Custom Search

Thursday, September 21, 2017

Lord Have Mercy! Equifax has been sending consumers to fake site for 2 weeks

As my momma used to say "when it rains, it pours".  If that's the case, Equifax is in the middle of a Hurricane Harvey-esque Cat 5 hurricane of pouring rain.

After "forgetting" to install a security patch to its website which led to the largest data breach in the history of ever, then "forgetting" to tell their 143 million victims that they are and will forever be at risk for identity theft for nearly two months, then "forgetting" to tell anyone about an earlier data breach that Equifax has now confirmed did indeed happen, but "remembering" to let their top execs know about both breaches so they could several million dollars worth of Equifax stock before Equifax stock priced dropped by over a third of its price and "remembering" to donate to their favorite Congressman Barry Loudermilk so he would propose a completely idiotic bill that would provide immense protection to Equifax and the other credit bureaus at the expense of his constituents and the rest of America, NOW it has come to light that, for approximately two weeks, Equifax has been sending victims to a fake website.

Yes, a fake website.  A spoof.  One that puts those victims at even greater risk of identity theft.

Instead of using its own website to help victims of its data breach, Equifax created a whole new site equifaxsecurity2017.com.  Guess that added the year so they can keep their breaches straight.  The problem with using a new website instead of their existing one is that phishers and scammers can much more easily create fake websites using variations of the legitimate website's address.  This would include reversing the order of the words or making sites with common typos of the real site name.  In this instance, a mere day after the launch of the legitimate site, scammers had created 194 phishing websites that used addresses similar to the legitimate site.

What's worse than Equifax's boneheaded move in creating a new site instead of using its own Equifax.com site?  Equifax directed victims of its data breach to the WRONG site.  On three separate occasions, Equifax tweeted the incorrect URL securityequifax2017.com for its victims to use. Two of the tweets occurred on September 9 and the last on September 18 (i.e. three days ago!).

The Fair Credit Reporting Act requires consumer reporting agencies such as Equifax to follow reasonable procedures to assure maximum possible accuracy of the credit reports they generate regarding consumers.  I have been suing Equifax for 18 years for violating that section by failing to have, much less follow, reasonable procedures to assure maximum possible accuracy.  Now the public is getting a taste of what I have been seeing for years ... ignorance on top of ineptitude.

Please remember this if and when your Congressman or Senator votes in favor of Barry Loudermilk's bill designed to harm consumers by protecting Equifax from its own gross negligence and boneheadedness.

Video of Briefing for Senate Staff and Press on CFPB Arbitration Rule and Congressional Review Act Attack on the rule

Here is a link to the streaming video of yesterday's Senate briefing about the Congressional Review Act attack on the CFPB's arbitration rule.

As usual, my colleague Paul Bland did a fantastic job protecting us consumers.  Thanks for all you do, Paul!

Tuesday, September 19, 2017

It Just Keeps Getting Deeper - Equifax Suffered Second Undisclosed Data Breach

Bloomberg.com is reporting that the gigantically huge data breach that Equifax disclosed less than two weeks ago is not the only hack the consumer reporting agency suffered this year.  There was allegedly a hack in March, two or more months before the big data breach that has put 143 million Americans at risk of having their identities stolen and their lives ruined.

According to Bloomberg, Equifax notified a small number of outsiders and banking customers in early March that it had suffered a breach.  At that time, Equifax brought in a security firm to determine the scope of the breach.  What Equifax did not do was tell the general public about the first data breach, either then or in July when it learned of the second, larger breach.

The second, big breach occurred (according to Equifax) when hackers gained access to Equifax's computer system through a known flaw in the company's web software that somehow was not patched until after the breach was discovered in late July.  Was the flaw in the system discovered by the security firm in March and Equifax negligently failed to implement the patch to fix the vulnerability?

While the Bloomberg article focuses on the first hack's implications for the three executives that dumped Equifax stock after the second breach was known by Equifax but before the public was informed and the subsequent stock price drop, one thing the article does not mention is how the timing of the first hack completely undermines Representative Loudermilk's claim that his Equifax protection bill was drafted before the Equifax data breach, not in response to it.  I posted about Loudermilk's position yesterday.

