The breach appears to have occurred months ago, but Equifax only learned about it July 29 and still waited more than a month to publicly disclose the incident. In the meantime, the company was creating a website, www.equifaxsecurity2017.com, which allows consumers to check and see if their personal information could have been impacted by the breach, according to the Washington Post. Regardless of whether a consumer was one of the 143 million people affected or not, they can opt to enroll in a free credit monitoring service through TrustedID Premier.
The process sounds simple, but it isn’t, and consumer groups warn that red flag issues should make consumers proceed with caution.
First, after a consumer verifies whether their information was potentially impacted, they have the option to click “Enroll.” An auto-generated message gives them a date in the future to return to the site and complete the enrollment. So, while their data was compromised months ago, and they have waited to even learn of the breach, they still must wait days to activate the monitoring.
Parsing through the fine print, consumers will note they agree to mandatory arbitration if they opt to use the service. The terms of service appeared to have changed Friday, CBS News noted, and it may be possible to opt out of arbitration. Even so, the responsibility to opt out will be on customers.
Arbitration clauses, or “rip-off clauses” as consumer rights activists call them, forced on consumers involved in financial transactions may soon be a thing of the past thanks to the Consumer Financial Protection Bureau (CFPB). The CFPB announced rules in July that will block companies “that extend credit or collect debt” from “contractually obligating customers to binding arbitration agreements,” CBS News reported.
Richard Cordray, who heads the CFPB, discussed the new rule in a New York Times commentary saying, “Not only do group lawsuits help consumers recover money they otherwise would forfeit, but they also protect many more consumers by halting and deterring harmful behavior.”
Finally, a cyber-security blog, Krebs on Security, noted that the new website had been reported as a possible phishing attack – potentially subjecting consumers to even further damage. Krebs on Security has previously recommended consumers consider alternative measures to protect themselves from cyber crime, including:
- Place a fraud alert, or security alert, on your credit file, which lasts for 90 days. The law allows them to be renewed as often as the consumer wishes. A longer-term alert can last up to seven years with proper documentation showing fraud has been committed against a person or is likely to be committed against them. Potential creditors are supposed to contact a consumer and obtain permission before opening new lines of credit in their name if they have a fraud alert in place. A consumer only needs to file a fraud alert with one of the major credit bureaus (Equifax, Experian, or Trans Union). They are required by law to alert the other two bureaus.
- Place a security freeze, which locks access to a credit file against anyone trying to open a new account or acquire a line of credit in someone’s name. A credit freeze may be less frustrating than a fraud alert if a consumer needs to apply for credit. A freeze can be lifted temporarily by the consumer if they are applying for credit.
- Monitor your own credit. Consumers can obtain one free credit report from all three major credit bureaus each year. A free copy is available at www.annualcreditreport.com, or call 877-322-8228 to obtain the free report.
- Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft.
New York Times
Krebs on Security