13 Nov 17

How to Opt Out of Equifax Revealing Your Salary History

A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.

My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.

Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX“) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”

Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.

“A typical employee at Facebook (which also owns Instagram and WhatsApp) may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job,” Winston writes. “If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.”

While this may sound like a nice and legitimate use of salary data, the point of my original report was that this salary data is also available to anyone who has the Social Security number and date of birth of virtually any person who once worked at a company that uses this Equifax service.

In May 2017, KrebsOnSecurity broke the story of how this same Equifax Workforce portal was abused for an entire year by identity thieves involved in tax refund fraud with the Internal Revenue Service. Fraudsters used SSN and DOB data to reset the 4-digit PINs given to customer employees as a password, and then stole W-2 tax data after successfully answering personal questions about those employees.

Curiously, Equifax claims they have no evidence that anyone was harmed as a result of the year-long pattern of tax fraud related to how easy it was to coax salary and payroll data out of its systems.

“We do not know of any specific fraud incidents linked with the Work Number,” Equifax spokeswoman Marisa Salcines told Fast Company.

This statement sounds suspiciously like what big-three credit bureau Experian told lawmakers in 2014 after they were hauled up to Capitol Hill to explain another breach that was scooped by KrebsOnSecurity: That a Vietnamese man who ran an identity theft service which catered to tax refund fraudsters had access for nine months to more than 200 million consumer records maintained by Experian.

Experian’s suits told lawmakers that no consumers were harmed even as the U.S. Secret Service was busy arresting customers of this identity theft service — nearly all of whom were involved in tax refund fraud and other forms of consumer ID theft.

Loyal readers here will know I have long urged consumers to opt out of letting the big credit bureaus resell their credit files to potential lenders (and, by proxy, to ID thieves), by placing a freeze on their credit files with Equifax, Experian, Trans Union and Innovis.

In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.

As it happens, it is possible to opt out of having your salary data sold through Equifax. According to Equifax, this involves placing a free “freeze” on your file with the Work Number. These instructions on how to do that come verbatim from Equifax:

To place a security freeze on your The Work Number employment report, send your request via mail to:

TALX Corporation
ATTN: Employment Data Report Dept 19-10
11432 Lackland Road
St. Louis, Missouri 63146

Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.

It’s not clear what may be the potential consequences of freezing your file with The Work Number. Fast Company explains the service and its giant database “helps streamline various processes for employers and other agencies, and it helps employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.”

Here’s Equifax explaining why consumers might want to leave their files alone:

“Without the Work Number, a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”

Neither does the consumer have any control over to whom Equifax gives this data. I for one am taking my chances and freezing my salary data at Equifax. I’ll let you know how it goes.

Before you opt out, you may wish to see which lenders, credit agencies and other entities may have received or attempted to pull your Work Number salary history.

To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).


52 comments

  1. I have been complaining for some time about a “Genealogy” service (no fee or registration). It allows any person to enter a target’s name and get lots of information about that target including every previous address the target has lived at. Those addresses are part of security questions the credit rating companies like Equifax use.
    That genealogy company is called “familytreenow.com”. I encourage everyone to use the opt-out for their names and any family members. No, I have no business interest in the company. I read about them in Forbes and a couple of other media outlets.

    • The fun part about these kinds of questions is that normal people don’t anal retentively track this level of detail, so I end up having to resort to websites like this to get the detail required to answer the questions I’m supposed to somehow know off the top of my head.

      For a little while I was tracking addresses but it’s not like I’m going to remember details from 20 years ago.

      • You are lucky you aren’t an immigrant asked to list all addresses where they have lived the last ten years! What normal person remembers stuff like that?

        • I would say most normal persons do. Most normal persons probably had like 3 addresses max in the last 10 years. Many younger ones would probably include their parents’ address in there which would not have changed in quite a while most probably.

          • There are immigrants that were students and moved at least once a year, sometimes more frequently. Unless you don’t think those are the normal kind 🙂

          • How about if you were a college student? You could possibly move at least once per year in four years, and likely move more than that if you had internships, etc. Going back through 10 years of addresses is likely to yield more than 3 unless you are lucky enough to say find a job, immediately buy a house, and not move again. Be realistic!

    • Thanks for the tip! The opt-out link is here:
      https://www.familytreenow.com/optout

      • This “opt-out” is actually a scam to get people to verify the data this scam company has scraped from public records and other websites. If they had any interest in your privacy or the security of your personal information, they never would have republished it online in the first place.