Loudermilk introduced his bill designed to protect Equifax and the other credit bureaus and hurt consumers (such as his constituents) in May, a few weeks before the second breach allegedly occurred.  However, now that we know that Equifax knew of the first breach in March, why would we think that Loudermilk was not attempting to shield Equifax, a donor to his campaign, from liability from the first breach by pushing a bill that does nothing but protect the credit bureau from having to pay for its malfeasance?  The timeline is looking very bad for both Equifax and Loudermilk.  If I were a citizen of the 11th Congressional District of Georgia, I would have some very serious doubts about where my congressman's loyalties lie.

Monday, September 18, 2017

Representative Loudermilk is STILL trying to protect Equifax instead of consumers

U.S. Representative Barry Loudermilk is still trying to give immunity to Equifax for its utter failure to protect the private information of over 143 million Americans and its subsequent bungling of the data breach it allowed to happen.

Prior to the breach (allegedly, since we really don't know when the breach actually happened since we only have Equifax's word that the breach occurred in late May through early June), Representative Loudermilk, who is a U.S. Representative from Georgia, the home state of Equifax, proposed legislation that, if passed, would gut the protections afforded consumers by the Fair Credit Reporting Act.  The proposed legislation, H.R. 2359, would change the Fair Credit Reporting Act in two ways, both of which are very damaging to consumers and, not by coincidence, very favorable to Equifax and the other credit bureaus.

First, it would eliminate punitive damages.  Yes, the one thing that big corporations like Equifax are scared of is a punitive damage award.  Their profits are soooo great that an award of just compensatory damages will never be enough for them to really notice in the long term.  Punitive damages, however, are used to punish a corporation for its wrongdoing.  Equifax, as seen by its shenanigans of first hiding the data breach and then trying to pull a fast one to get its victims to give up their right to sue, is up to its eyeballs in wrongdoing.  Equifax's conduct is the type of conduct that deserves a punitive damages award against it, since their conduct is willful, intentional and not just a mere accident or negligent mishap.  So H.R. 2359 would benefit Equifax in that way.

Further, and more importantly in the context of consumers getting justice for Equifax's negligently allowing the data breach to happen, H.R. 2359 caps what consumers can get via a class action at $500,000.  Not per consumer, per class action.  And, since all of the approximately 100 class actions filed against Equifax for the data breach will ultimately be merged into one big class, that means 143 million plus victims of the data breach (less those who wisely opt out and file individual lawsuits) will have to split a measly $500,000 if Representative Loudermilk's bill becomes law.  If my math is correct, that is roughly 3 cents per victim.  Yes, three cents.  Three shiny pennies.  How is that justice?!

And, instead of backing away from his bill like its a grenade about to explode, Representative Loudermilk released the following statement:

"The data breach at Equifax has placed an unimaginable number of Americans’ personal information at serious risk. Not only must Equifax be held accountable for the breach of their systems, they must also be held accountable for their failure to notify the public of the breach in a timely manner. Businesses such as Equifax that obtain and store massive amounts of information on individuals must be held to the highest data protection standards. I will be working with the Financial Services Committee on investigating this data breach and the inadequate response of Equifax executives. Furthermore, we have already begun working on legislation mandating businesses to notify consumers affected by data breaches in a timely manner.

"Unfortunately, the outrage that followed the announcement by Equifax caused a gross mischaracterization of a bill that I have been working on since early this year. It was falsely reported that this bill (H.R. 2359) was introduced to give immunity to Equifax from any liability over this data breach. This couldn't be further from the truth. The FCRA Liability Harmonization Act (H.R. 2359) was introduced back in May, and is aimed at curbing frivolous class action lawsuits against businesses under the Fair Credit Reporting Act (FCRA). The businesses affected by FCRA lawsuits include community banks, credit unions, auto dealerships, retailers, and many other small businesses that extend credit to consumers.

"Reports that this bill would grant any immunity to Equifax for liability in this data breach are completely false. The bill does not give any immunity from prosecution or civil lawsuits for wrongdoing to any business. Furthermore, data breaches are governed by state laws, not the FCRA, so this bill would not apply to Equifax in this case at all with respect to the 143 million people whose personally identifiable information was compromised.

"Finally, given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time."

