Late last week, Equifax — one of the ‘Big Three’ credit bureaus in the United States — admitted that its own lax security practices had allowed hackers to steal the personal identities of 143 million US citizens. This corresponds to roughly 44 percent of our entire population, and Equifax didn’t notify the public for more than a month after it detected the breach. If the company had used that time to nail down the specifics of the attack and create a comprehensive plan to address its own colossal screw-up, the five-week delay might be justifiable. Instead, Equifax has continued to find ways to compound its own egregious failure.
There’s one bit of good news buried in all the bad, so let’s address that first. Initially, it appeared that registering for Equifax’s credit monitoring service would force citizens to waive their right to join a class-action suit against the company in favor of mandatory arbitration at an individual level. Equifax has updated its site to clarify that this is not the case; the standard Terms of Service for both the Equifax site and the company’s TrustedID service do not apply to this data breach.
In most other respects, the situation has gotten worse over the past few days. Let’s talk about why.
The TrustedID Bait and Switch
First, while Equifax is offering a free year of credit monitoring for anyone who wants it, this isn’t a philanthropic gesture. Equifax owns TrustedID. Furthermore, the ToS associated with the product states that customers who sign up for the service will be billed for it thereafter unless they call the company to cancel. Equifax has stripped other billing clauses out of its ToS in the last 48 hours, but it left in the clauses about automatically renewing the service for those who do not cancel.
And let’s be clear: at least some people are going to feel as if they need this kind of monitoring for longer than 12 months. The breach exposed both Social Security numbers and birth dates, meaning identity thieves now have everything they need to launch credit-destroying attacks against much of the US population at any point over the next few decades. Neither your Social Security number nor your birth date is going to change, after all. But wait, there’s more!
Let’s say you want to freeze your credit file anyway, even though a freeze at Equifax only covers one of the three bureaus. Equifax requires you to enter a 10-digit PIN to request an unlock. A randomly generated 10-digit PIN would have ten billion possible values and be genuinely hard to guess, but Equifax auto-generated PINs from the date and time you requested the freeze. If you froze your credit file on September 10th at 11:45 AM, your PIN would be 0910171145: September 10, 2017, at 11:45 AM. Since most people froze their files in the days right after the announcement, an attacker who knows roughly when you acted has at most a few thousand candidates per day to try, not ten billion. It’s the kind of security one might expect in a Mel Brooks movie, and it’s a horrifying choice for a company whose own servers were just aggressively penetrated and robbed.
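To make the size of that mistake concrete, here is an added illustration (written for this page, not Equifax’s code, and assuming only the MMDDYYHHMM format the article describes) that models the timestamp-derived PIN, enumerates every PIN the scheme could have produced for freezes placed in a given window, and compares that search space with a PIN drawn from a cryptographic random source. The window dates are chosen for the example.

```python
"""Timestamp-derived PIN vs. random PIN: how much guessing an attacker faces.

Added example. Models the MMDDYYHHMM scheme described in the article
(month, day, two-digit year, hour, minute) and shows the effective
search space for a freeze placed within a known window.
"""
import math
import secrets
from datetime import datetime, timedelta
from typing import List, Optional

NOMINAL_SPACE = 10 ** 10  # what a 10-digit numeric PIN could offer


def timestamp_pin(when: datetime) -> str:
    """Derive a PIN the way the article describes: MMDDYYHHMM, minute resolution."""
    return when.strftime("%m%d%y%H%M")


def candidate_pins(start: datetime, end: datetime) -> List[str]:
    """Every PIN the scheme can emit for a freeze placed in [start, end).

    One candidate per minute, because the PIN has no second or
    random component. The window is the attacker's only unknown.
    """
    pins = []
    t = start.replace(second=0, microsecond=0)
    while t < end:
        pins.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return pins


def entropy_bits(n_candidates: int) -> float:
    """log2 of the candidate count: bits an attacker must actually guess."""
    return math.log2(n_candidates)


def random_pin() -> str:
    """What the PIN should have been: 10 uniform digits from a CSPRNG."""
    return f"{secrets.randbelow(NOMINAL_SPACE):010d}"


def attempts_to_guess(target: str, start: datetime, end: datetime) -> Optional[int]:
    """Number of sequential guesses until `target` is hit, or None if outside the window."""
    for attempt, pin in enumerate(candidate_pins(start, end), start=1):
        if pin == target:
            return attempt
    return None


if __name__ == "__main__":
    # Constructed scenario: a freeze placed Sept 10, 2017 at 11:45 AM (the
    # article's example), attacked by someone who only knows it happened in
    # the 30 days after the breach announcement.
    victim_pin = timestamp_pin(datetime(2017, 9, 10, 11, 45))
    window_start = datetime(2017, 9, 7)
    window_end = datetime(2017, 10, 7)
    space = candidate_pins(window_start, window_end)

    print(f"victim PIN               : {victim_pin}")
    print(f"nominal search space     : {NOMINAL_SPACE:,} ({entropy_bits(NOMINAL_SPACE):.1f} bits)")
    print(f"actual space, 30-day win : {len(space):,} ({entropy_bits(len(space)):.1f} bits)")
    print(f"guesses until hit        : {attempts_to_guess(victim_pin, window_start, window_end)}")
    print(f"a CSPRNG PIN would be    : {random_pin()}")
```

The 30-day window yields 43,200 candidates, about 15 bits, against the 33 bits a random 10-digit PIN carries; an attacker who knows the day of the freeze is down to 1,440 guesses. Rate limiting on the unlock form raises the cost per account, but it does not restore the entropy, and a phone or mail channel that accepts the same PIN may not be rate-limited at all.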
Torn-up Terms of Service
Over the past few days, Equifax has gutted its original Terms of Service. The old version of that document ran 7,202 words. The new one is just 2,869. The missing sections included the following:
- Notification that its monitoring services did not (and would not) improve the health or quality of your credit in any fashion.
- Notification that its services would not place a fraud alert with any consumer reporting agency.
- Information on how Equifax calculates its credit scores: the scores it provides are derived from its own internal formula and do not correspond to the ratings used by banks and other financial institutions.
- A great deal of information about service billing, as already mentioned above. The company left in the clauses about automatically renewing membership unless you cancel, however, so it’s not clear how this will play out.
- A huge block of information about its identity theft products, their limitations, capabilities, and how they operate. Nearly 1000 words of information were deleted from this section alone.
- Additional information on how disputes, liability, and warranty coverage are to be calculated.
With the exception of the last block of information, which was clearly deleted as part of a response to the lawsuit question, it’s not clear why Equifax has removed these terms now. The company used to say that purchase of its credit monitoring service did not, in any way, imply that Equifax would help you repair your credit rating. But TrustedID isn’t a credit repair tool; it’s a monitoring tool. Presumably, that hasn’t changed, so why remove that text?
There are two ways to read these changes, and we genuinely don’t know which is accurate. If you’re feeling optimistic, Equifax removed these blocks of text because it intends to offer affected citizens additional monitoring and aid that weren’t packaged with the standard TrustedID membership under normal circumstances, and doesn’t want to confuse people about its own product offering.
The cynical explanation is that Equifax removed this text so that people wouldn’t notice how limited its products were and how self-serving the entire affair is. We’ll let you decide.