  2. I have been reporting about the dangers of how easy it is to gather information for identity theft. There is one scammer that has set up more than 45 fake staffing companies with separate web domains with matching email addresses. The goal is to convince targets to give up their DOBs and SSNs. Combined with other openly available info the targets are destroyed.
    I warned one California based hosting company what is occurring on their servers and they responded by ignoring and continuing to provide service to the scammer.
    http://fakestaffing.blogspot.com/p/all-created-by-same-individual.html

  3. My wife and I moved from California to Canada once in 1976 for ~16 years and then permanently in 1995. Because we have a US work history, we also have crumbs sprinkled about in these employment and credit check agencies. How do we go about securing our historical records?

  4. “In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.” I’ve frozen my files as well. But the downside is, when one’s files are frozen, s/he should not expect to be able to secure a loan or transact any business that requires verification of payment history, employment, etc. Banks and lending institutions are not going to be in favor of ‘freezing’. But if the lock/unlock system that Equifax claims will be ready by early 2018 works, maybe that standard should be applied to all of the reporting agencies. Give consumers the option. I doubt though, that the majority will take advantage of such a program. Convenience is more important to them.

    • I have just completed a loan with a bank while my credit was frozen. I lifted credit freezes for a 30-day period, and the bank was able to pull necessary credit reports. Please don’t encourage people to think that this process doesn’t work. Only one of the credit bureaus charged me for this temporary freeze lift, although legally each of them was entitled to do so. Each state has set the amount a credit bureau may charge for this lifting service, and there are links on each credit bureau’s website showing the allowable fee for each state.

    • The fact that you have to lift the freeze to apply for a new credit card or loan is precisely what saves you from fraudsters doing the same in your name.

      I have lifted my freezes many times as needed, and had no problems even fully refinancing a house etc. If you lift the freezes online it goes into effect immediately. In my experience 2 of the 3 always charge $10 but whatever, $20 every now and then (you shouldn’t be getting new credit cards that often!) is worth it when I know my SSN has been leaked multiple times now.

  5. This service is so much more of a problem than just security. It is a tool for the systemic oppression of workers. I know that sounds hyperbolic, but it isn’t. Allowing employers to verify salary history goes completely against all capitalist values and free market. Most employers only want to pay the bare minimum they can, and if they definitively know your history, they can use that unfair advantage to screw you. They should be paying/offering a salary based on the value you provide to the company. Having this kind of information available is akin to insider trading.

    Like it or not, companies choose a salary to pay based on what you tell them of your history in previous jobs. Many people will say that it shouldn’t be this way, blah blah blah, but that’s just not the reality. Most companies won’t even talk to you without demanding you give them your current salary. The only recourse people have to try to get more money is to lie/embellish their number, but with a service like that it easily becomes another way to eliminate you because you “lied”.

    People who worked at crappy low level jobs will never be able to get a higher salary if they are always compared against what they made before. Women and others who typically are paid less would never be able to escape the trap of a lower salary that they can never get increased.

    Companies *should* only offer a salary based on the value the position provides to the company. The salary history should be irrelevant, but it never is. Negotiations are human-driven, not rules-based, so there always needs to be the opportunity for soft information and back-and-forth discussions, and this kind of service removes that.

    It will lead to ever increasing lines of people at the unemployment office, unable to get work because of salary, work history gaps, or any other thing that is really irrelevant but hiring managers seems to place stock in anyway. This service is nothing more than a tool for worker oppression, and it should be regarded as an affront to basic human rights.

    • Come on, “nothing more than a tool for worker oppression”? Salary reports are used by people whom you ask to lend you money – banks, landlords etc. Use for employment? Agree, that would be bad. It would still show up in the report so one can tell if their prospective / new employer did that.

    • Excellent post Brian. There are a few States that are banning the practice of employers asking you what your salary is so that they can pay you the bare minimum above that (if at all). They would rather not give you an increase in some cases. This prevents people from climbing the economic ladder in our society. Glad to see this being discussed.

  6. Here’s a thought: instead of a freeze, contact me directly any time an entity is requesting my credit information. If I’m buying a house, applying for a job, getting an apartment, then I’d likely be expecting this and approve it. If not, then I have the option of saying no.

    Not perfect but at least it would give me some hint of control.

  7. Okay, over the past week, I have twice gone to the website and filled out the employee request form stating I wanted to place a security freeze on my information. I never once received a reply.

    So, today I called the 800 number and the person I initially talked to said she had no idea what a “security freeze” was. I asked to speak to a supervisor, who told me that it was not possible to freeze your account.

    Has anyone been successful at placing a freeze? If so, how did you do it? Is snail mail the only way to accomplish this?

