Protecting Ourselves From the Equifax Data Breach, and Data Brokers in General
7 min read
On September 7, news broke that Equifax's security failed and that 143 million people had their data accessed in a breach. While the breach was discovered in July, people affected by the breach were not notified until September. The information that was accessed included contact information, birth dates, Social Security numbers, and, in some cases, driver's license numbers, credit card numbers, and credit dispute information. As this piece is being written, it's not clear if we have been told the full range of personal information that was accessed.
Equifax is one of three large data brokers in the US that, in addition to making money by collecting and selling information about all of us, also issue credit reports that are considered authoritative. The other two companies are Transunion and Experian. While Equifax is getting the lion's share of attention at present, we need to remember that none of the credit verification companies have stellar records, and that any of them could have comparable sensitive information breached.
A short overview includes:
- Experian sold consumer data to an identity theft ring.
- Transunion and Equifax misled consumers about credit scores.
- This sales brochure from Experian's "Mosaic" offering provides a glimpse into how these companies sort people.
- Experian breached 15 million identities of T-Mobile clients.
Transunion, Equifax, and Experian provide a range of resources around credit verification and risk analysis for industries ranging from rental markets, insurance, and finance. This article from the New York Times gives an overview of the various services offered by data brokers, and Frank Pasquale's Black Box Society remains one of the most informative books on this topic.
Recently, these data brokers were part of the larger story of how the Trump campain used data - and Facebook ads - to suppress the vote in selected districts and spread misinformation.
Trump’s Project Alamo database was also fed vast quantities of external data, including voter registration records, gun ownership records, credit card purchase histories, and internet account identities. The Trump campaign purchased this data from certified Facebook marketing partners Experian PLC, Datalogix, Epsilon, and Acxiom Corporation. (Read here for instructions on how to remove your information from the databases of these consumer data brokers.)
In June, 2017, the Republican National Convention was informed that they had leaked voting data from 200 million Americans. Given that their data strategy incorporated data from Experian, it's possible that this earlier breach leaked a subset of the same data as the Equifax breach.
Of course, as a side note, we can't let Republicans have all the fun. In 2015, NationBuilder leaked voting details on 191 million Americans.
But What Can I Do About The Equifax Breach?
In response to the Equifax breach, there are some immediate things we can do, and a range of secondary things. None of these suggestions are revolutionary, and all of them are a smaller part of good personal data hygiene.
- Get credit monitoring in place. While Equifax, Transunion, and Experian all offer credit monitoring services, I do not recommend giving any of these companies money to perform this service. For example, LastPass - the password manager - offers credit monitoring as an add on service.
- Consider freezing your credit. If you are planning a major purchase where you will need credit (buying a car, getting a mortgage, etc), you will need to un-freeze your credit to allow transaction to happen, but freezing your credit will stop most attempts of credit fraud.
- Get a copy of your credit report, and review it for accuracy. The Consumer Finance Protection Bureau has good resources for this.
- File an Identity Theft Affidavit (pdf download) with the IRS. This can help prevent someone filing a false tax return in your name.
- Opt out of data brokers. Stop Data Mining has a good list. There are also services that do this for a fee, but before giving any information or money to a service research the privacy and business practices of the service.
Secondary responses include standard practices to protect our personal privacy and security.
- In the aftermath of a large breach, be wary of emails coming in "alerting" you to details regarding fraud. The days and weeks after a breach are fertile opportunities for phishing, so don't click on links or download files. Check links using the options outlined in this post.
- Change old passwords, and use a password manager to protect your passwords. This is good practice in general, but especially useful if you have any passwords that incorporate personal information as part of the password.
- Turn on two factor authentication. If you want to go full on, use something like a Yubikey. If you are just getting started, use other methods, with the most popular being a text message to your phone.
As part of a longer term strategy, define what you want to protect, and the steps you are willing to take to protect it. The technical term for this is threat modeling. This process will help you set realistic and achievable goals for protecting your privacy in a way that works for you. For an overview of steps you can take to assess and mitigate risk, review the information in these posts.
Unfortunately, there is no silver bullet to protect us from overcollection of our information by organizations, and the sloppy stewardship of that data. However, taking steps to minimize when we share information, and what we share, can reduce our exposure to risk.
Think about it like handwashing. We all know that, regardless of how often we wash our hands, we will catch a cold at some point. That doesn't mean we stop washing our hands (besides being unhealthy, that's just gross). Sound data practices should be understood in the same way - we take reasonable steps to mitigate risks, with adequate precautions to protect ourselves when bad things happen.
Breaches Are Only Part of the Risk
We tend to get concerned about how our data is used when we learn that it has been breached, but these concerns only address part of the problem. The reason Equifax could compromise information about 143 million of us is because it has information about more than 143 million of us. Equifax, Transunion, Experian, and others have been profiting from our information for years. Their business is selling the details of our lives to companies and people who want to exploit those details. We are not asked if these transactions are okay, and we are not told when they happen.
Image Source: Equifax web site
Moreover, because data brokers are in the business of selling our data to third parties, these data brokers increase our risk of being exposed to fraud and identity theft. It's worth remembering here that, as linked above, at least one data broker sold consumer information directly to an identity thief. When data brokers both sell our information, and sell services that claim to monitor our credit, the data brokers are actually monitoring for misuse of the data that they profit from selling. In this way, data brokers resemble a hedge fund, with the capacity to profit no matter what happens.
The Experian breach illustrates this perfectly. After Experian learned of the breach, several company executives sold their Experian stock. The stock sales occurred over a month before people affected by the breach were notified.
Breaches draw our attention to the risks from unauthorized uses of our data. However, we need to stop kidding ourselves: authorized uses of our data expose us to varying degrees of risk every day. We are almost never informed when our data is used or sold, and data brokers operate with few obligations towards the people whose data they control. Breaches are terrible, but the mechanics of breach disclosure are one of the few times that data brokers are required to be honest with us about the information they have about us.
