Longtime readers know we have a low opinion of credit bureaus, with Equifax scraping the bottom of the barrel in terms of their depraved indifference to computer security.
This is, after all, the company that in 2017 had virtually its entire database of consumer credit reports stolen by hackers – nearly 150 million in all.
The attack occurred because Equifax failed to patch a software vulnerability it had known about months before the breach occurred.
The company wound up paying a $575 million fine, but for a company as large as Equifax, a fine of that magnitude is only a small bump in the road.
And of course, Equifax isn’t the only credit bureau. Indeed, both Experian and TransUnion, the other two credit bureau giants, have serious deficiencies in how they protect your “confidential” credit records.
For that reason, ever since 2007, we’ve recommended to our readers that they place a “security freeze” on their credit records. That limits access to your credit report to companies that already have you as a customer.
If you have a security freeze in effect and a hacker succeeds in impersonating you, they’ll find it almost impossible to benefit financially from having your information.
But last October, we reported that hackers had succeeded in undoing security freezes on Experian. Apparently, they used Experian’s automated “forgot email/username” feature and convinced the company that they were the person they wanted to impersonate.
All the attackers needed to do was to answer a few questions drawn from public records that can often be easily guessed. They could then change your email address, password, and PIN, and lock you out of your own account.
Remarkably, this deeply flawed system persisted until late 2022. Then, the company experienced another serious security breach.
A security researcher learned on the dark web that hackers could trick Experian into granting access to anyone’s credit report. All that was needed was the name of the target, the target’s SSN, address, and date of birth. The hacker could then retrieve the credit report by editing the address in their browser’s URL bar during the verification process.
It took Experian nearly seven weeks to fix this problem. In the meantime, the same security researcher discovered a similar problem – but even worse – with TransUnion, the last of the “big 3” credit bureaus.
By using the “inspector” function in his browser, which allows anyone to view and edit a webpage’s source code, the researcher was able to retrieve anyone’s credit report on TransUnion with almost no security verification.
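Both failures described above share one root cause: the server let client-controlled input (a URL parameter, or page state editable in the browser inspector) decide whose report was returned. The following toy lookup service is an added example, not code from the article or from either bureau; it puts the broken pattern beside a hardened one that takes the report subject only from the server's own record of who was verified. All records, tokens and function names are constructed for illustration.

```python
import secrets

# Constructed sample store: report subject (SSN) -> credit report. Values are made up.
REPORTS = {
    "111-11-1111": {"name": "Alice Example", "score": 710},
    "222-22-2222": {"name": "Bob Example", "score": 655},
}

# Server-side session store: opaque token -> SSN that passed identity verification.
SESSIONS = {}

# Mismatches between the verified identity and the requested subject are the
# detection signal a defender wants; the hardened handler records them here.
TAMPER_LOG = []


def verify_identity(ssn, dob, address):
    """Stand-in for the bureau's verification step (the toy check only confirms
    the SSN is on file; dob/address are accepted but not inspected). On success
    the server records the verified identity in ITS OWN store and returns an
    opaque token, so later requests cannot redefine who was verified."""
    if ssn not in REPORTS:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = ssn
    return token


def vulnerable_get_report(token, ssn_in_url):
    """Broken pattern: checks that *some* verification happened, then trusts the
    subject identifier carried in the URL. Editing that parameter in the address
    bar returns another person's report."""
    if token not in SESSIONS:
        return None
    return REPORTS.get(ssn_in_url)


def hardened_get_report(token, ssn_in_url):
    """Fixed pattern: the report subject comes from the server-side session, never
    from the client. A URL parameter that disagrees with the verified identity is
    refused and logged, since a legitimate client has no reason to send one."""
    verified_ssn = SESSIONS.get(token)
    if verified_ssn is None:
        return None
    if ssn_in_url != verified_ssn:
        TAMPER_LOG.append({"token": token[:8], "verified": verified_ssn, "requested": ssn_in_url})
        return None
    return REPORTS[verified_ssn]
```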
It’s fair to say that all three credit bureaus suck. But now we have a reason to hate Equifax the most. Because, in effect, they’ve become (in the words of anti-monopolist Matt Stoller), “a private IRS.”
It’s not well known, but credit bureaus don’t just sell your credit files to third parties. Indeed, Equifax has a virtual monopoly on a line of business called The Work Number. This product is advertised as providing landlords, lenders, and employers “differentiated and proprietary data that can give you a more holistic view of applicants.”
Or as Stoller puts it:
Equifax is sort of a tax information agency, which sells information about our salary and income to third parties.
But it’s much more than that. Equifax also maintains:
…data on pay for every payroll cycle, your overtime amount, the start and end date for your job, your title, your health care provider, whether you have dental insurance, and if you’ve ever filed an unemployment claim.
You might wonder how Equifax gets all this information. It turns out the company has a symbiotic relationship with hundreds of thousands of employers nationwide. If an employer is willing to turn over data on its employees to Equifax, the credit giant will assume responsibility for answering questions about their work history from other companies. The Human Resources department saves time and aggravation, and Equifax gets to build a lucrative line of business. And it effectively has a monopoly in this space. So much so that the company boasts about it.
Last December Equifax CEO Mark Begor gave a presentation at a Goldman Sachs investment conference, where he said:
We have meaningful pricing power … only Equifax has that income and employment data.
CEOs don’t ordinarily go around bragging about having a monopoly. It’s the sort of thing that could get a company into hot water with the Federal Trade Commission (FTC), which enforces federal antitrust laws.
But Begor appears not to be worried about the FTC. And he has good reason not to be worried about federal regulators. Quite the opposite, in fact.
Indeed, only a few months after Equifax suffered its catastrophic 2017 hack, Congress overturned a proposed regulation by the Consumer Financial Protection Bureau (CFPB) that would have banned mandatory arbitration provisions for many financial institutions, such as banks and credit bureaus.
The intent of the CFPB proposal was to help consumers who had been injured by wrongdoing at financial giants like Equifax. But Congress, which is bought and paid for by financial giants like Equifax, didn’t approve. Consumers can still sue credit bureaus individually. But they’re barred from banding together to file class-action lawsuits against these financial institutions.
But frankly, most people don’t bother suing, no matter how good a case they have. And in practice, it’s hard to recover damages unless you can prove you experienced a financial loss.
And if Equifax wants to sell information about your salary and whether you’ve ever filed an unemployment claim, there’s absolutely nothing you can do about it. All that you – or any other American whose data resides at Equifax – can do is to fume about it.
In the meantime, we suggest that you maintain a credit freeze at the Big 3 credit bureaus. A credit freeze won’t stop Equifax from selling data about you in its Work Number business. But it will hopefully stop hackers from stealing your identity the next time they penetrate the ludicrously insecure online platforms these credit giants maintain.
Follow these links to get started: