22
Mar 18

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Almost 20 percent of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state.

The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32 percent said the freezes cost them $10 or less, but 38 percent said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23.

A credit freeze blocks potential creditors from being able to view or “pull” your credit file, making it far more difficult for identity thieves to apply for new lines of credit in your name.

Depending on your state of residence, the cost of placing a freeze on your credit file can run between $3 and $10 per credit bureau, and in many states the bureaus also can charge fees for temporarily “thawing” and removing a freeze (according a list published by Consumers Union, residents of four states — Indiana, Maine, North Carolina, South Carolina — do not need to pay to place, thaw or lift a freeze).

Image: Wakefield Research.

In a blog post published today, Fundera said the percentage of people who froze their credit in response to the Equifax breach incrementally decreases as people get older.

“Thirty-two percent of millennials, 16 percent of Generation Xers and 12 percent of baby boomers froze their credit,” Fundera explained. “This data is surprising considering that older generations have been working on building their credit for a longer period of time, and thus they have a more established record to protect.”

However, freeze fees could soon be a thing of the past. A provision included in a bill passed by the U.S. Senate on March 14 would require credit-reporting firms to let consumers place a freeze without paying (the measure is awaiting action in the House of Representatives).

But there may be a catch: According to CNBC, the congressional effort to require free freezes is part of a larger measure, S. 2155, which rolls back some banking regulations put in place after the financial crisis that rocked the U.S. economy a decade ago.

Consumer advocacy groups like Consumers Union and the U.S. Public Interest Research Group (USPIRG) have long advocated for free credit freezes. But they’re not too wild about S. 2155, arguing that it would undermine banking regulations passed in the wake of the 2007-2008 financial crisis.

In a March 8 letter (PDF) opposing the bill, Consumers Union said the security freeze section fails to include a number of important consumer protections, such as a provision for the consumer to temporarily “lift” the freeze in order to open credit.

“Moreover, it could preclude the states from making important improvements to expand protections against identity theft,” Consumers Union wrote.

While it may seem like credit bureaus realized a huge financial windfall as a result of the Equifax breach, it’s important to keep in mind that credit bureaus also make money by selling your credit report to potential lenders — something they can’t do if there’s a freeze on your credit file.

Curious about what a freeze involves, how to file one, and other options aside from the credit freeze? Check out this in-depth Q&A that KrebsOnSecurity published not long after the Equifax breach.

Also, if you haven’t done so lately, take a moment to visit annualcreditreport.com to get a free copy of your credit file. A consumer survey published earlier this month found that roughly half of all Americans haven’t bothered to do this since the Equifax breach.

Tags: , , , , , , , ,

55 comments

  1. We are a bank that has a lot of credit card fraud. We are just a small institution. How do people get our numbers from the dark web? We think most of the fraud is now coming form college or younger people who are buying our card information on the dark web. Do you thank it would be smart to look for our card numbers and buy them and then issue new cards? We think since we are small that we have been targeted by our card numbers. We have seen traffic increase on Sunday mornings or late Saturday nights.

    Also – the biggest player in this fraud – Wal-Mart and Sam’s. We blocked over $10mm of transactions at a Wal-Mart one weekend. Called the manger and found out that the thefts were sitting in self-checkout. They had to be running thru thousands of cards an on the machine for a long time. Just seems like they are violating the intent and laws of the credit card license for users. Seems like that they should be liable for broken internal controls. Know a good class action attorney??

    • > How do people get our numbers from the dark web?

      Easy. A lot of the time the card numbers are swiped from either A) An insecure POS terminal that’s on stripe or stripe-fallback or B) An online merchant who’s not PCI compliant and storing the credit card data (as opposed to the authtoken) in full.
      As you should know, the magstripe is plain text and anyone who swipes it has full TRACK1 and TRACK2 data. So if it’s swiped, and the terminal is compromised, you have everything you need to clone the card.
      If an online merchant stores the card in full and doesn’t obscure it, as soon as they get owned the attacker has everything they need. Simple, nearly as simple as the insecure POS terminal situation.
      A third, but likely less likely situation, is someone’s identity gets stolen and the card was fraudulently signed up for using stolen data, but that probably comprises a very small percentage of the incidents.

