Consumers Union Demands Equifax Make Affected Customers Whole

[tao]

The policy and mobilization arm of Consumer Reports is deeply concerned and outlines fixes the company must make

 

Consumers Union, the policy and mobilization arm of Consumer Reports, sent a letter to Equifax CEO Richard Smith on Thursday, expressing deep concern over the immediate and lasting effects for the 143 million consumers potentially compromised by the data breach the company announced last week.

 

In the letter, the consumer advocacy organization called Equifax’s response “wholly inadequate” and outlined seven steps it believes Equifax must take to remediate the situation, including paying for credit freezes, processing disputes promptly, and setting aside funds to compensate consumers. 

 

"Given the extraordinary nature of this breach and the threat posed to nearly half of all Americans, Equifax has a responsibility to offer consumers the best resources and tools to help them protect themselves," said Jessica Rich, vice president of Policy and Mobilization at Consumers Union.

 

Consumer Reports reached out to Equifax late afternoon for reaction to the demands and will update the story with any comments. 

 

The credit bureau today did provide some more details about the breach, saying on its website, "We know that criminals exploited a U.S. website application vulnerability," adding that it was working with law enforcement.

 

Equifax also said that customers affected by the breach who have signed up for free credit monitoring will not be subjected to a binding arbitration clause.

 

On Sept. 7, Equifax, one of the big three credit monitoring bureaus, announced that it had been aware—since July—that it was the victim of a massive hack affecting more than 100 million accounts.

 

According to Equifax, the information exposed included Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, Equifax said the credit card numbers of approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers, were accessed.

 

Equifax says it moved quickly to help people potentially impacted by the breach. The credit bureau says it took steps to stop the intrusion, engaging an independent cybersecurity firm to forensically investigate the breach. The cybersecurity firm Equifax hired will also determine the scope of the hack and provide recommendations to help prevent a similar incident in the future.

 

Equifax also established a dedicated website, www.equifaxsecurity2017.com, where it provides a tool for users to determine if their information may have been stolen. The company is also offering U.S. consumers an identity theft protection and credit file monitoring product called TrustedID Premier, free for one year. It includes credit monitoring of Equifax, Experian, and TransUnion credit reports; copies of a user's Equifax credit report; the ability to lock and unlock an Equifax credit report; and identity theft insurance. The company will also scan the internet for Social Security numbers. Users must enroll by November 21, 2017.

 

CU: What Equifax Should Do

1. Pay for credit freezes. “Consumers who wish to freeze their credit in response to Equifax’s announced breach still must pay to freeze their records with other major credit bureaus in order to make the freeze effective. We urge Equifax to pay any fees associated with credit freezes at other credit bureaus so that consumers can prevent their data from being improperly used in connection with other credit bureau records,” Consumers Union said.

 

2. Extend credit monitoring for affected consumers. Consumers Union points out that Equifax has offered affected consumers “only one year of credit monitoring and, following public outcry, a limited and narrow opportunity to obtain a free credit freeze.” Because risks to consumers due to this breach are not limited to one year, Consumers Union demands that "Equifax should extend credit monitoring indefinitely for all consumes potentially affected by the breach."

 

3. Provide more detailed information about the security incident. Consumers Union says the company provided “inadequate and unreliable information” about which consumers were victimized and what data was compromised, limiting consumers’ ability to take steps to protect themselves. "To prevent further harm to consumers seeking to protect themselves, Equifax must upgrade its tool to provide more detailed information about precisely what types of data were breached for each affected consumer," Consumers Union said.

 

4. Remove all mandatory arbitration clauses. Equifax has been criticized for forcing victims visiting its site to waive their right to sue the company. Equifax says that it has corrected this issue, but Consumers Union says the remedy is confusing and insufficient. “Equifax has repeatedly changed its story about whether and how the mandatory arbitration clause impacts consumers,” the letter said.

 

For example, after Equifax said its arbitration clause was moot, Consumers Union notes that another—broader—arbitration clause remained in effect. According to Consumers Union, Equifax is now saying that none of these clauses will apply to consumers harmed by the data breach or who sign up for credit monitoring services. However, the clauses remain in print and, Consumers Union says, “it’s unclear whether or how they could still be used to prevent consumers from having their day in court.”

