By now you’ve probably heard that Equifax (NYSE:EFX), one of the three major consumer credit reporting agencies, has suffered a major data breach. If initial reports are correct, around 143 million Americans’ data was compromised.
That is about 44 percent of the country. But census numbers include people with no credit reports, like young children. If you are an adult who uses the banking system, there is a better-than-even chance your data was exposed in the breach.
While other hacks have been larger in number of users affected, this was the real nightmare scenario everyone was waiting for. The Equifax breach included all the information necessary to select a target for identity theft (that is, someone who has a history of qualifying for big credit lines, indicating substantial resources), plus account numbers, plus Social Security numbers, plus subsidiary information, such as driver’s license numbers and dates of birth – all in one place, and reportedly reachable through a single, simple software vulnerability.
“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told The New York Times.
I went to the much-criticized Equifax site created to help consumers determine whether their data had been compromised. I wasn’t at all surprised that both my information and my wife’s likely had been. Most American adults who have been involved in the credit system probably had their personal data exposed to some degree, in ways that are bound to cause long-term inconvenience or worse. The site instructed me to go back this week to enroll in Equifax’ TrustedID program. As a Florida resident, however, I have been a little busy dealing with a different disaster.
There is no turning back from this hack; no account number changes, no credit monitoring will fix things. Even given the commerce-friendly attitude of the Trump administration, when the nation can turn its attention back to ordinary business, I expect we will see big changes in the credit reporting industry soon. Equifax has proved that not only can the industry not be trusted to maintain accurate data (which is why we have a Fair Credit Reporting Act), it cannot be relied upon to keep the data it collects secure.
Nor did Equifax help its public image by sitting on the leak for six weeks, a period during which several of its executives reportedly unloaded significant chunks of company stock. But this problem extends beyond Equifax’s bad handling of the breach.
Consumers face the added aggravation of knowing there was nothing they could have done to protect themselves in advance, and they cannot know for sure now whether they have been affected. After all, you and I are not Equifax’s customers; we are their product. Equifax monitors individuals’ credit automatically, leaving the responsibility with individuals to check the report once annually for free or to pay for more up-to-date monitoring of the information they did not ask Equifax to store in the first place.
While Equifax is now offering one year of credit monitoring free to anyone who signs up, the compromised information could cause headaches years or decades down the road, since most people’s Social Security numbers never change. Smart crooks won’t use the information now, while the public is on high alert. They will wait until the headlines have moved on and the free monitoring runs out.
There are a few steps individuals can take to protect themselves, at least partially. Placing fraud alerts on file with all three of the major credit agencies could make it harder for thieves to take advantage of stolen information. A credit freeze is even more effective. Equifax is offering the service for free, though only for a limited time and only after customer outcry at initially continuing to charge for it; you will have to pay for a freeze with the other two credit reporting agencies. (I suspect Equifax will eventually be forced to reimburse many such expenses, but that is just a guess.) You may currently run into technical problems at all three, considering they have been swamped with requests. You will also need to “thaw” your credit any time you want to open a new line of credit or allow a legitimate entity to review your credit history. Even this solution won’t protect you from, say, someone using your Social Security number to file a fraudulent tax return.
Eventually, we will have to move away from using Social Security numbers as an identifying measure and metric. It was never a good idea, and it is no longer necessary in a world where any decent smartphone can read a fingerprint.
Once upon a time, commercial banks offered “signature guarantees” to customers, which proved to the satisfaction of financial firms that the person opening an account or applying for a loan was known to someone in that industry and was who they said they were. To open a mutual fund account you might have needed such a guarantee; a notary public wasn’t good enough. That system has mostly died out, although I was asked to get a signature guarantee as recently as a year or two ago.
I can envision a replacement system evolving, where financial institutions or other businesses – maybe Google or Amazon, or maybe a brick-and-mortar retailer like Walmart or Home Depot – maintain a network of fingerprint or iris scanners that is accessible to the public. Someone else, perhaps the government at the state or federal level, would maintain a database that matched the physical data with an identity used for driver’s licenses or passports. We’ll be scanned when we go to the airport, and we’ll be scanned when we apply for credit. Maybe we can scan ourselves with our own devices if there is enough authentication involved.
This is only one scenario. But something has to change, which means something will change. The Equifax incident is probably the death knell for identification based on Social Security numbers plus some other piece of hackable data. When it comes to big transactions, and maybe not so big ones, I suspect we’ll have to present ourselves somehow to prove that we are who we say we are.