      > Do you thank it would be smart to look for our card numbers and buy them and then issue new cards?
      I would never buy the data from them, even if it’s being done for a good deed. If you pay them, you are incentivizing the thief to continue on. Also I doubt you’re being targeted because you’re small.

      Now with regards to Wal-mart and Sams…doesn’t surprise me. They’re huge retailers that sell a lot of big-box items. Makes sense that they’ll be hit up for buying stolen goods and reselling them. I’d say a class action would be pointless, since as long as their policies and merchant agreement agree to this, there’s not much you can do. The liability shift in the Visa and MC spectrum are both well-known depending upon the steps followed.

    • Regarding card fraud, some banks found that if they bought up their own card data they actually created a market for it and drove the prices *UP*.

      Our suggestion: If you are not already, join the FS-ISAC and NCFTA groups, get as much data as you can for little/no cost, and only shut down cards when they are actually used for fraud. You can spend more money on reissuing cards proactively than you would take losses on the cards that do get used.

    • “We have seen traffic increase on Sunday mornings or late Saturday nights.”
      Just in the past few months my CU cut the maximum allowable daily ATM withdrawal for the weekend when they are not open to $250, half of what they allow at other times.

    • Hey thats crazy. Im a manager at a branch as well & we deal with an insane amount of fraud as well. By chance what CU does that happen to be? I want to inform my superior of your similar plight.

  2. There also needs to be change in what it takes for parents/guardians to freeze the information of their minor children. Once again, the most vulnerable are left wide open because it’s difficult to take action.

  3. Would love to see the breakdown of how much money Equifax lost due to the breach, vs how much they made by selling credit freezes. I wonder if they actually _made_ money on the breach.

    • Based on the $1.4 billion estimates and about 30% of that going to Equifax so around $466 million. The numbers for how much the Equifax breach cost them are all over the place but looking at all the articles I would say they have paid $400 million to date and that could go up to $600 million. Considering that they now have all new security tools, a new security team, and I assume a much better security program now, $66 million seems cheap. Equifax is rolling in $3 billion in annual revenue and has over 9,000 employees.

    • Different Dave here: That was exactly the question I was going to ask. If you’re profiting from the results of the breach, it could be worthwhile to engineer a fake breach calculated to minimise harm to yourself while maximising revenue from people paying you to clean up your own mess (or fake mess in this case). You’d just need to have some high-level exec close to retirement who could act as a fall guy for it in exchange for getting a bigger golden handshake.

      • Dave, what also makes matters worse is that Walmart does not bother with a pin for debit card purchases under $50.00. They just run them through. I do not like that practice and it makes me very reluctant to shop there. They also have a fast checkout which is basically unsupervised so plenty of opportunity to run stolen cards, etc. You just grab what you want, run a card, and you are out the door.

        On a positive note, Florida just passed a new law allowing people to freeze their credit for free. One small victory for consumers.

        • I wouldn’t recommend using a debit card for purchases anyhow, as you’re usually out the money until the dispute resolution is complete, as opposed to credit cards where you are not liable for charges unless you lose the dispute.

          If you do use your debit card, I would recommend never using your PIN in case there are skimmers attached to the POS.

    • Very good point

    • But Equifax did not charge for freezes. They certainly didn’t charge us or others we know. So how did they make money from the freezes?

      • Caray,

        I think it was because of situations like that that the survey intentionally did not assume a certain cost per person of applying freezes; rather it asked those surveyed to self-report the amount spent.

    • I froze my Equifax credit report, and they didn’t make me pay a fee. I also had to unfreeze it for a bit, and I wasn’t charged for that, nor for refreezing it. My state allows up to a $10 charge per freeze/unfreeze and temporary unfreeze.

  4. The Sunshine State

    Good article !

  5. Apparently legislation from Congress is not needed as several states have already prohibited such fees. I suspect such laws at the national level will take a long time to be implemented or require other onerous compromising legislation.
    Contact your *state* legislature and demand that they eliminate all fees for freezing, “thawing” and unfreezing YOUR data.
    It’s your money!

    • According to the Equifax site (https://bit.ly/2l9cF6J):

      “Equifax is waiving any fee to Place, Temporary Lift or Permanently Remove a Security Freeze through June 30, 2018. Any freeze activities after June 30, 2018 may be subject to the fees provided by your state of residence”.