So Representative Loudermilk is claiming that his bill would not grant immunity to Equifax?  While technically true, being capped at paying three cents a victim is about as close to immunity as one can get.  For Representative Loudermilk to make this grossly misleading statement is deplorable.  He obviously cares more about Equifax, his campaign donor, than he does about consumers, including his constituents.  I hope the people of the 11th Congressional District of Georgia are paying attention to whose side Mr. Loudermilk is one, because it sure isn't theirs.

Sunday, September 17, 2017

Don't Answer Calls from Equifax

As if the damage done by Equifax's negligence in allowing the massive data breach and its subsequent shenanigans in delaying publication of the data breach and its efforts to further screw consumers by stealing their right is not enough, now scammers (other than Equifax) are trying to profit off the data breach at the expense of consumers.

I have been told that scammers are placing calls to consumers posing as employees of Equifax attempting to "help" after the data breach.  These "employees" then ask for the consumers' personal identifiers (Social Security number, date of birth, full name, etc.) in an alleged effort to verify the identity of the consumer.  However, they really use want your information to use against you, so DO NOT GIVE IT TO THEM!

First of all, Equifax will never call you about anything. This scam has been around for years but usually the scammers claim to work for the IRS.  Just like the IRS, Equifax will only deal with you in writing, so a call from someone claiming to be from Equifax is a big red flag that a scam is happening.

Secondly, after Equifax's blatant interest in only helping and protecting itself in the wake of the data breach its negligence allowed to happen, why would anyone think Equifax would go out of its way to call a consumer to help.  Equifax never helps. It only hurts consumers and does its best to profit from selling all of our information.  Just like Experian and Trans Union, Equifax only cares about profits and avoiding liability for its wrongdoing and malfeasance.

So if Equifax or the IRS is calling, hang up.  It's a scam.

Friday, September 8, 2017

Too Little, Too Late - Equifax Adds Opt Out to Arbitration Provision regarding Data Breach

After a flurry of bad press and social media outrage (including from yours truly), Equifax has now added an opt out provision to the arbitration provision it snuck into the fine print for anyone accepting Equifax's "offer" of "free" credit monitoring and identity theft protection.

Couple of problems.  No one reads the fine print so they don't know about the arbitration clause, much less the opt out provision.  Why can't they just make it an opt in, if arbitration is such a great thing?  Of course, its not and they won't.

Second, the opt out provision is only available for a measly thirty days from when the data breach victim signs up for the "free" credit monitoring.  Equifax kept the data breach secret for longer than that!  Thirty days is way too short.

And, a common ploy on these opt out provisions for arbitration clauses is that, amazingly, the company whose arbitration clause it is almost always denies that the consumer ever opted out and then still try to force the consumer into proving that he or she opted out, instead of the burden being on the company to prove that the consumer agreed to arbitration. Equifax will likely try the same ploy since, as you can see, the play fast and loose with the rules.  Just do a pacer search for lawsuits where they have allegedly violated the Fair Credit Reporting Act.

The data breach is a very bad thing.  But Equifax's reaction to the data breach (i.e. keeping it secret for almost two months and then trying to screw the data breach victims out of their rights) is the worst of all.  Equifax and its executives should pay and pay dearly for this.


Equifax based in Georgia; Georgian Congressman seeks to gut FCRA. Coincidence? I think not!

Equifax is based in Atlanta, Georgia.  Three guesses which state's congressman proposed HR 2359, i.e. the Kill the FCRA bill.  Yep, that's right, Congressman Loudermilk of Georgia.  I wonder who put him up to it?

Representative Loudermilk is now being called on to withdraw his Equifax protecting bill by the National Association of Consumer Advocates (of which I am a proud member) and The Georgia Watch.  Their press release reads:

"NACA, Georgia Watch Call on Rep. Loudermilk of Georgia to Withdraw His Bill That Favors Equifax, Credit Bureaus Over Harmed Consumers

In light of the astonishing announcement of credit reporting agency Equifax’s security breach which impacts the personal information of more than 140 million consumers, National Association of Consumer Advocates and Georgia Watch call on Rep. Barry Loudermilk (R-Ga.) to withdraw his legislation, H.R. 2359, that would drastically reduce remedies for consumers who are victims of credit reporting abuses.

