A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor — Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service.
The news came in an email Equifax is sending to people who took the company up on its offer for one year of free credit monitoring through its TrustedID Premier service.
Here’s the introduction from that message:
“We recently sent you an email advising you that, until further notice, we would be extending the free TrustedID® Premier subscription you enrolled in following the September 7, 2017 cybersecurity incident. We are now pleased to let you know that Equifax has chosen Experian®, one of the three nationwide credit bureaus, to provide you with an additional year of free credit monitoring service. This extension is at no cost to you , and you will not be asked to provide a credit card number or other payment information. You have until January 31, 2019 to enroll in this extension of free credit monitoring through IDnotify™, a part of Experian.”
Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian.
But not to worry, Equifax says: Experian already has most of this data.
“Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier,” Equifax wrote in its email. “Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation.”
Even though people who don’t opt-out of the new IDnotify offer will have their contact information automatically shared with Experian, TrustedID Premier users must still affirmatively enroll in the new program before then end of January 2019 — the date the TrustedID product expires.
Equifax’s FAQ on the changes is available here.
Talk about the blind leading the blind. It appears that in order to opt-out of the information sharing or enroll in the new Experian program, people will need to click a customized link in the email that Equifax is sending to TrustedID enrollees. I’m not aware of another method for opting out or signing up, but I’ve asked Equifax for clarification on that point.
Fundamentally, I see no problem with people using these credit monitoring services as long as they are free. Credit monitoring services can be useful in helping consumers dig themselves out of the mess caused by identity theft.
The chief danger I see in relying on credit monitoring services to stop identity theft, however, is that these services traditionally have not been very good at doing that. As I’ve written ad nauseam, credit monitoring services are more useful at detecting *when* someone opens a new line of credit in your name. What this means is that while they might let you know when someone has stolen your identity, they’re not likely to prevent that from occurring in the first place.
The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file.
Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans. I explain in much greater detail how to freeze your files and what’s involved with that in this post from September.
Please note that if you haven’t yet frozen your credit and you’d like to take advantage of this offer from Equifax/Experian, it’s a good idea to enroll in the IDnotify first, as it’s often not possible to enroll in credit monitoring services *after* you’ve frozen your credit. That said, Equifax’s FAQ suggests this might not be the case, noting that if your Equifax credit report is frozen, the security freeze will stay in place for people who enroll in the new program.
I imagine this arrangement should help the credit bureaus steer more people away from freezing their and toward their respective “credit lock” services, which the bureaus have marketed as just as good as a credit freeze but also easier to use.
All three big bureaus tout their credit lock services as an easier and faster alternative to freezes — mainly because these alternatives aren’t as disruptive to their bottom lines. According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).
TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.
Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.
Did you receive this offer from Equifax/Experian? Are you planning to opt out or enroll? Sound off in the comments below.
I opted out after the free period. Glad I did, it wasn’t very good my credit card offers a better service for free, monthly reports, and notification with any changes. Since we don’t have the ability to not be included in these credit reporting companies data bases. At least we should get is free basic reports so we can be aware of improper activity.
Hi again, W43, Brian and all,
W42, can I ask a question: when creating your account (since you already had an existing credit freeze & PIN in place), did anywhere in the account-creation process either Equifax and/or TransUnion “officially acknowledge” that:
a) your current freeze exists, and is it in place (did it show this to you, it didn’t for me), and;
b) from this point forward the existing freeze will be managed via your new online account?
Does the online system even know if you/we have a current freeze with a PIN in place??? All’s it knows is asking if you want to place a “new” freeze on your account, not whether there is an existing one in place. THIS IS KEY. And it is an assumption that we should not trust them to make. Thus, this is the scary thing going on right now……both Equifax and TranUnion cannot answer this question at the moment, and actually outright are refusing to answer the question other than saying your current “credit freeze & PIN is still good “via the telephone”. THAT is NOT what we are asking.
Until further clarification, nothing can be assumed on the part of Equifax and/or TransUnion at this moment. This is, to me, the terrifying part of what is going on with this online-account creation push from Equifax and TransUnion.
Personally speaking, and please understand I am just hypothesizing here using my 25+ years of being involved in the Linux industry, this behavior from Equifax & TransUnion tells me three things:
1) their internal server systems, that hold the the deluge of credit freezes & PINs put into place since the breach, had/has gotten out of control and they do not have a handle on it speaking in terms of the databases created via the telephone system over the past few years;
2) the internal integration of those databses systems into the overall company intranet is also questionable since nearly all of the security freezes & PINs were enabled via telephone systems & the software associated with that (which is vastly different, and usually horribly outdated, when compared to a company’s external-to-internal web facing systems), and;
3) the “integrity” (knowing what and who belongs together) of those internal servers holding the current existing freezes and PINS is also questionable.
One and/or all of the above are the only reasons/excuses I personally can think of for the inability of both Equifax and TransUnion to not be requiring that “existing” credit freeze PIN numbers be given while going through the new online-account creation process.
Let’s hope Brian finds some more out with his industry contacts.
Re. your questions/confusion about the use of the existing PIN associated with the freeze put in place last year or earlier, I just spent a tortured 45 min on the phone with various Eq reps, none of which could fully answer my questions about the use of that existing PIN, or the purpose/use of the new PIN (delivered by pdf — see screenshot already posted above https://i.postimg.cc/CK4mhtFK/Equifax-Action.jpg), and under what circumstances that new PIN is created. Won’t go into the weeds with this, but finally gave up after speaking with the third or fourth rep, who only created more confusion.
