By KEN SWEET
Equifax has been scrambling to explain itself since disclosing last week that it exposed vital data about 143 million Americans — effectively most of the U.S. adult population.
Equifax has come under fire from members of Congress, state attorneys general, and people who are getting conflicting answers about whether their information was stolen.
The company keeps track of the detailed financial affairs of all Americans in order to gauge how much of a risk they are for borrowing money. That means it and its competitors, TransUnion and Experian, are a detailed storehouse of some of the most personal and sensitive information of Americans' financial lives. And all of it could be used for identity theft.
The Equifax response
Equifax is trying again to clarify language about people's right to sue, and said Monday it has made other changes to address customer complaints.
The company is trying to staff up its call centers more in order to handle the increased customer service calls. It also now says people will get randomly generated PINs when they try to put a security freeze in place. People had complained about PINs being based on the time and date requests were made.
Equifax also acknowledged that its language particularly over the right to sue has been confusing at best, and said it was removing that language from their website. "Enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action," it said.
Some lawyers have already announced suits that they hope will be class-action cases.
Who has been affected?
Equifax initially discovered the hack July 29, but didn't publicly announce it until more than a month later. People trying to find out if they were affected have gotten some confusing or contradictory information. Consumers calling the number Equifax set up complained of jammed phone lines and uninformed representatives, and initial responses from the website gave inconsistent responses. Many got no response, just a notice that they could return later to register for identity protection. Equifax says it's fixed the issue of inconsistent responses, in which people could get one response on the computer and a different one when checking on the phone.
The site is www.equifaxsecurity2017.com and the number is 866-447-7559. Equifax also says it'll send a notice to all who had personally identifiable information stolen. Equifax is offering free credit monitoring for a year, which people can sign up for at the website.
But considering the size and scope of the breach, it's probably better just to assume you were part of it.
How to respond to the breach
Ultimately, the onus will probably be on consumers to try to protect themselves. People should do all the things they're probably already heard about:
— Closely monitor their own credit reports, which are available free once a year, and stagger them to see one every four months.
— Stay vigilant, possibly for a long time. Scammers who get ahold of the data could use it at any time — and with 143 million to choose from, they may be patient.
— Consider freezing your credit reports. That stops thieves from opening new credit cards or loans in your name, but it also prevents you from opening new accounts. So if you want to apply for something, you need to lift the freeze a few days beforehand.
John Hall, president of United Bank in Newnan, said, “Consumers can look on their statements to see if they don’t have charges.”
“We (United Bank) have a text-secure feature with our accounts. This is optional where you get a text when your debit and/or credit card has been used. It’s very cool and immediate.”
United Bank also sent a help guide to all of its customers with information on how to respond to the breach.
In a email statement, Kim Holder, director, UWG Center for Economic Education, said she was concerned that the breach occurred in May, was discovered at the end of July, and consumers were not notified until September.
“You cannot prevent a loss of personal information that already occurred,” Holder said.
“Now the big push should be staying aware of what is going on in your financial life and what steps you can take to be better protected next time around, because it will happen again at some point from some company somewhere. Nothing is foolproof.”
Holder said the breach, apparently, did not include unauthorized access to the credit (consumer/commercial) reporting database, so actual credit information may be safe, but personal information such as a Social Security number, an address, or date of birth may have been compromised.
“Many of the items that are breached are items that people often divulge unintentionally anyway,” Holder said. “An example is a personal home address that they ‘check-in’ via Facebook, or driver’s license numbers with the date of birth that they post a picture of when they get their license at 16.”
Holder said to keep calm, but be aware. Some steps to take include:
Check your existing account balances – checking, savings, credit cards, etc. Both the online account balances and actually review your paper statements.
Take the usual steps. Come up with good passwords, log out of websites, shop online safely (be careful where you shop), shred documents, use passcodes on your phone, don’t share financial info or simply ask “why,” and be choosy about who you give your info to such as zip codes and emails when checking out at retail locations.
Holder said she hopes to be able to teach information such as this and financial literacy in a new program she is developing called Dollars Making Sense, that promotes financial literacy.
Investigating the breach
A host of state and federal authorities as well as politicians have stepped in to investigate. Credit bureaus like Equifax are lightly regulated compared to other parts of the financial system. Expect more scrutiny from regulators over the credit bureaus.
The chairmen of at least two U.S. House committees say they want to hold hearings. Like the Wells Fargo sales scandal, the Equifax breach is causing bipartisan outrage and concern, but there has been no talk of any new laws to further regulate the industry. Several state attorneys general have also said they would investigate, which could result in fines at the state level.
Lastly, the Consumer Financial Protection Bureau, the nation's watchdog entity for financial issues, says it has the authority to investigate the data breach, and fine and sanction Equifax if warranted.
Company executives are also under scrutiny, after it was found that three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators. Equifax said the three executives "had no knowledge that an intrusion had occurred at the time they sold their shares."
Given the seriousness of the breach, there are worries about the long-term future of the company. The sole purpose of why Equifax and the other credit bureaus exist is to be a secure storehouse of crucial financial information. Equifax failed at that.
The stock has fallen more than 25 percent since Thursday and the company is meeting with investors this week in New York in hopes to contain the fallout.
Kandice Bell contributed to this story.