Equifax

There's a lot going on with the Equifax breach. The company knew about it for 6 weeks before telling consumers, plus 3 executives (including the CFO) dumped their stocks 3 days after they learned of the breach.

The company is also trying to add fine print for anyone who agrees to get the offer of a free year of credit monitoring by rival Experian, that they have also just agreed not to sue Equifax. Yeah, that won't last 5 minutes in court, particularly given the magnitude of the breach, which is hitting some 143 million Americans plus some Brits and Canadians.

This is going to get ugly for a lot of people.

jespah-

Thank you.

I think everything in your Post is accurate.

But it is not responsive to my query.

I think the hacker (A) sells the data to another party(ies) (B) who uses it to assume people's identities and use those identities to fraudulently obtain money.

I think B needs to instruct a company to change its records of a customer's address, etc. If the company would send the notice to the customer's old address, it might stop the fraud.

Well, not necessarily.

Identity thieves do like to mail out change of address forms as that makes it take longer for their victims to notice the fraud being perpetrated on them. However, they don't always do this.

Part of the Equifax breach was credit card numbers for I believe it was about 200,000 individuals. The thieves don't need a change of address form for that.

As for having the companies follow up with every change of address notification, many companies will throw up their metaphorical hands and claim that's impractical. After all, Visa has how many million customers?

It might work for them to have a two step-process for verifying a change of address - perhaps a code given to the customer at the beginning, which he or she must give to the credit card company (or any other company) before filing a change.

A weak link in all of that is the post office. They're ground zero for address changes, but they've also got a paper-thin budget. They wouldn't have the manpower or the money to investigate every address change, so they rubber stamp them.

PS I realize my responses are long but I work in business credit and this is a HUGE story in the industry.

Well, what should we be doing niw?

1) Pull your credit reports or at least check your scores, which you can do with CreditKarma for free. Reports are for details, but scores will alert you to trends. If your score is normally 690 and it dips to 685, I wouldn't panic. But if it plummeted to 610 I would be pulling the reports to see what was going on.
2) Make sure the banks, etc. know your correct snail mail address. Change of address forms are often the first place identity thieves start, because that gives them more time to fleece you before you figure out what's going on. If you are getting services (oil, cable, etc.) or bank usage, but not the invoices and statements that go with them, that can be a sign that ID theft is starting.
3) If you have more than just a data breach but an actual ID theft, go to the IRS's website and fill out their identity theft form. This is because you'll need this form for step 4, but also because ID thieves might do otherwise legit work with your name and address on their W-2. With online work and Paypal, they can do this and no one's the wiser until you get the 1099 in the mail for that tax year. This protects you from being audited. The IRS will look at your returns more closely but it will be for ID theft patterns and not for the purposes of an audit.
4) Go to the cops and have them open a file. Take everything with you that's proof of ID theft (in my case - yes, I've done this - it was a 1099); they'll copy that stuff and make it a part of their file and they will give you a copy. In step 3, the IRS will give you access to their ID theft website. When you get the police report, copy that information (case number, etc.) into the online record. That site will also show give you tips on what you might want to do, like put a credit alert or a credit freeze (or both) on your file.
5) Consider a credit monitoring service. However, they are costly, and if you get CreditKarma and you can also read a credit report well enough to determine if it's wrong and/or if there are suspicious charges, then you might not need one.

Also - Equifax is trying to pull a fast one. They are offering one year of free credit monitoring from their competitor, Experian. Except the fine print says that if you accept that service, you are forever waiving your right to sue them about the breach.

This is highly unethical and it won't hold up in court. Judges hate covenants not to sue, and they interpret them extremely narrowly and nearly always strike them down. When they don't, it's because of (a) transparency and (b ) more or less equal bargaining positions between the parties. Neither of those factors are at play here, plus the consequences of this breach could be staggering and long-lasting, and the company's failure to even report the breach for 6 weeks seems like negligence on its face. So the courts will not look kindly upon that kind of nonsense.

This kind of breach (which is easily more than all of the adults in the US - the breach affects 143M people and the US only has 126M adults) can be used for fraud on a grand scale, including vote fraud. Talk to your local politicians about trying to set up some way of making sure the people who are voting are who they say they are.

jespah-

How about issuing a credit freeze order filed with each of the 3 credit reporting agencies?

You could if you want to. That won't fix other issues (like a W-2 in your name), but it would remove one issue.

I'd love for somebody to steal my infos, my credit is so terrible they won't get very far 😁

My credit number dropped from 745 to 620 in May 2016. I had moved in the previous March and a $2.35 Macy's late fee got lost in the mail. That's the only thing I could track it to until I found out my nephew used my address to purchase a car. He has bad credit anyway. My credit # has come back up to 729.

I logged in on their website and, sure enough, it says that my "personal information may have been impacted by this incident." So, I signed up for their free ID monitoring service.

I had been wondering how long it would be until the credit reporting services fell to the hackers.

Motherf'k.

A credit freeze is a good way to go. Here's what I know (and I have done, I might add):

Equifax (free):
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Experian (site kept crashing but I was able to take care of RP; I'll have to call to take care of my own account):
https://www.experian.com/freeze/center.html

TransUnion ($5 or free, depending on your state; you have to open a free account with them first):
https://www.transunion.com/credit-freeze/place-credit-freeze

Innovis (you must snail mail the document in):
https://www.innovis.com/assets/InnovisSecurityFreezeRequest-f77aade600faab215c64ce801278a260.pdf

A credit freeze means that every time someone (including you) wants to open up another credit account or get a loan, you need to use your PIN to temporarily unlock your account. Obviously, you don't unlock for thieves (duh!). Keep your PINs safe and secret, of course. You can take off the freeze permanently if you want to, and some of the services allow you to preemptively remove a freeze on a credit inquiry, which you might want to do if you're buying a car or the like and know which company will be making the inquiry.

All of these were fast but they are all overloaded right now by people doing this very thing, so be patient.

Thanks for the tip!

Did the first two (Equifax and Experian) and will be doing the Transunion right now. So far, no problems with getting the freeze. Took less than ten seconds to perform the first two ones.

What is Innovis? I never heard of that credit agency? Is it relatively new? A European credit agency? Something completely different?

PS: Really appreciate the link drop Jespah.

Can't get the freeze directly from Transunion because I can't remember my exact answer to my secret question to my old Transunion account.

Innovis is #4 in the US. I'm only suggesting them because that one is pretty easy.

I am currently on hold hell with Experian....

Just printed up the Innovis PDF all filled out. Stuck it into an envelope with the appropriate postage and mail it out from work.

Woot - Experian is understandably swamped - but they also charged me but didn't give me a freeze PIN.

PS their hold music sucks.

I just got off the phone by setting up a Credit Alert Warning for Transunion.

I gave up on Experian after the phone was answered (after about 35 minutes) and they dropped the call. I'll try again in the AM. I realize they're swamped and they have to soothe panicked people. But I don't love wasting all that time (I made and ate lunch while listening to their hold music).