On the same day that Equifax announced the massive data breach, a subcommittee of the U.S. House Financial Services Committee held a hearing to consider legislation, including Loudermilk’s bill that would amend the federal Fair Credit Reporting Act to essentially shield credit reporting agencies from full accountability for willful and reckless conduct that upends individuals’ employment and financial lives.

Specifically, the “FCRA Liability Harmonization Act” would eliminate punitive damages, a tool used to punish the worst actors, and would impose an arbitrary $500,000 limit on statutory and actual damages in class actions. These illogical blocks on consumer remedies would obstruct individuals’ legal rights.

“Instead of running to Congress to seek a “get out of jail free” card to avoid accountability for its reckless handling of consumers’ personal and financial information, Equifax and its counterparts in the credit reporting industry should focus on protecting information from identity thieves,” said Christine Hines, legislative director at National Association of Consumer Advocates (NACA).

At Thursday’s hearing, witnesses for the credit reporting industry claimed that their violations of federal protections were merely technical and do not harm anyone despite evidence that consumers have been blocked from accessing credit, housing, and jobs due to industry’s irresponsible handling of consumer information. Industry representatives also used the hearing to bash a rule issued by the Consumer Financial Protection Bureau that would restore consumers’ ability to band together in class actions when harmed by unlawful financial industry practices.

Currently Equifax is rightly being criticized for its handling of the massive data breach. One of many of its missteps – it has inserted forced arbitration clauses in the terms and conditions of various credit monitoring services that it is encouraging affected consumers to enroll in.

“Equifax’s use of forced arbitration clauses and class action bans means that consumers cannot band together in court to seek remedies against it,” said Liz Coyle, executive director of Georgia Watch.  “This is unacceptable and will have disastrous effects on the marketplace.”

NACA and Georgia Watch insist that Rep. Loudermilk withdraw his bill and support consumers’ right to hold bad actors like Equifax fully accountable through the justice system."

Congressional Committee to hold Hearing Regarding Equifax Data Breach

Yesterday, the House Financial Services Committee held a hearing on a bill that would gut the protections of the Fair Credit Reporting Act, which is the only law protecting Americans from the ridiculously inept consumer reporting agencies such as Equifax.

Today, the public learned of a massive data breach of Equifax's treasure trove of secret information regarding consumers, including the full names, Social Security numbers, dates of birth and addresses of approximately 143 Americans.

Now, the House Financial Services Committee released the following press release:

"WASHINGTON – House Financial Services Committee Chairman Jeb Hensarling (R-TX) said his committee will hold a hearing on the Equifax data breach that has potentially compromised the personal information of roughly 143 million Americans.

“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing.  Large-scale security breaches are becoming all too common.  Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers,” said Chairman Hensarling.

A date for the hearing will be announced at a later time."

Chairman Hensarling, if you want to protect Americans from data breaches and the damage caused by identity theft, your first step should be to kill HR 2359.  Only the Fair Credit Reporting Act stands in the way of Equifax and the other credit bureaus harming Americans by willfully and knowingly reporting erroneous information on Americans' credit reports.  That is the "answer" you seek.  Have you hearing, but start with killing HR 2359 and let the Fair Credit Reporting Act continue to protect Americans.

Equifax's data breach just keeps getting worse!

As if it is not bad enough that Equifax exposed 143 million Americans to the hellacious ordeal of identity theft, now its becoming crystal clear just how inept their response to the data breach was.

For instance, the website ARS Technica (www.arstechnica.com) reported the following:

"What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Another indications of sloppiness: a username for administering the site has been left in a page that was hosted here. ... That by itself wouldn't allow for unauthorized access, but it's still something that should never have happened.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So Equifax's attempt to "fix" the damage done by its data breach doesn't just take away the rights of consumers to get justice for the damage caused by Equifax's negligence, it now opens those victims up to more potential privacy problems by using a website with obvious security holes to collect the names and Social Security numbers of the victims.  Sheeeeesh!

Equifax's unwillingness to investigate consumer disputes properly is starting to look like the lesser of their sins.

