The Equifax data breach announced this week in which hackers stole personal data of 143 million Americans gives us insight into how many ways people can be screwed over by credit monitoring bureaus.
You are screwed when your credit score is calculated by proprietary credit-bureau formulas that are kept secret. You are screwed because you have no leverage over these bureaus; they will calculate a score for you whether you like it or not. You are screwed when you try to correct errors and are confronted with unnavigable bureaucracy. You are screwed when the bureaus fail to protect your data from hackers and those hackers steal your identity, a crime that is made easy and scalable due to the centralization of credit reporting within the three major credit bureaus. You are then screwed for as long as thieves want to keep trying to open credit in your name, leaving you to negotiate with the credit bureaus over every new account, disputing medical bills, cable subscriptions, car loans, tax returns, and phone lines.
I ordered my first credit report in college, around the time that the FreeCreditReport.com scam was putting all those commercials on TV. I had been told by my bank that my credit score had dipped below a certain level for the first time, and I wanted to figure out why.
This is when I learned about credit bureaus, which collect consumer financial information and sell it to credit card companies and other lenders so they can make decisions about loans. There are three dominant credit bureaus in the U.S.: Experian, Equifax, and TransUnion. These firms, which are private and for-profit, originally served regional markets, but they gobbled up smaller credit bureaus and consolidated until they became national players. All three collect the same types of data, including basic identifying information as well as financial information that establishes your credit history: loans you’ve taken out, payments you’ve made, credit you’ve applied for.
The system by which these agencies rate humans is terrifyingly complex
Each bureau collects this information on its own. The bureaus have slightly different dossiers and may differ in how up-to-date they are at any given time, meaning your credit score varies from bureau to bureau. Historically, these scores were based on the proprietary FICO Score developed by the public data analytics firm FICO (formerly known as the Fair Isaac Corporation). But the credit bureaus developed an alternative version of the FICO score, called VantageScore, as well as their own internal scores and risk-assessment models. The bureaus are a black box; the way they track credit and calculate scores is a closely held secret, and they will speak publicly about it only in vague terms. The same goes for FICO.
I don’t remember which bureau I ordered my report from, but it had a long memory. My student loans were there. The American Eagle credit card I opened in exchange for 20 percent off at the register was there. And then there was a line item for a credit card that was opened in 1999. It had missed payments. Was this the thing knocking my score down? And given that I was in middle school in 1999 and did not open any credit cards, whose was it?
The mystery didn’t take long to solve. The line of credit belonged to my parents. It was on my report because they printed an extra card with my name on it. I don’t remember the details of how I tried to get this corrected, but I do remember it was challenging enough that I gave up.
Thanks to regulation including the 1970 Fair Credit Reporting Act and 1977 Fair Debt Collection Practices Act, credit reporting agencies are required to keep accurate records and scrub old information. A 2016 settlement with 31 states attorneys general also forced the three bureaus to stop collecting certain types of civil judgment and tax lien information, which boosted consumer scores (and sparked complaints from mortgage lenders). But the system by which these agencies rate humans is still opaque and terrifyingly complex. It’s a sprawling bureaucracy made up of millions of data transactions from every sector. Schools, the government, landlords, insurance companies, employers, collection agencies, anybody with a court order, American Eagle — they all request and share information with Experian, Equifax, and TransUnion. The stakes are high for people who need to buy things, while accountability for the bureaus is low.
The New York Times headline for its story about the enormous Equifax data breach referred to the 143 million victims as “customers,” which is not reality. These people never signed up for Equifax. The best (imperfect) analogy I can think of is Yelp. Most businesses don’t sign up for Yelp, nor can they remove themselves. There are some things they can do, like “claim” their listing and respond to reviews, but mostly they are supposed to sit back and be rated, and the scores they receive can make or break them.
Equifax users are faced with the labyrinthine task of first finding out if they were affected by the breach and then protecting their information. There is no database in which you can search your name, and the customer service representatives answering phone calls are uninformed. “I called Equifax and the customer service agent said 1.43 million people were impacted and I had to correct him that its 143 million,” Businessweek reporter Polly Mosendz said on Twitter.
I was able to get through to Equifax customer service and OMFG it's a huge mess pic.twitter.com/6XRRBM2Yl6
— Polly Mosendz (@polly) September 7, 2017
For those who are able to find out if they were affected by the breach, enrolling in the courtesy identity protection service that is being offered to victims at first waives some of your rights to sue unless you opt out. If you do sign up for the proposed class action lawsuit that was filed yesterday, which an attorney said would be seeking up to $70 billion in damages, your compensation would be less than $500.
And if you want to freeze your credit — one of the only ways to protect yourself from identity theft after a hack — Equifax will, insult-to-injury style, charge you a few bucks for it. If you are already the victim of identity theft, the credit bureau will likely waive the fee, but you have to prove it. In this case, Equifax writes, “please submit your request to Equifax in writing and provide Equifax with such police report or appropriate document so you will be eligible for any benefits associated with ID theft victims.”
so @Equifax lets my data be compromised and then charges me $3.00 to freeze my credit #databreach#scumbagspic.twitter.com/JZEDvJkUjX
— BooRadley (@brad30097) September 8, 2017
The only escape is to let your credit be destroyed so the thieves no longer want to be you. This means opting out of the credit economy and paying cash for everything. Good luck.
