them, yet according to the Equifax web site, my information was included in the breach.

  11. Bill F.

    Q: Where does Equifax store the answers to its knowledge-based authentication” (KBA) questions? Are they stored in the same database as the Name, Address and SSN information? Is Equifax aware of any hacker access to the KBA answers?

  12. Peter Riviera

    From Mr. Smith’s prepared testimony (http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf) Equifax got the March 9th CERT on the Apache Struts vulnerability and circulated it internally for remediation. On March 15th their “security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability.”

    Although not all blame can be shifted to the scanning company for failing to detect the vulnerability as Equifax acknowledged that they were aware of the vulnerability previously through the CERT notice. Regardless, a witch hunt needs to be formed – the scanning company needs to be outed and held accountable as well. Any insights as to whom they used?

  13. Peter Riviera

    From Mr. Smith’s prepared testimony (http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf) Equifax got the March 9th CERT on the Apache Struts vulnerability and circulated it internally for remediation. On March 15th their “security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability.”

    Although not all blame can be shifted to the scanning company for failing to detect the vulnerability as Equifax acknowledged that they were aware of the vulnerability previously through the CERT notice. Regardless, a witch hunt needs to be formed – the scanning company needs to be outed and held accountable as well. Any insights as to which vendor was used here so we can get them to comment as well?

  14. FunnyBits

    Watched the Mr. Smith Questioning today. He mad an incorrect statement about Credit Lock vs Credit freeze. (he said they were the same). One congressmen mentioned that these bureaus need to have ‘skin in the game’ and if you are keeping information that is as sensitive as this and have an issue that there should be a $ amount attached that they have to pay consumers if their data was compromised. (I agree) And future costs covered to correct the issue. Because this can have such a long term affect.

    I’d like to know based on this huge screw-up on Equifax’s Security Team.

    ***What are the Other Credit Bureau’s doing PROACTIVELY to make sure they don’t have exploits/holes/Security patching to ensure we don’t have a cascading affect??***

    Put in place an OPT-OUT rule allowing the consumers to have our info removed from their databases. And allow the consumer to control this info.

    1. Richard A Parry

      Evidently the IRS is completely tone deaf. the optics of this move are terrible.

      A company that sells identity products based on data that it (or anyone else) has demonstrated they can secure is being rewarded with more business from a government enterprise that is experiencing fraud at disturbing rates due to the failure of our national system of identity.

      Must we keep having the wrong conversations?

      1. Richard A Parry

        CORrECTION

        Evidently the IRS is completely tone deaf. The optics of this move are terrible.
        A company that sells identity products based on data that it (or anyone else) has demonstrated they CANNOT secure is being rewarded with more business from a government enterprise that is experiencing fraud at disturbing rates due to the failure of our national system of identity.
        Must we keep having the wrong conversations?

  15. Nick

    Both my wife and I have signed up for this so it allows more than 1 user per address. I did not get a notification when she signed up, so don’t count on being the first to grab the account to guarantee safety.

  16. Nick

    When companies say “it looks like state sponsored hacking” is it just an excuse to duck legal liability since they cant be responsible for another nations attack on them?

Comments are closed.