NCLC's statement regarding the Equifax data breach

Below is a statement from the National Consumer Law Center regarding the Equifax data breach. NCLC fights for the rights of you, the consumer, every day, even though you probably didn't know it and, for a large segment of America, vote for the very politicians that are doing their best to strip you of your rights and protect the big businesses that trample your rights every day.

Statement of National Consumer Law Center Staff Attorney Chi Chi Wu on the Equifax Data Breach that Affected 143 Million Consumers

The massive Equifax data breach is one of the largest in our country’s history, affecting half of the United States population and nearly three-quarters of consumers with credit reports. Chances are, this affects YOU. Plus, the stolen information is the mother lode of sensitive personal data that can be used for identity theft: Social Security numbers, dates of birth, and in some cases, driver’s license numbers. Also, was highly revealing credit reporting account information stolen, such as student loan or mortgage payment account numbers and payment histories? This information could be used for phishing schemes or other fraud.

Equifax should immediately pay or reimburse fees for security freezes to affected consumers at all three of the major credit bureaus, i.e. Experian and TransUnion in addition to Equifax. A security freeze is the most effective measure against “new account” identity theft, because it stops thieves from using the consumer’s stolen information. Equifax is offering one year of its credit monitoring and identity theft prevention product in response to the security breach, which it states includes “the ability to lock and unlock Equifax credit reports.” That is a first step, as the ability to lock Equifax reports is better than credit monitoring alone. Credit monitoring only informs consumers after the fact when there has been an attempt to open a fraudulent new account using the consumer’s personal information. However, consumers need the ability to “lock down” or freeze their credit reports at all three major credit bureaus, and for more than one year, because the stolen information could still be used to fraudulently apply for credit using a report from Experian or TransUnion as well.

Equifax should immediately remove the forced arbitration clause and class action ban from the Terms of Use for its website and any credit monitoring or identity theft prevention services it offers. The arbitration clause does give consumers the ability to opt out of forced arbitration by notifying Equifax in writing within 30 days, which consumers should do.  However, most consumers will not see that fine print and will be forced to give up their access to the courts. Through those terms, Equifax is purporting to prevent affected customers from access to the courts or the right to join together with the other hundreds of millions of injured consumers to jointly pursue claims against Equifax. A new rule by the Consumer Financial Protection Bureau would bar such forced arbitration clauses with class action bans, but members of Congress have threatened to block the rule.

Consumers affected by the breach should not wait to see if Equifax will pay for freezes at the other two credit bureaus; they should get freezes immediately if they are worried about identity theft. If consumers do not want to get a freeze, there is also the option of putting a 90-day “initial fraud alert” in their credit report that tells businesses they should verify your identity before they issue credit. The initial fraud alert must be renewed every 90 days.

Another risk of this massive data breach is tax identity theft, where crooks file phony tax returns in the consumers’ name. The Internal Revenue Service (IRS) had previously made available Identify Theft PINs for consumers in Florida, Georgia, and the District of Columbia, and consumers in those states should consider getting the pin (which they should do before getting a freeze). The IRS should make Identity Theft PINS available to all affected breach victims.

It’s ironic that, on the same day that Equifax announced this data breach, Congress was considering a bill that would dramatic reduce the consequences of violating the Fair Credit Reporting Act (FCRA) for the credit bureaus and other industry players. H.R. 2359, the so-called FCRA Liability Harmonization Act, was just heard yesterday by the House Financial Services Committee and would eliminate punitive damages plus limit class action damages under the FCRA. While the FCRA may or may not be directly implicated by the Equifax data breach, we need stronger, not weaker, consequences when companies violate long-standing privacy laws, such as the FCRA. Credit bureaus, such as Equifax, should not be rewarded with reductions in legal accountability given these recent events

###

Since 1969, the nonprofit National Consumer Law Center® (NCLC®) has used its expertise in consumer law and energy policy to work for consumer justice and economic security for low-income and other disadvantaged people, including older adults, in the United States. NCLC’s expertise includes policy analysis and advocacy; consumer law and energy publications; litigation; expert witness services, and training and advice for advocates. NCLC works with nonprofit and legal services organizations, private attorneys, policymakers, and federal and state government and courts across the nation to stop exploitative practices, help financially stressed families build and retain wealth, and advance economic fairness.

