Tag Archives: Equifax Hacking

As of Sep 21, “Credit Freezes” & “Unfreezes” Will Be Free for All Americans

After the uproar about the Equifax hack, Congress did do something. And credit freezes are now a lot easier to place and lift.

https://www.zerohedge.com/sites/default/files/inline-images/2018.09.19crypto.JPG?itok=_S6Px10L

Starting September 21, 2018, placing or lifting a “credit freeze” – aka “security freeze” – will be free for all Americans in all states. In response to the Equifax-hack uproar and the grassroots movement it triggered, after the personal data of nearly half of all adult Americans had been stolen, Congress passed a bill in May that contained a provision about credit freezes.

It requires that all three major consumer credit bureaus – Equifax, Experian, and TransUnion – make credit freezes and unfreezes available for free in all states. Under most existing state laws, credit bureaus were able to charge a fee for placing and lifting a credit freeze. This could add up: for an effective credit freeze, you need to freeze your accounts at all three major credit bureaus, and pay each of them – and then pay each of them again to unfreeze those accounts if you want to apply for a credit card or loan.

The new law also requires credit bureaus to fulfill consumer requests for a credit freeze within one business day if made online or by phone, and within three business days if made by snail-mail.

Why is this important?

Credit bureaus collect personal and financial data on just about all adult Americans, whether they know it or not. These dossiers are extensive. They include the Social Security number, date of birth, address history, credit-card history, loan history, bank relationships, payments history, etc.

These dossiers are used to build a “credit report.” This is an extensive file (not just a credit score) that shows in detail your entire credit history – such as mortgages, other loans, credit cards, late payments, etc. These reports are sold – you’re the product – to third parties, such as lenders, credit-card promoters, and others.

Credit bureaus hate credit freezes because they cut into their revenues. But years ago, state laws forced them to make credit freezes available, though credit bureaus could make the process of freezing and unfreezing the account cumbersome, time-consuming, and costly. Now, under the new federal law, it’s easier and free.

When you put a credit freeze on your account with the three credit bureaus, they can no longer release this report to third parties, and it becomes impossible to open a credit-card account or bank account in your name – impossible for you as well as identity thieves.

After you place credit freezes on your accounts and then want to open a new loan account or open an account with the Social Security administration (yes!), you need to first lift the credit freezes.

All this has now become a lot easier, faster, and as of September 21, free.

Identity theft is hitting Equifax-hack victims

During the Equifax hack that was first disclosed a year ago, the personal data, including birth dates and Social Security numbers, of over 148 million Americans (according to the latest Equifax estimates) were stolen. These were the crown jewels for identity thieves.

Since then, 21% of the victims have seen “unusual” activity on their accounts, according to a survey by the Identity Theft Resource Center. Of these victims:

  • 24% had a new credit-card account opened in their name
  • 34% experienced changes to an existing credit card
  • 23% had other accounts opened in their name, including loans, debit cards, bank accounts, and cable, internet, or utility accounts.
  • 10% had some sort of medical identity issue, including receiving a medical bill or collection notice for services they never received, learning that medical records were compromised, or discovering another person’s information on their medical records.
  • 4% had either state or federal taxes filed fraudulently in their name to collect a refund.
  • Other issues included email flagged as being on the dark web.

A credit freeze at the three major credit bureaus cannot prevent all forms of identity theft and fraud, but it’s the single biggest and most effective defense mechanism consumers in the US can deploy.

Since I first started reporting on the Equifax hack last September, I included the links to the credit-freeze pages at the credit bureaus. The credit bureaus have changed those links several times, perhaps to make it more confusing. Here are the updated and functional new links to the pages of the three major credit bureaus where you can request or lift a credit freeze (aka security freeze):

Wolf Richter initiated a security freeze with the major credit bureaus in 2010 after the University of Texas at Austin, where he’d gotten his MBA years earlier, notified him that all his data, including Social Security number, had been stolen. It was the Wild West of credit freezes. It was cumbersome, took weeks, and had to be done by a combination of fax, mail, and phone that involved a lot of road blocks they put in his way. But it was a great decision.

As a positive side-effect, it stopped most of the “pre-approved” cash-advance and credit-card promos that showed up in the mail – an identity theft risk if they fall into the wrong hands – since credit bureaus could no longer sell my data to promoters.

Making credit freezes & unfreezes available to all Americans for free in a quick and convenient manner is one of the best little things Congress has done for US consumers, and was long overdue. 

Source: by Wolf Richter | Wolf Street

IRS Awards Multimillion-Dollar (no bid) Fraud-Prevention Contract to Equifax

Say what?

https://static.politico.com/dims4/default/0f31fd5/2147483647/resize/1160x/quality/90/?url=http%3A%2F%2Fstatic.politico.com%2Fba%2Fc8%2F6fca25494fee975f4f414529aaf5%2F171003-equifax-getty-1160.jpg
Former Equifax CEO Richard Smith, who stepped down after the breach, endured a bipartisan shaming Tuesday at a hearing of a House Energy and Commerce subcommittee. | Chip Somodevilla/Getty Images

The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.