    THANKS!

  8. A month ago, I placed a freeze on my Credit Report. Does this also freeze access to my Work Number employment report?

  9. Somehow a guide on “how to opt out of Equifax revealing [any of your data]” seems a tad ironic.

  10. My concern with placing this freeze on my salary report is that once a few people start implementing this freeze, this sleazy company will change the rules to invalidate my freeze and I would never know.

  11. Never start the initial placement of a freeze using any CRA website. Always always do it by certified mail. Why? Because their Terms of Use/Agreement requires you to agree to Arbitration. There is no such arbitration requirement when done by mail. Unless something has changed, but I doubt it.

    How do I know this is the case? I’ve had my files (Transunion, Equifax, Experian and Innovis) frozen for more than 10 years. I read the Agreement on their site FIRST before proceeding.

    Of course I never went through with it via the web but instead filed the Freeze request by mail.

    DO NOT let them scare you into not doing it by their claim it will slow things down when someone with a Permissible Purpose wants in to your file blah-blah-blah. Even if it were true the risk of an un-frozen file is big. I lock and un-lock mine periodically with one phone call, then specify how long to leave it un-frozen, then it re-freezes itself automatically.

  12. To get the free Employment Data Report, Equifax demands one’s SSN, address, and a copy of one’s driver’s license (or other ID). Should we trust them with such sensitive information?

  13. My experience:
    – called 800-996-7566
    – navigated automated menus to “Contact us regarding the work number as an employee”
    – got to operator
    – said I wanted to opt-out
    – they said I had to contact ‘dispute department’ and given 1-866-222-5880 number (which is their main call center)
    – Transferred to ‘dispute department’ which was closed

    So that’s nice

  14. What information is required to place a freeze on this? Do I just need first/last name and address? Or do I need photo ID and/or SSN?

  15. it never ceases to amaze me what kind of personal information about a person can be processed in the US without him knowing/consenting.

    the solution is simple: change every opt-out to opt-in. i know that business would cry, but it’s like this in many EU countries and it does work (ok, maybe not 100%, and not every country, but it still protects a private person orders of magnitude better)

    https://clientsites.linklaters.com/Clients/dataprotected/Pages/Poland.aspx
    (click on a country on the left side and search for “Are there any formalities to obtain consent to process personal data?” in the text)

  16. If they, or anyone else for that matter, can’t run an information collection/holding company properly logically/morally… and just not for profit. Time to burn it down – Start over – split up the services to separate companies/database locations.

    How do Credit Service companies not have a type of Monopoly? In today’s world, you can’t really avoid using such services. If it’s not a Monopoly it should be a “Utility” like water and electric.

    There needs to be limits to what data they may collect and who may access such data. remove “freeze” instead.. like the poster above and I have similar ideas that, you need to authorize access to the information.

    Say you were buying something and that vendor needed your credit information. You would get the information from the vendor (before the request), and call up to submit the permission with a series of access codes. (it’s annoying, but how often will you use it). This authorization is for 1 time access. It will slow down the process, but it’s good for the human. Humans are more important than profit in this case.

    The Credit system then could give some information back.. but not a lot. If they can’t profit from these changes, time to change the business. Be realistic, don’t maintain size and expect growth by penalizing data accessing with excessive cost.

  17. Brian,

    Thank you for providing the information that you have on this service and discussing the options and impact of choosing those options that consumers have.

    Your link in the following paragraph for opting out:

    To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).

    … points to an insecure connection (http://www.theworknumber.com/Employees/DataReport/index.asp).

    I would recommend updating the link to point your users to:

    https://www.theworknumber.com/Employees/DataReport/ which is the same landing page, but secured.

  18. This is endless. I shouldn’t have to OPT OUT of the collection of personal information which I never gave permission to collect and store in the first place. Where did they get that information, anyway?

    • This is endless. I shouldn’t have to OPT OUT of the collection of personal information which I never gave permission to collect and store in the first place. Where did they get that information, anyway?

      Your employers. They provide salary data as part of their contract for other services. Employers wanted this service, so they could see the people jumping from $15/hr to $50K/yr to $150K/yr over short periods. During the late 1990s, it was possible to double your salary a few times in just 5 yrs. I did.

      Employers didn’t like this – it was like an arms race for anyone with “full stack” skills at the time.