Equifax Data Breach Puts 143 Million Consumers at Risk

On July 29 (yes, nearly two months ago), Equifax discovered that it had suffered a data breach between mid-May and July.  The massive data breach exposed the personal identifiers of approximately 143 million Americans.  That means approximately half of the population of the United States just became even more likely to have their identities stolen.

The information that Equifax allowed to be stolen is the holy grail for identity thieves.  The names, Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers of 143 million Americans were pilfered from Equifax.  Even worse, Equifax sat on this information for nearly two months before alerting the public of Equifax's malfeasance putting them at risk.

Equifax is one of the last companies that should allow something like this to happen.  Equifax chose to enter the business of collected and disseminating the most private of information on nearly all Americans.  Equifax's credit reports are used nationwide for obtaining home loans, car loans, credit cards, bank loans and lines of credit.

Equifax's credit reports are used by many employers to decide whether to hire someone, particularly if there is any responsibility for financial accounts involved in the job description.

Equifax's credit reports are used by government agencies to determine whether you can have or keep a security clearance.  I have had many clients lose their security clearances (and thus their jobs) due to Equifax reporting erroneous information about them and the willfully refusing to correct the errors.

Equifax's credit reports are used by insurance companies to determine if you qualify for car insurance and homeowner's insurance.  And, if you do qualify, you may find that your premiums are higher because of the contents of your Equifax credit report.

Now, all of that uber sensitive information entrusted to Equifax (not that the consumer is given an option) has been exposed to identity thieves and hackers and is no doubt going to be sold on the dark web and used to victimize consumers across the country.

But what is even worse than Equifax allowing this tragedy to happen and then keeping its misdeeds secret for nearly two months?  Now, Equifax is offering free identity theft protection and credit monitoring to the victims of its data breach.  Sounds good, right?  Wrong!  Included in the sign up for that "free" identity theft protection are arbitration clauses that take away your rights to sue Equifax for the damage its data breach causes you.

When my wife woke me up this morning at 2:00 a.m. when she read about the Equifax data breach and then told me that Equifax was offering free credit monitoring and identity theft protection, I mumbled in my half awake state "do not sign up for it, they'll  have something bad in the fine print". How did I know this?  Well, for one, I have been suing Equifax for consumers they have wronged for nearly 18 years now.  Second, Equifax has done this type stuff before.  For instance, consumers are entitled under the Fair Credit Reporting Act to one free credit report per year.  But Equifax thought it right to make consumers agree to give up their right to a lawsuit to be able to exercise their right to a free credit report.  So Equifax stuck some arbitration language in the fine print of anyone accessing their free credit report online.  I warned you about this all the way back in 2009 - fcralawyer.blogspot.com/2009/05/truly-free-credit-report.html.  So it was no surprise that they would pull something like this again, especially since they are the root cause of the problem this time.

So, if Equifax's data breach causes your identity to be stolen which then causes your life to become a financial hell when your legitimate credit cards get closed, you lose your job and your home and auto insurance and then, due to the stress of it all, your health goes kaput, Equifax skates by free and clear because your only option is to bring an arbitration proceeding to be decided by Equifax's arbiter. Talking about heaping injustice on top of tragedy!

So, whatever you do, do not sign up for Equifax's "free" monitoring or identity theft protection.  To do so will cause irreparable harm to any potential lawsuit you may have if, God forbid, Equifax's data breach leads to theft of your identity.  And, if you do become the victim of identity theft, contact the Kittell Law Firm at 662-298-3456 or at ckittell@kittell-law.com.  I will sue Equifax in any jurisdiction in the United States for any victim of identity theft whose credit report is damaged as a result of Equifax's data breach provided that you have not agreed to throw your rights away by falling for Equifax's trap of "free" credit monitoring.


Monday, August 14, 2017

Equifax Continues to Profit from Identity Theft

Equifax has purchased identity theft protection company ID Watchdog for approximately $63 million.  ID Watchdog is a company similar to LifeLock that consumers and/or businesses pay to monitor their credit and "protect" them from identity theft.

Once again, Equifax is turning identity theft into a profit center for its bottom line.

