Imagine, for a moment, that you’re the president of a bank. A very big bank. A bank entrusted with guarding the precious valuables of millions of customers.
One day law enforcement warns you that your alarm system has a glitch that needs to be fixed. You pass the message on to members of your security team, who assure you that they’re on top of the problem. But a few months later, you get some distressing news. For at least the past ten weeks, a back door to the bank has been left unlocked every night, and the vault has been wide open, the alarm systems useless. No one’s sure how much has been stolen yet, but it appears this astonishing carelessness may have jeopardized the financial welfare of roughly half the U.S. adult population.
The scenario sounds absurd, but it’s actually similar to what happened last year at Equifax Inc., the consumer credit reporting agency. From mid-May until July 29, 2017, hackers managed to exploit vulnerabilities in the company’s online security in order to steal, not cash, but the personal data of approximately 148 million people. The sensitive information that was compromised includes names, addresses, birthdays, Social Security numbers, some driver’s license numbers, and, in the case of about 200,000 customers, credit card numbers as well. The caper is one of the largest data breaches in history — and potentially one of the most damaging because of the nature of the data that was obtained.
Last spring the U.S. Department of Homeland Security advised Equifax that it urgently needed to patch a software application on its website that could be used as a point of entry by hackers. The company apparently took measures but was unaware that the problem persisted for months — until the hack was discovered in late July. The breach wasn’t publicly disclosed until September, amid much anger and confusion from consumers and harsh criticism of Equifax by lawmakers.
Half a year later, the impact of the breach is still being assessed. Except for the credit card numbers the hackers obtained, the main threat isn’t that someone is planning to hijack the existing credit accounts of Equifax customers. Instead, it’s the possibility that criminals will use the personal data, which is precisely the sort of information banks and other businesses use to verify your identity, to open new accounts, commit massive fraud — and wreck their victims’ credit in the process.
Such schemes have grown in frequency and sophistication in recent years. According to a new report from Javelin Strategy & Research, nearly 16.7 million consumers were subjected to identity theft in 2017, resulting in $16.8 billion in losses. The Equifax breach may have contributed to that total, but so did the ease with which fraudsters can break into email accounts and mobile phone info and open bogus accounts that don’t show up on many credit monitoring services, such as PayPal and Amazon accounts.
In the aftermath of the breach, Equifax set up a special website that consumers could visit to learn if their data had been stolen. But some victims were wary of the site, which required typing in six digits of a Social Security number; several traits of the site, which used a different domain name than Equifax’s main site, were criticized for resembling a phishing site, designed to extract more personal information.
Equifax also offered victims a year of free credit monitoring and to temporarily waive the fees it generally charged to “lock” or “freeze” credit files; a frozen account is an effective way of discouraging scammers from opening up new credit accounts in your name, as the financial institution that receives the application has no way to access your file. But even after foregoing the usual fees for such services, Equifax could end up collecting a windfall from its blunder. If, for example, some of those who accept the free credit monitoring decide to continue the service after a year out of fear of identity theft, that could mean millions in revenue for the company; Equifax also gets a cut from third-party identity protection services, such as Lifelock, that rely on Equifax monitoring, and it collects fees from government agencies that rely on the company for identity verification. All of which prompted Senator Elizabeth Warren of Massachusetts to complain that Equifax could potentially make “millions of dollars off its own screwup.”
In fact, Equifax recently reported that net income was up 20 percent in 2017 over the previous year. Even though the company claimed that breach-related expenses topped $100 million, the company still collected revenues of $3.4 billion last year.
Despite the outrage expressed by Warren and others, Congress has done next to nothing since the breach to toughen laws regarding data security or identity theft. That may be due largely to a lack of pressure from the American public. As reported by CNBC, a recent survey indicated that half of U.S. adults haven’t even bothered to check their credit report since the Equifax breach. Perhaps the blithely unconcerned haven’t heard about the breach, or they believe they are insulated from serious financial loss because credit card companies routinely take the hit from fraudulent accounts. But as anyone who’s been victimized by identity theft knows, the frustration and anxiety of trying to repair your credit and your reputation can be quite a liability on its own.
In the absence of legislative action or real reform in the data security business, there are steps you can take on your own to protect yourself from breaches and identity theft. You have a right to request a free credit report annually from each of the major credit monitoring agencies through AnnualCreditReport.com; reviewing your accounts periodically can help you catch any suspicious activity before it gets out of hand. Do consider a credit freeze, too. In some states, it’s free, and you can always temporarily unlock your credit file when it’s needed for a loan review or some other vital transaction.
Of course, you should also take the usual precautions against hackers and phishers on your home and office computers. Don’t use easy-to-crack passwords, and change them regularly. Don’t click on email attachments or links sent to you by people you don’t know (or from addresses that seem sort of familiar but really aren’t). Stay away from sketchy websites and use reliable virus and malware detection programs. It’s a scary world out there in cyberspace, as Equifax found out all too well, but a few basic precautions can make your data a lot safer.
If you have suffered damages as a result of data breaches, unfair business practices, or corporate misconduct, the class-action and consumer protection lawyers at FDAzar may be able to help. Speak with a member of our team today or contact us here. The consultation is free.