      Get your freeze while it’s hot!!

      • a ‘security freeze’ is NOT a credit freeze. it’s their scam to make you think your credit is frozen while they continue to pimp your financial profile and profit from that

        • From the Equifax Web site:

          “What is a Security Freeze?
          A security freeze, also known as a credit freeze, is a tool that can help prevent unauthorized access to your credit reports. Freezes are subject to regulation by each state. Once a freeze is placed on one of your credit reports, it prevents access to it by certain third parties, like lenders and creditors you’re requesting new credit from”.

          From the FTC Web site:
          “What is a credit freeze?
          Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit”.

        • They are two different terms for the same thing. You are probably thinking about the “credit lock,” which as you say not the same thing as a freeze. This is explained in the Q&A linked to in the article:

          https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

          Q: I see that Trans Union has a free offering. And it looks like they offer another free service called a credit lock. Why shouldn’t I just use that?

          A: I haven’t used that monitoring service, but it looks comparable to others. However, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to steer people away from securing a freeze on their file. I notice that Trans Union currently does this when consumers attempt to file a freeze. Your mileage may vary, but their motives for saddling consumers with even more confusing terminology are suspect. I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

  6. HMMM…..

    My first reaction when reading the subject line of this article

    Guess that’s the conspiracy theorist in me coming out.

  7. This made my life almost unmanageable.
    But I learned the Breach made so much money as they sold there stocks before they told us of the breech.
    I was sold on the black market maybe to use my information to elect a criminal president.
    Everything is forsale these days.
    Greed over ethnics is now the norm.
    Look at Facebook.
    Look at our elections now.
    Ever since the computer and information became a commodity the thieves have been swarming.
    But now I know.

    I just went back to church and pray for everyone to go back to basics and treat others as you would want others to treat you.
    You can take my information but you can’t buy or sell my spirit.
    Enough is Enough.
    Simplfy.
    Enjoy you life.
    Stay away from the ways that try and control who you were born to be.
    I am more than a social security number.
    Not afraid no more.

    • Hi David. If any of your information was sold on the dark web it was likely used to TRY and elect a criminal president. I thank God they were not successful and the country has once again turned back toward freedom. MAGA

  8. well americans got a lot money.
    its debt but as we know for every debt there is equal debit.
    every debit is credit ,thats universal equilubrium law.

  9. Equifax should be forced to reimburse all of this and then promptly given the corporate death penalty

  10. Free makes me uncomfortable.
    Free makes it too easy for pranksters and other troublemakers to start swatting my credit file. We all know that those credit bureaus have extremely bad security.
    I would rather pay the $10 ($10 times 4 credit bureaus).

  11. I gave up on our system years ago. I have no credit, and I don’t want any. Render unto Caesar…

  12. Washington state recently passed and signed a bill to allow free credit freezes.

  13. Brian, you wouldn’t know the house, and/or senate bill number for that proposed law would you? It would help me pound on my congressman’s door to urge him to vote! I’ve been doing a lot of that since the breach – those idiots at Equifax really get my blood boiling! >:(

  14. If you are a senior (age varies by state), a number of states besides the four mentioned in the article also mandate free freezes and thaws. The CR articles cited by Brian lists them, and each credit bureau has a similar list.

  15. I did try to freeze my credit with all 4 bureaus (there’s also Transunion besides the major 3) and guess what? My car insurance premiums started going up for no reason. I realized it only after about couple of years that they were charging me roughly around $100 more for a 6-month premium. How do I know? I read the large small print sheet of paper that comes with a bill that basically said that if we can’t access your credit we may jack up your rate. Which they did. I then called my insurance agent and asked him if a freeze would affect my premium and he basically didn’t know a thing about it. So just to try I decided to remove the freeze, and guess what, next time the premium bill was drastically lower. So keep this in mind when “playing” with these credit freezes. It may affect your other insurance premiums as well.

    PS. Oh, and if they pass the law that those freezes should become free, I want my $45 x 2 reimbursed that I spent on freezing and then on unfreezing my accounts. So keep that in mind as well — once you commit to doing it, you’ll have to pay equal amount to undo it later.

