When it comes to dealing with the aftermath of Equifax’s massive data breach, it’ll be up to consumers to be on guard against data thieves, experts say.
Last week, the credit-rating company disclosed that it was hacked earlier this year, leaving 143 million U.S. consumers’ personal information exposed. Equifax now faces numerous lawsuits, a huge stock price hit and several state and federal investigations.
Its slow and incomplete response continues to anger people all over the country, leaving many consumers wondering what — if anything — they can do to protect themselves if the company tasked with safeguarding their credit can’t even make its phone lines operate.
Lisa Gerstner has been tracking Equifax’s bungled response, both as a possible victim and as a writer for Kiplinger’s Personal Finance.
“The call lines have been flooded to them; I think their call centers are overwhelmed,” Gerstner says. “When I tried to call it last Friday about it, I got a busy signal then it hung up on me, so I went online.”
But there, too, as of Thursday, problems continued with Equifax’s website, with some users encountering system error messages. The company says that as of Tuesday, 11.5 million people had signed up to monitor their reports.
Equifax declined an interview. It has tried to respond to public outcry, removing legal language on its site, for example, that appeared to waive consumers’ rights to sue.
It has also had to explain why executives sold off company stock days after the breach and why it took Equifax over a month after discovering the problem to disclose it to the public.
Gerstner was also offended by Equifax and other credit agencies’ attempts to capitalize on the traffic by selling data-protection services, “which I think is also something that makes this Equifax breach galling to people … it’s the same company selling us services to protect ourselves that’s now given up our data,” she says.
It’s not just consumers and investors coming down hard on Equifax. Legal and political powers are also demanding answers and justice.
Massachusetts Attorney General Maura Healey, who plans to sue the company, called Equifax’s breach “the most brazen failure to protect consumer data we have ever seen.” Several other states and the Federal Trade Commission have said they have opened their own investigations. Members of Congress have demanded criminal investigations and a full accounting of what happened.
Meanwhile, security experts say the burden will fall mostly on consumers to manage the aftermath.
“The tools that consumers have are things they have to do themselves,” says Robert Schoshinski, assistant director of privacy and identity protection for the Federal Trade Commission. (He says his agency’s IdentityTheft.gov site is a resource for concerned or affected consumers.)
Freezing your credit — a service Equifax says it is offering temporarily free of charge — can protect against people trying to establish new accounts. Experts also urge consumers to regularly check their credit reports, monitor every bank statement, put fraud alerts on credit cards, and file tax returns as early as possible to try to prevent fraudulent filings.
When it comes to consumer measures, Avivah Litan, a security analyst with Gartner, is an even bigger pessimist — or realist — depending on your point of view.
“This was a horrible event, but this data has already been leaked,” she says.
Litan says freezing credit prevents fewer than 5 percent of financial crimes. Sadly, she says, because the three credit agencies have a virtual monopoly, there are no decent alternatives.
Doug Johnson, a vice president and cybersecurity expert at the American Bankers Association, says, “There’s never complete certainty associated with any security measure.” Freezing and monitoring accounts may help, he says, but “it’s all incremental.”
Consumers like Jacob Palenske of Dallas now take a different approach.
“The change now is that because I feel like there is no such thing as true privacy when it comes to data, that instead of depending on, and trusting the organizations that I give my data to to keep it protected, I’ve taken that upon myself now to say, ‘All right, I have to be very proactive and not assume that they are protecting it.’ ” Palenske says.
And that, experts say, is unfortunately about all you can do.