A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.
My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.
Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX”) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”
Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.
“A typical employee at Facebook (which also owns Instagram and WhatsApp) may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job,” Winston writes. “If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.”
While this may sound like a nice and legitimate use of salary data, the point of my original report was that this salary data is also available to anyone who has the Social Security number and date of birth on virtually any person who once worked at a company that uses this Equifax service.
In May 2017, KrebsOnSecurity broke the story of how this same Equifax Workforce portal was abused for an entire year by identity thieves involved in tax refund fraud with the Internal Revenue Service. Fraudsters used SSN and DOB data to reset the 4-digit PINs given to customer employees as a password, and then steal W-2 tax data after successfully answering personal questions about those employees.
Curiously, Equifax claims they have no evidence that anyone was harmed as a result of the year-long pattern of tax fraud related to how easy it was to coax salary and payroll data out of its systems.
“We do not know of any specific fraud incidents linked with the Work Number,” Equifax spokeswoman Marisa Salcines told Fast Company.
This statement sounds suspiciously like what big-three credit bureau Experian told lawmakers in 2014 after they were hauled up to Capitol Hill to explain another breach that was scooped by KrebsOnSecurity: That a Vietnamese man who ran an identity theft service which catered to tax refund fraudsters had access for nine months to more than 200 million consumer records maintained by Experian.
Experian’s suits told lawmakers that no consumers were harmed even as the U.S. Secret Service was busy arresting customers of this identity theft service — nearly all of whom were involved in tax refund fraud and other forms of consumer ID theft.
Loyal readers here will know I have long urged consumers to opt out of letting the big credit bureaus resell their credit files to potential lenders (and, by proxy, to ID thieves), by placing a freeze on their credit files with Equifax, Experian, Trans Union and Innovis.
In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.
As it happens, it is possible to opt out of having your salary data sold through Equifax. According to Equifax, this involves placing a free “freeze” on your file with the Work Number. These instructions on how to do that come verbatim from Equifax:
To place a security freeze on your The Work Number employment report, send your request via mail to:
ATTN: Employment Data Report Dept 19-10
11432 Lackland Road
St. Louis, Missouri 63146
Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.
It’s not clear what may be the potential consequences of freezing your file with The Work Number. Fast Company explains the service and its giant database “helps streamline various processes for employers and other agencies, and it helps employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.”
Here’s Equifax explaining why consumers might want to leave their files alone:
“Without the Work Number, a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”
Neither does the consumer have any control over to whom Equifax gives this data. I for one am taking my chances and freezing my salary data at Equifax. I’ll let you know how it goes.
Before you opt out, you may wish to see which lenders, credit agencies and other entities may have received or attempted to pull your Work Number salary history.
To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).
Generally, companies guarantee privacy and confidentiality when their users sign up for their services then turn their backs and break these agreements, and make money in the process. What happens if government agencies target individuals in the name of “national security” from these records? This gives an incentive for governments to force companies to keep records of their citizens with specific information for a certain period of time since they know that this is possible based on these reported violations.
I tried to opt out by phone today and I think I finally managed to place the dispute. However, they gave me a Ticket No. and told me that a decision on whether to accept this dispute (i.e., whether a freeze will actually be placed on my salary info) WILL BE MAILED TO ME WITHIN 30 DAYS.
I guess that means they could still deny it?!?
Anyway, getting to that point was an ordeal. I called the dispute number directly. Wait varies from 15 min. to 5-10 min. The procedure is:
– agent gets your personal info (Name, Address, SSN, DOB)
– agent asks you a set of security questions. Here’s where I failed the first time. First agent read 4 multiple choice questions regarding my financial information. I wasn’t sure of everything because, for example, we have credit cards with both Target and Kohl’s, but I only said “Target”. She then submitted all 4 answers simultaneously and declared that I had failed the security check. Duh! She wouldn’t let me take it again and asked that I apply by mail with two forms of ID, blah blah blah.
So I called again. First time, I got the same agent. Bummer.
Called again and got another agent. This one was rude but more efficient. She read me the security questions one at a time, and she had me say the correct answer instead of reading four answers and asking me which is the correct one. I much prefer this method and I passed.
Will post the final outcome here when I receive it.
“In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.”
After freezing, do people have a side benefit effect that U.S. Postal spam is diminished, especially from automotive dealerships?
Credit agencies are selling info for U.S. Postal spamming for non-credit marketing. Here’s a comment from one U.S. Postal “advertising agency”-spammer: [we are] “an approved ‘Vendor 2’ by Equifax, granting us full access to mailing lists with credit data on behalf of lenders for printing and shipping mail [aka spamming]. Not all [advertising-spamming] agencies and [advertising-spam] printing companies are credentialed by Equifax; in fact, Vendor 1 credentialing only provides access to the recipient names and addresses, not credit data.” Seems the credit agencies provide names and addresses for use in regular, monthly sending of U.S. postal spam, often for automobile dealership advertisements.
The quotes are from platinumplusprinting.com, one spamming-“marketing-printing” agency, that obtains credit agency mailing lists.
I’ve personally seen their monthly automotive dealership spam mailings; but, think my address was sold by Experian due to the personal address nomenclature being unique in my Experian file, different personal address on file with Equifax and Transunion.
Experian selling mailing lists:
Update: Today I got written confirmation by mail from Equifax that my salary info from my previous and current employers is no longer available. Apparently you can freeze each employer separately if you wish.
I would recommend everybody to take this step.
I consider this a partial success, but I will still fight with my HR so that the data do not get to Equifax/TALX/TheWorkNumber in the first place.