      I was trying to hire a guy who definitely had the right skills, but our HR director was running all the normal HR screens/background checks before sending the offer letter. The guy had the skills AND didn’t mind the low-mid pay we were offering for the position. It was his first job, but he’d just gotten a masters from GA Tech … and wasn’t personality stunted. HR demanded his last paystub from the prior employer and our candidate got a better offer, took it. Our company was screwed because HR didn’t snap him up. It wasn’t my problem, since I’d already provided 2 months notice. I’d almost doubled my salary by leaving. I was the team lead. They offered all sorts of perks to get me to stay, but really, it was time I moved onto new challenges.

      Fortunately, I checked my “Work Number” report a few months ago and they didn’t have any records that I’d ever held a job. 😉 Win-win.

      The data brokers are a necessary evil, sadly. The only solution to their lack of security is a $1000 fine, per incident of any leaks. That will either force them to take security seriously or after 1 breach, they will be out of business. Either is fine.

  19. Something I have used a couple of times that adds a layer of protection (to your credit files, not salary info), is to place a fraud alert on all of my family members’ accounts. It’s only good for 90 days, but you can renew it continuously AND there’s no charge. I like the idea of making these ripoff agencies do work without having to pay them for it.

  20. Playing devil’s advocate by putting on the black hoody….I would honestly from the criminal perspective exploit the system to scout for HVT (high value targets) or at least medium ones based off of fullz that are for sale and/or publicly leaked to get a higher validity on return for account takeover situations. This is kind of what I am seeing from my perspective in the industry already based on the clientele that is getting targeted out of the population.

  21. They don’t need to profit if you’re paying them to freeze the file. They probably make more from the freezing.

  22. On the phone with them now… and they’re telling me to contact each employer… Their customer service team is woeful at best.

    #15min’s in, waiting for a supervisor…

    And they ask me questions on the phone about accounts that are over 5 years old for “security” and claim that the questions are “computer generated for my security”… from my credit report that all of these companies have leaked… #fail.

  23. Brian, I wanted to view & share your article you reference from 2015:
    https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
    but I get a 403 Forbidden error when I try to view it.
    Unexpected error?

    Separately, thanks for the advice about the work history service.

  24. If you work for any state department in California your salary history is available at http://www.sacbee.com/site-services/databases/state-pay/article2642161.html albeit a year out of date, so not a lot of point in blocking theworknumber.com if it is already out there.
    There’s also a number of other similar sites, e.g., https://transparentcalifornia.com/
    Not sure how to lock those doors.

  25. Oops… looks like they took the logins “temporarily down for service” after your post appeared.

  26. I called them, but because I didn’t work for a company they harvested data from I wasn’t able to opt-out so I guess this is only useful to people who have worked for some of the major corporations you listed.

  27. Since there are three (or four) credit reporting agencies, does a person need to place a “work number” like freeze at all of them?

  28. > “TALX“
    @Brian: the trailing quotation mark here is actually an open mark.

  29. Tried posting to an older Equifax breach article but they are all closed. But I wanted to pass this along to those who are interested in such. I received a ltr 2day from one of my CC issuers concerning the Equifax breach – but not from Equifax, which has not contacted me about anything. I wonder if they have contacted anyone? Equifax press statements “imply” they will follow the letter of the law concerning the breach in contacting customers, which is gobbledygook for, “we’ll do ONLY what we are forced to do and if your state has no laws we must obey, don’t expect any help from us.”

    Snippet of the ltr, “…but we have been working with Equifax to learn more about this event and understand there is a possibility that your personal information might have been exposed” In other words, my CC number was compromised in the Equifax breach. Since I rarely use this card, I’ll know immediately if someone places a charge on it but then the bad guys don’t know that.

    They encouraged me to contact Equifax to determine if I was affected (not wasting my time on this) and sign up for monitoring (not trusting yet more entities, Equifax nor a third party, with any more info which exposes me to more potential breaches). And they suggested I place a freeze on my credit reports, that I did.

    Found out that ChexSystems seems to have, ah, lost the ltr they sent me with my PIN. So I now need to follow up on that. The freeze is in place, I just can’t lift it since I do not have a PIN. Maybe one of the nicer bad guys can tell me my PIN 😉

  30. I’m so glad someone is talking about employee oppression of wages. I just received a copy of a background check, and two of three of my past employers sold my information to work number. I’m shocked to see the exact hourly wage and YTD salary information posted. Luckily, I got the job I applied for, even though I inflated my base salary by 10%. One employer, a university, didn’t provide my salary information, just the dates. So now, nobody can lie about salary when applying for a job unless they want to risk being dishonest. We’re fucked guys, society is fucked. Companies know all about you before even talking to them. I’m lucky the company provided me with the salary applicable to the position in a bigger city.