The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

Lawmakers on both sides of the aisle blasted the IRS decision.

“In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed,” Senate Finance Chairman Orrin Hatch (R-Utah) told POLITICO in a statement.

The committee’s ranking member, Sen. Ron Wyden (D-Ore.), piled on: “The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”

The IRS defended its decision in a statement, saying that Equifax told the agency that none of its data was involved in the breach and that Equifax already provides similar services to the IRS under a previous contract.

“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement reads. “At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”

Equifax did not respond to requests for comment.

Equifax disclosed a cybersecurity breach in September that potentially compromised the personal information, including Social Security numbers, of more than 145 million Americans — data that security experts have described as the crown jewels for identity thieves. The company is one of three major credit reporting bureaus whose data determine whether consumers qualify for mortgages, auto loans, credit cards and other financial commitments.

The company has subsequently taken criticism for issuing confusing instructions to consumers, which contained language that appeared aimed at limiting customers’ ability to sue, as well as tweeting out a link to a fake website instead of its own security site. The Justice Department later opened a criminal investigation into three Equifax executives who sold almost $1.8 million of their company stock before the breach was publicly disclosed, Bloomberg has reported.

Former Equifax CEO Richard Smith, who stepped down after the breach, endured a bipartisan shaming Tuesday at a hearing of a House Energy and Commerce subcommittee. The full committee’s Republican chairman, Greg Walden of Oregon, proclaimed: “It’s like the guards at Fort Knox forgot to lock the doors.”

Reps. Suzan DelBene (D-Wash.) and Earl Blumenauer (D-Ore.) separately penned letters to IRS Commissioner John Koskinen demanding he explain the agency’s rationale for awarding the contract to Equifax and provide information on any alternatives the agency considered.

“I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true,” Blumenauer wrote.

The IRS, which has suffered its own embarrassing data breaches as well as a tidal wave of tax-identity fraud, has taken steps to improve its outdated information technology with the help of $106.4 million that Congress earmarked for cyber security upgrades and identity theft prevention efforts.

Hatch questioned the agency’s security systems in a letter to Koskinen last month. Hatch said he was concerned that the IRS lacked the technology necessary “to safeguard the integrity of our tax administration system.”

Equifax Hackers Demand $2.6 Million Ransom In Bitcoin

“We’re Just Trying To Feed Our Families”

Two days after credit-monitoring company Equifax revealed that, because of its staggering negligence, hackers had managed to penetrate the company’s meager cyber security defenses and abscond with up to 143 million social security numbers and a trove of other personal data – including names, addresses, driver’s license data, birth dates and credit-card numbers – the cyberthieves responsible are threatening to sell the data to the highest bidders unless they receive a ransom payment of 600 bitcoin – worth about $2.6 million, according to CoinTelegraph.

In the ransom note, which was published on the dark web, the hackers said they were just two regular people trying to get by – and that, while they don’t want to hurt anybody, they need to monetize the information as soon as possible. They promised to delete the data as soon as the ransom was received.

“We are two people trying to solve our lives and those of our families.

We did not expect to get as much information as we did, nor do we want to affect any citizen.

But we need to monetize the information as soon as possible.”

The hackers have now made a ransom demand, stating on a Darkweb site that they will delete the data for a ransom payment of 600 BTC, worth approximately $2.6 million.

The demand said that if they do not receive the funds from Equifax by September 15th, they will publicize the data.

https://i0.wp.com/www.zerohedge.com/sites/default/files/images/user245717/imageroot/2017/08/19/2017.09.09equifax.JPG

Meanwhile, as we reported last night, two plaintiffs have filed a $70 billion class-action lawsuit against Equifax in a Portland, Ore. federal court – a case that has the potential the crush the company with a massive payout.

In the lawsuit, lawyers from Olsen Daines PC, who filed it on behalf of plaintiffs Mary McHill and Brook Reinhard, alleged that Equifax was negligent in failing to protect consumer data, and that the company chose to save money instead of spending on technical safeguards that could have stopped the attack.

Imagine how much angrier they would be if they found that instead of “saving” the money, the company used it instead to buy back its own stock (in this case from selling executives)?
the two plaintiffs in the case filed in Portland, Ore., federal court has every single merit to ultimately crush Equifax for what is nothing less than unprecedented carelessness in handling precious information.

Of course, in what will likely be remembered as a massively stupid public relations blunder, Equifax “neglected” to specify that an arbitration waiver included in an online portal allowing customers to check on the status of their information “does not apply to this cybersecurity incident.”

…We wonder, which incident does it apply to then?

Here’s the company’s full statement from the company, courtesy of the Washington Post:

Equifax issued a statement Friday evening. “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,” the company said.

Meanwhile, one reporter who was examining the company’s web portal pointed out what is either a hilarious glitch, or an ominous indication that the most troubling reveal is yet to come

https://pbs.twimg.com/ext_tw_video_thumb/906247597127499776/pu/img/UKdsqBdw9CL0zOPU.jpg

Source: ZeroHedge