Equifax is charged by the Fair Credit Reporting Act to perform reasonable investigations of disputes made to it by consumers regarding inaccuracies on their Equifax credit reports.  Many times these errors are actually credit cards, car loans or mortgages opened fraudulently as a result of the theft of the consumer's identity.  Sometimes they are collection accounts placed on the consumer's credit report for the purpose of collecting a debt that was fraudulently incurred by the identity thief in the consumer's name.

Unfortunately for the victims of identity theft, Equifax often does not properly investigate the disputes it receives, particularly those resulting from identity theft.  Instead of investing in its investigation department to make it better and thereby possibly comply with the Fair Credit Reporting Act and eliminate a lot of the problems caused by identity theft, Equifax instead turns identity theft into a means to profit by investing in a company that sells identity theft protection.

If Equifax consistently did the job that it is required by the Fair Credit Reporting Act to do and actually investigate the disputes it receives, consumers would not need to pay for additional identity theft protection or pay for multiple credit reports per year or monitoring services to monitor their credit.  But instead of doing what it is required to do, Equifax instead chooses to profit from the misery of identity theft victims.

Equifax makes millions each year from the sale of credit monitoring services and the sale of extra credit reports to consumers worried about the contents of their credit report because their identities have been stolen.  A quick glance at Equifax's website makes it clear that Equifax's emphasis is on profiting from credit monitoring rather than properly investigating consumer disputes.  Equifax sells no less than 5 different plans to "monitor" and "protect" the contents of your credit report.  They give these plans catchy names like Premier Plans, Advantage Plans, Family Plans, Patrol and even Patrol Premier, but they all have the same goal, to play on consumers' fear of identity theft to line Equifax's pockets.

The purchase of ID Watchdog provides Equifax with another mechanism to use to prey on consumers' fears.  Instead of fixing the problem by deleting fraudulent accounts when disputed, Equifax wants consumers scared so they will buy more credit reports and purchase more monitoring plans.  Not that Equifax is likely to delete any fraud accounts found by the consumers using Equifax's monitoring products.

Equifax needs to be held accountable for its decision to put its profits over the well being of consumers.  The government has put in place the mechanism to hold Equifax accountable when it passed the Fair Credit Reporting Act.  Now it is up to juries and judges to show Equifax and the other credit bureaus that putting profits over people will not be tolerated.

Tuesday, August 8, 2017

When to Check Your Child's Credit Report


When will your child have a credit report?  When should you check?  When should you be worried that your child does have a credit report or his or her credit is being used illegally?  These are all questions that parents should ask themselves but often do not.

Typically children do not have a credit report until they actually obtain their first credit card, car loan or other financial account that is reported to the credit bureaus.  This should not be until they reach the age of majority in your state and can legally enter into contracts.  Or possibly when you add them as an authorized user on your credit cards, not that I am advising that you do that!

However, children are often the victim of identity theft long before they are old enough to obtain their own credit.  Oftentimes, it is the children's own parents that are the identity thieves.  A credit application appears one day bearing the child's name.  A quick application later and a credit card is issued in the child's name.  An unscrupulous parent can then make charges that never are re-paid and that do not affect the parent's credit report.

And it does not have to be a parent that commits the crime.  Children can be the victims of identity thieves that are complete strangers.  Or they can be "merged" with another adult consumer whose name, Social Security number or other personal identifiers are similar to your child's. While the credit bureaus should never allow this to happen by simply complying with the Fair Credit Reporting Act, it does happen because the credit bureaus are known to utilize faulty matching logic that allows such mergers of credit files to happen.  And when it does, the adult consumer's credit can and will land on your child's credit report, which can cause your child to be saddled with a bad credit history before he or she even begins their adult life.

So how do you protect your child's credit?  What are the warning signs that a child has become the victim of identity theft?

You should check your child's credit report with the big three credit bureaus (Experian, Equifax and Trans Union).  I suggest doing so when your child turns 16.  At that point, the response from the credit bureaus should be that they have no file on your child.  But, if there is a file, then you should obtain a copy (as the parent and guardian of your child) and confirm that no accounts have been opened in your child's name.  If there have been, dispute them to the credit bureaus, including a copy of your child's birth certificate to prove that he or she is under age and thus not legally capable of entering into a contract to open the fraudulently opened account(s).