Have created the account, with very long password, which will I hope deter any criminal actors. No need at present to lift the freeze and will find out just what actually happens with those PINs at some point if and when a remove is needed.
Very sick and tired of the whole business. Won’t bother with TransUnion, at least for now.
Fantastic info shared here, and gives me a huge heads-up on how busy I will be today. Not hearing this anywhere else, I thank you Brian, and W43 and Belli. We have everything frozen everywhere, and earlier this year had no issues doing short term unfreezes with PINs, for all 3 files, but obviously things have changed and I wasn’t going to find out unless/until we would be rudely surprised by more abuse….again, thank you.
I can say last week that I was able to visit both Transunion and Equifax Freeze/Unfreeze Webpages and filling in their forms and using the PIN I was able to unfreeze my credit and set a timeframe before they go back into a ‘Freeze’ state. Now with that said if these two organizations merge who know what it will take to go though their NEW Process to get this done again??? TBD.
I feel like since Everyone is now Freezing their credit and hurting these companies bottom lines they are trying to find a way to unfreeze our files by making changes that will allow them to do so. And with little notification.
@ Belli, re. your earlier post about how TransUnion is also affected, after searching fairly exhaustively, not seeing how one can manage a security freeze with TransUnion online without having the initial pin from when the freeze was first placed. Everything I come up with suggests that the initial pin is required to unfreeze or pause. Perhaps a link?
I tried posting yesterday (nearly 24 hours ago) asking you a question about your interaction with the Equifax website, but for some reason Mr. Krebs has not posted it and/or blocked it.
Guess I did something wrong, I think perhaps it was the “hypothesizing” why Equifax/TransUnion are in a rush to do this.
The link I have is just this:
Then I spoke to TransUnion directly and was told (twice) that I do not need to provide my existing PIN number to create an online account (was told same thing at Equifax). I told TransUnion I am very reluctant to create an account with them (ironically, out of all the big credit agencies) because of their policies regarding using that account to try and cross-sell me things and also, if I read the fine print correctly, given them permission to have other credit industry players advertise to me (using that online account).
I hope I read it wrong…..
Also still wondering if I did something wrong in my post to you yesterday that wasn’t posted here. I work in the Linux industry, for nearly 30 years now, and maybe (like aforementioned) I should have kept my thoughts to myself about Equifax/TransUnion’s push to get people to create online accounts. If so, Brian, please accept my apology.
I didn’t block it; I scarcely have time for that. It was auto-moderated. It’s now approved.
Re. my reply yesterday 11/6, in older comments, just to add, I signed up last year for TustedID (rather pointless and lame, especially since, with the freeze in place, I only see “one bureau credit report” with outdated report still from 9/12/17, from when I placed the freeze), where I can see the following, which confirms that my security freeze is still in place:
“Your Equifax® credit report is currently
Your Equifax file is frozen under state freeze law or the Equifax voluntary security freeze program.”
Based on that I would assume that any freezes put in place earlier are still in effect.
Thanks for replying. I didn’t signup for the TrustedID and/or anything else from Equifax, ever. But I’ve had a credit freeze in place with them for more than 2 years now (going on 3 now that I think about it).
What shocked me about setting up a new online account with Equifax was not only did they never ask me about my current, existing credit freeze (for verification in setting up the online account), nowhere in the newly created account was it clear that my current, existing freeze was in place.
Talking to them by phone is even worse. It seems the phone reps no little of the ins and outs of this new online-account push.
So I was and am a bit flummoxed…. ;-/ I guess at least if we have our accounts created, no one else can create one in our names.
But this whole affair has left me uneasy with Equifax and TransUnion….even more uneasy than when the breach occurred.
Not very sure after all whether the cure (user created accounts at EQ and TU–hardly know how truly secure they are) is any better than the disease (door left wide open for no-PIN accounts for criminals to create with stolen credentials, then remove freeze.)
It’s wrong that I have to opt out of Equifax
a) signing up for a new product/company,
b) sharing my personal data
I did not give them permission to do either
I have no rating, I live within my means.
My first interaction with their site, it told me my password was too long. Very reassuring they require weak security.
I recently had this issue with my bank as well. They also don’t have 2fa on their web login.
The fact that Equifax has faced no repercussions over leaking an insane amount of customer data still quite literally… hurts my brain.
I decided to opt out; the only thing the service ever did for me was generate masses of junk mail when I applied for credit.
Thanks to all for your comments/insight and to Brian for this article. Unfortunately, I missed the 14 day window to disallow Equifax from sending my account information to Experian. After reading many of the comments (I admit, I didn’t read all of them), I do not want the Experian IDnotify product and will freeze/lock my 3 credit reports per Brian’s September 21, 2018 article on that topic. Since I missed the 14 day “opt out” period, my assumption is that Experian still requires my approval for using their IDnotify product. Can anybody shed a light on this or provide a link that details steps to take to not accept the Experian IDnotify product if you missed the 14 day opt out period. Perhaps it is as simple asot confirming my information that Experian sends to me. If this information was already provided in a previous comment, my sincerest apologies…..I had to skim the comments due to some family health issues that is consuming my time. Thanks again folks.
They caused the problem, why are they making me switch, seems like a good way for them to slowly slip away from liability. Jerks!
I has happy with the service from TrustedID and felt it offered my protection. I was able to easily lock and unlock my credit and it protected my from at least 3 or 4 times that someone attempted to open an account in my name.
So now I am looking into the IDnotify company.
If you check the WHOIS info on IDnotify, it says:
Registrant Country: RU
So, a company in Russia is going to be watching my credit?