 

5. Commit to hiring and training sufficient staff to review and process disputes promptly. “Given the enormity of the exposure, Equifax needs to be prepared for a deluge of problems and must have sufficient resources on hand to resolve these problems quickly and effectively,” Consumers Union said. “The company should not wait for these problems to pile up and then address a mounting backlog.”

 

6. Set aside a fund to compensate consumers whose data has been exposed. “Equifax has an obligation to American consumers to compensate them for the injury they may incur for years to come. Accordingly, Equifax should create a substantial and dedicated reserve account to compensate consumers affected by this breach,” Consumers Union wrote.

 

7. Investigate allegations of insider trading and hold wrongdoers accountable. “The company does not appear to have fully investigated—and certainly has not explained to the public—the sales of stock by three executives just prior to public announcement of the breach,” Consumers Union said. "The timing of these sales—a handful of days after the initial uncovering of a massive security incident—raises major red flags. However, Equifax’s initial reaction was disappointing and troubling: first, its press statement sought to minimize the scope of $2 million in sales as 'small.' Second, rather than stating an intention to investigate the issue, Equifax casually and summarily dismissed the allegation of trading on nonpublic information with no apparent inquiry at all—much less a rigorous one." 

 

Consumers Union says that Equifax should immediately act to preserve all documents and communications of the executives in question, and commit to an independent investigation of the possibility of insider trading.

 

What's Next

The letter concludes with an acknowledgment of the magnitude of the fast-moving situation, but stresses that “the consumers injured by this breach should be the company’s first and foremost priority, and Equifax should commit to their protection and to making them whole.”

 

The Equifax CEO is scheduled to testify before the House Energy and Commerce committee on October 3. That committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security.

 

On Thursday the FTC announced that it had launched an investigation into the Equifax breach.

 

"The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," Peter Kaplan, the FTC’s Acting Director of Public Affairs, told Consumer Reports in an email.

 

Also, Connecticut Attorney General George Jepsen has announced that his office has initiated a formal multi-state investigation into the breach.  

 

< Here >

 

 

[virge]

Latest Update:
Equifax, the credit reporting agency, said Friday, 9/15/16 that its chief information officer and chief security officer were retiring “effective immediately.” The announcement came one week after the company revealed that a cyberattack potentially compromised confidential information of 143 million Americans. On Friday, the company also provided further details about when it had discovered the breach and which part of its website had been targeted by hackers. But many details about the breach, who was behind it and the computer security defenses at Equifax are still unclear.

 

On Sept. 7, Equifax reported that hackers had exploited a vulnerability in its US website application to gain access to certain files from mid-May through July 2017.

 

Roughly 143 million US customers could be affected. 

The hackers accessed personal data, including Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. They also stole credit card numbers (at least) for approximately 209,000 US consumers, as well as dispute documents—used to dispute errors on credit reports—with personal identifying information for approximately 182,000 US consumers. Some UK and Canadian residents may have also had personal data compromised.
If you’re in the US, you were probably affected! 

 

If you are an American citizen or US resident and you have ever applied for credit, you could have been affected by the breach, according to the Identity Theft Resource Center. (After all, 143 million people represents 44% of the US population.) Says ITRC: “The breach may also impact minor children whose parents have submitted documentation to the CRAs for the purposes of checking on or protecting their credit information, even if a credit report or score was never established.”

 

Equifax knew about the hack more than a month before they reported it. 

You read that right. The company discovered the breach on July 29 and chose not to publicly disclose it until last week. Adding insult to injury, three Equifax executives sold nearly $2 million in company stock before the announcement. The company maintains that its executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

 

 

Summary - If you live in the US and are not checking your credit profile weekly, you are asking for trouble.  Your social security number and date of birth will never ever change. These hackers can open an account in your name now, 5 or 10 years from now and there is nothing you can do other than being pro-active. Most people have no idea what's on their credit report or never checked it, they are going to be in for a rude awakening.

 

The hack came about because Equifax failed to properly patch their servers with the latest fixes. Good old lazy admins.

[davmil]

They just handed us a lifelong problem like a disease.  Thanks.  If you have credit cards and loans, your name is on the list of 143M hacked.  Just check their website.  Then freeze all your reports and get prepared to pay for life for their fuckup.