Over the years, we’ve repeatedly criticized US credit bureaus, which maintain detailed financial records of nearly every adult American – well over 200 million people.
Credit reports are gold mines of information about you. Your credit report contains your Social Security number, birth date, current and previous addresses, telephone number, credit payment status, and employment details. It also lists judgments, state and federal tax liens, repossessions, bankruptcies, lawsuits, and criminal convictions, all available at the click of a mouse.
You have limited rights over the use of this data because you don’t own it – credit bureau giants like Equifax, Experian, and Trans Union do. And they have an extremely relaxed attitude toward the misuse of this data. As security expert Bruce Schneier puts it:
The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?
Schneier wrote these words in 2017, shortly after Equifax suffered a massive data breach, in which hackers stole more than 150 million credit records. The attack occurred because Equifax failed to patch a software vulnerability it had known about months before the breach occurred.
Since 2007, we’ve suggested that our clients place a security freeze on their credit report to defend themselves from the depraved indifference companies like Equifax have to the security of their credit data. Current instructions on doing so are at this link.
A security freeze limits access to your credit report to only those companies that already have you as a customer. Even if someone manages to find your Social Security number, date of birth, etc., with a security freeze in effect, they’ll find it almost impossible to borrow money in your name.
But hackers have figured out how to undo security freezes. Last October, we reported on how by using Experian’s automated “forgot email/username” feature, hackers were able to reverse security freezes. And in February, we described how hackers could trick Experian into granting access to anyone’s credit report.
Thanks to a law enacted in 1970 called the Fair Credit Reporting Act, “consumer reporting agencies” (CRAs) like Equifax can sell or share data in your credit report only for specific purposes; e.g., if you’re applying for a loan. The law also requires CRAs to take reasonable measures to maintain accurate data in credit reports and gives consumers the right to dispute errors. Amendments to the law require CRAs to allow consumers to inspect their own credit reports at least annually.
But the FCRA has quite a few loopholes. One of the most significant loopholes relates to the sale of “credit header data.” This information, which appears at the top, or header, of a credit report, generally includes your name, date of birth, current and prior addresses, Social Security number, and telephone number.
Since the header doesn’t contain details on who you’ve borrowed money from or your payment history, credit bureaus and data brokers don’t treat it as a credit report subject to the FCRA’s restrictions. But it still contains enough information for someone to use the data to steal your identity – or publish those details online in a doxing attack.
Instead, credit header data is subject to a law with much looser restrictions on how it’s shared: the Gramm-Leach-Bliley Act (GLBA). The data can be sold to anyone “holding a legal or beneficial interest relating to the consumer” or to “prevent fraud.” In many cases, the data is then resold to private investigators or even to intelligence agencies, as we described in this article.
It’s clear that credit bureaus have lost control over the credit header data they sell. In August, a report from 404 Media, which focuses on technology issues, revealed that criminals have access to this data and sell it on the dark web for as little as $15 per record.
The communities where this tool is advertised include chat rooms focused on swatting, where criminals place bogus calls that result in a heavily armed police response to a specific location; SIM swapping, in which hackers take over a victim’s phone number to then receive login codes and break into their online accounts; and physical violence, where criminals hire one another to rob, shoot, or assault their enemies and vandalize the target’s home.
Since credit header data isn’t subject to the same restrictions as a full credit report, there’s almost nothing you can do to prevent it from being disclosed. Even a security freeze won’t keep it off the dark web.
There are proposals to make header data subject to the stricter provisions of the FCRA. For instance, the Consumer Financial Protection Bureau (CFPB) is considering a rule that would restrict the ability of credit bureaus to disclose contact information for certain categories of people, such as domestic violence survivors.
We don’t think the CFPB has the authority to do this, because the GLBA specifically permits the sale of data that is already in the “public domain,” such as your name, address, and birth date. Credit bureaus and data brokers will surely contest any effort the CFPB makes along these lines in court.
There’s also a challenge to CFPB’s funding mechanism before the Supreme Court. Unlike most federal agencies, the CFPB is funded through the Federal Reserve System. Last November, a federal appeals court concluded that this type of funding was unconstitutional. If the Supreme Court agrees, every regulation the agency has ever issued might be considered invalid.
Of course, Congress could always amend the law to curtail credit header abuse. This isn’t likely, because the banking industry and other groups with heavyweight lobbyists in Washington, D.C. oppose any significant restrictions on the use of this data. They claim any such restrictions would “harm consumers,” “facilitate fraud, identity theft, and other crimes,” and “thwart know your customer efforts” that are required under federal anti-money-laundering rules.
The only long-term solution to this debacle is to adopt a suggestion we’ve made many times: to recognize that every individual has an ownership right to their own data, including data held by credit bureaus, data aggregators, and the government. We recognize that the companies profiting from unfettered surveillance capitalism are unlikely to favor this model. But at the same time, we need more control over the electronic versions of our lives. Giving individuals ownership rights to their own personal information establishes a framework from which to take back control.