    My bottom line is that it is not as “innocent” sounding like Brian describes it here. They will find a way to get their money from you one way or another.

    • Yeah if you have a good credit score and your insurance company was able to verify it, they were likely giving you a better rating, as people who can manage their finances tend to have less claims.

      Makes sense then that if suddenly they were blind to your creditworthiness your premium would go up.

  16. Froze the big 3. Now moving to NV. In NV State Farm does a credit check each time I transfer a policy. 3 times so far. And they check all 3 services. TransUnion hits me up for $5 each time. And I am a 30+ year customer of State Farm in CA.

  17. I live in CA. I paid $0 to put freezes on my accounts with all 3 credit companies. There will be a $10 fee to permanently remove them.

  18. The Equifax breach was a fiasco waiting to happen. And I’ll bet more are on the horizon. I put together a presentation to fix the system structurally. Maybe it can do some good. Here’s a link:

    http://dgregscott.com/143-million-reasons-credit-reporting-industry-reform-part-2/

    – Greg

  19. Luckily I live in one of the 4 states that charge zero for the freeze so I froze all 4 of mine after reading Brian’s articles about this mess. I did apply for a loan last month from my credit union and got a pat on the back from the loan officer for putting the freeze in place. Unfroze the one the credit union checks for 24 hours so they could process the loan and everything went smoothly. Thanks for keeping us up to date with all the information Brian.

  20. Carolyn Ferguson

    Im a victim of fraud 4 time n credit breach i dont know who to contack i need help

  21. I have a question that I am torn about. The 3 credit bureaus + Innovis have the option to create online accounts within them to dispute information, pull reports, and so on. Do most of you create online accounts for these websites? I try very hard not to create additional accounts, but then I think if someone
    malicious creates an account in my name then i will not be able to create my account later on. Thoughts? Advice? Thank you –

    • I haven’t. My view is that phone based systems are required to have recorded logs (which shouldn’t be web accessible, and if they are, liability should be clear).

      Web based systems are a whole slew of invitations for attacks, injection, reset, hacking,…

      I froze my big 4 accounts (Equifax, Experian, TransUnion, and Innovis) years ago and froze a fifth (Chex systems for free) recently. I don’t expect to need to thaw or check anything, so why create an account which creates more exposure risk?

      Caveats:
      1. I have exposure risk in two other countries, one with weaker protection than the US and one with unknown…
      2. I have relationships with enough credit providers that I’m comfortable relying on them if I need credit as opposed to the open market (which would require a thaw) – companies with existing business to you aren’t blocked by freezes, so they can see your file or choose to extend credit based on the their direct experience with you.
      3. I’m not a US resident, so I don’t have immediate needs for US credit.

      Note that most people each year don’t need new credit, so leaving things frozen is the right baseline.

      It’s bad enough having to worry about credit card compromises.

  22. Buy 90 Dan Williams Jersey from
    China jerseys from china cheap factory, free shipping and easy returns also best service.

  23. This method could possibly be useful in case you’re in an emergency situation ,
    out in the boonies without reception, or misplaced in the woods with nothing
    shut by except a cottage manufactured from candy.

  24. For those of you that were affected, good credit or bad credit your identity is still always at risk. I work for a company that offers an identity shield to keep things like this from happening. I Had the protection at the time of the breach but I have a friend that was affected and one of her children were affected. She subscribed to our services and they worked until she was back to pre theft status. Your backed by a 5 million dollar guarantee as well. Give you and your family a peace of mind. For a small fee get coverage at the touch of an app.

    https://amilligan3105.wearelegalshield.com/

  25. By so doing, you usually are not only making your household grow, you might be also which makes it strong.

    Of course, allow us to take into account the power of audio players,
    which made the way to expanding the music business insurance agencies several
    different brands that offer such devices. Her eyebrows are shaven, which indicates she’s married,
    and her eyes are narrowed in a dreamily gaze looking to the distance.

    • My household is guarded by a slovenly hippopotamus, who enhances the power of my foundation as he sits listening to his iPod Shuffle while he munches on my shrubbery for sustenance. His eyebrows are nonexistent, which indicates he’s wise beyond his years, and his eyes are narrowed in a stern expression reminiscent of the villains from spaghetti westerns.