Should you ever check your child's credit before their sixteenth birthday?  Yes - if your child starts receiving credit card applications, collection letters, collection calls or anything indicating that they have been active in the credit arena.  This could be an indication that your child's identity has already been stolen.  At that point, despite your child's age, you should check his or her credit report and dispute anything that is not your child's credit.

Ideally, such disputes will lead to the child's credit reports being corrected.  But, as often is the case, the credit bureaus will not perform reasonable investigations of the disputes.  At that point, you should consult an attorney like me who specializes in Fair Credit Reporting Act litigation.

Monday, August 7, 2017

Nigerian Citizen Living in North Carolina Arrested for Phishing Scheme Targeting Connecticut and Minnesota School Districts


Nigerian citizen Daniel Adekunle Ojo was arrested last week at his residence in Durham, North Carolina.  He is being charged with fraud and identity theft charges filed by Connecticut U.S. Attorney Deirdre Daly.  

According to prosecutors, an employee of the school district in Glastonbury, Connecticut was duped by a phishing scam which Ojo was allegedly behind.  A phishing scam is one where an e-mail that appears to be legitimate asks for private information or asks the recipient to log into an account via a link in the e-mail that leads to a fake site.  Any information obtained via a phishing e-mail can then be used to commit financial crimes.

In the scam in this case, Ojo allegedly spoofed the e-mail address of one school employee to make it appear that that school employee had e-mailed the duped school employee requesting tax information for approximately 1600 school district employees.  Not realizing that the e-mail was not legitimate, the school employee provided the requested information, which was then allegedly used to file 122 bogus tax returns for nearly $600,000.00 in tax refunds.

At least six of the fake tax returns were successful, resulting in $37,000 in refunds being electronically deposited into various bank accounts.

It is also believed by authorities that Ojo is not a first time phisher.  Ojo's e-mail address is allegedly linked to a phishing scam in Bloomington, Minnesota earlier this year and that he may have been involved in a similar phishing scheme that targeted the school district in Groton, Connecticut.

A federal magistrate judge has ordered that Ojo be transferred to Connecticut for prosecution.

My advice on phishing:  Never, ever, ever click a link in an unsolicited e-mail even if it looks like it legitimately came from a company with which you do business.  Phishers used to be easy to spot due to their poor grammar and odd phrasing used in their e-mails.  But they have gotten better and thus less easy to spot.  So think hard before you click.

Sunday, August 6, 2017

Former Member of U.S. Air Force Sentenced for Identity Theft

A Chicago federal judge has sentenced former U.S. Air Force member Ronnie Allen II to four years in prison for identity theft.  Allen, a 28 year old from Greensboro, North Carolina, used his position in the Air Force to illegally steal an Air Force personnel roster.  The roster contained the private identifying information of approximately 1400 Air Force members stationed in Idaho at Mountain Home Air Force Base.  The personal identifiers contained on the illegally obtained roster included the names, Social Security numbers and dates of birth of the Air Force personnel.

According to prosecutors, Allen distributed the private information contained on the stolen personnel roster with the hopes of profiting financially from the information's dissemination.  The information was then used to file tax returns and fraudulently open financial accounts using the names and other personal identifiers of the Air Force personnel on the list.  It is unclear how many Air Force members were affected by the dissemination of their personal identifiers.

Identity thieves often open credit cards and obtain loans using the names and other personal identifiers of their victims.  The criminals then make purchases using the credit cards and loans.  The charges are never paid, thereby ruining the victims' credit history while the criminals profit without any consequence unless caught.

Forged tax returns are a slightly different version of identity theft and has become more prevalent in recent years.  Instead of opening new financial accounts, the identity thief completes a fake tax return in the name of his or her victim.  This is usually done as early in the year as possible before the victim files his or her real return.  The taxes on the forged tax return are calculated in such a way as to result in a refund, which is then received by the identity thief instead of the victim.  The IRS has been cracking down on this type of identity theft over the past few years, including issuing pin numbers to persons who have been victims in the past to prevent the crime from reoccurring.

While four years seems like a light sentence to me (the damage to the victims' credit histories will last longer than that), it is good to see an identity thief like Allen being forced to spend at least some time behind bars.