By now, you've probably heard that 143 million Americans had their names, Social Security numbers, birthdays, addresses, and other information hacked by a massive breach in Equifax's (EFX +0.12%) database. If you run the numbers, it means there's a better than 50-50 chance that you (yes, you) are included in this breach.
But that's not where the troubling news ends. In fact, as details start to emerge about the company's efforts to mitigate the risk to consumers, the ways it's trying to cover its tracks, and the behavior of some senior executives following the breach, the picture is getting decidedly murky.
Image source: Getty Images.
Here are the three biggest things you need to know.
1. You have to provide personal information to see whether you've been hacked -- and the answer may be unreliable
The company has set up a website where you can check to see if your information has been compromised. The problem is that once you enter all of your information, the detail you'll receive is scant. When I typed in my information, I got a message that read: "Thank you. Based on the information provided, we believe that your personal information may have been impacted by this incident."
In short, I gave six (rather than the usual four) digits of my Social Security number to an agency that just lost a trove of personal information, all just to find out that my personal information may have been stolen. To many people, that will sound a little too risky to be worth it.
Additionally, some research by ZDNet and other outlets has concluded that Equifax's hack-checking tool gives seemingly arbitrary, perhaps even random, results. Some visitors to the site have reported getting a response even when they type in made-up names and Social Security numbers. Others who have submitted their own information multiple times say they've gotten differing responses.
Keep in mind that Equifax has had over a month to prepare for this.
2. Equifax's credit monitoring service initially came with a scary catch
Once you've learned that your information may have been compromised, you have the option to enroll in Equifax's TrustedID Premier service. Equifax CEO and chairman Rick Smith described it this way: "We are taking the unprecedented step of offering every U.S. consumer in country a comprehensive package of identity theft protection and credit file monitoring at no cost."
TrustedID offers you copies of your Equifax credit report, monitoring of your credit file from all three credit agencies, the ability to lock your report from being accessed, Social Security number monitoring, and up to $1 million in identity theft protection.
That sounds like an appropriate response to the situation...except the first people who registered for the service have reported that some language in the contract they had to agree to could significantly affect their legal rights if this hack leads to significant personal loss.
The Washington Post reported that the contract's fine print included an "arbitration clause." What does that mean? A 2015 article by The New York Times put it this way: "By inserting individual arbitration clauses into a soaring number of ... contracts, companies ... devised a way to circumvent the courts and bar people from joining together in class action lawsuits, realistically the only tool citizens have to fight illegal or deceitful business practices."
In fact, the Consumer Financial Protection Bureau (CFPB) has a rule that's set to take effect within the next month barring the use of the clause. CFPB spokesman Sam Gilford had this to say on Friday: "It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company's breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition."
And that's what the company is apparently doing, although it certainly dragged its feet in doing so. In response to the initial backlash to the arbitration clause, Equifax said TrustedID members could opt out of it by sending the company a written request. Consumers, rightly, were not mollified; after all, Equifax was asking fraud victims to jump through hoops to preserve their legal rights. By the end of the weekend, the company had finally removed all of the arbitration clause language.
The fact that the company tried to tie the hands of those who were victimized speaks volumes.
3. Questionable stock sales
Finally, there's the question of whether insiders sold shares of Equifax after the breach was known internally, but before the general public -- and investors -- were aware.
Here are the three questionable stock sales that happened within days of the discovery of the breach. None were part of a pre-determined trading plan.
|
Name |
Position |
Date Reported |
Shares Sold |
Proceeds |
|---|---|---|---|---|
|
John Gamble |
CFO |
July 31, 2017 |
6,500 |
$946,374 |
|
Joseph Loughran |
President, U.S. Information Solutions |
July 31, 2017 |
3,000 |
$584,099 |
|
Rodolfo Ploder |
President, Workforce Solutions |
Aug. 1, 2017 |
1,719 |
$250,458 |
Data source: Yahoo! Finance.
The company responded by saying that none of these executives knew of the breach when they sold shares and that these were relatively small amounts of their total holdings -- 13%, 9%, and 4%, respectively.
And indeed, a look at the selling history of these three offers some cover. Loughran and Ploder each have several other open-market sales over the past year, for a combined total of over $1.6 million.
Gamble, on the other hand, has been with Equifax for just three years and has only made one other open-market sale in the past two years. It occurred just two days after a large option grant in May of this year.
What this means, and what you can do
In the end, there's nothing incriminating here, nor is there a smoking gun. But the fallout might be just as bad.
Here's why: The company waited 40 days after discovering this breach to reveal it to the public. With a data breach of this scale -- especially coming from a company that has information as sensitive as Social Security numbers -- if Equifax wants to maintain consumer trust, it needs to bend over backward for everyone affected. It also needs to get out in front of eyebrow-raisers like the fact that executives were making money off stock sales immediately following the breach's discovery.
But that hasn't happened. At first, you were giving up your legal recourse to find out how your information had been compromised. Only after outside pressure was exerted did Equifax change its stance -- and even then, the company was still making you jump through hoops to maintain your rights. The outcry from that change finally led to a full resolution.
The details surrounding the stock sales are equally confusing. Management could have known about them beforehand and decided not to share key details like when the executives were informed of the breach. Alternatively, management may have only become aware of the sales after others brought it to their attention and then simply trusted the word of said executives, which would be negligent.
In any case, management has not acknowledged the trades or shared the specific dates when each transactor learned about the breach, and that should give consumers pause. Using Equifax's products to track your own personal information is certainly an option -- but be sure to opt out of the arbitration clause. You can also get similar products with the other two credit agencies -- Experian or TransUnion -- or companies such as LifeLock. While you'll have to pay for those services, you'll also be avoiding Equifax for the time being.
And you can always freeze your credit quickly by contacting the credit unions and paying a small fee. Then, only existing creditors and you can access your credit report, making it impossible for thieves to open new accounts using your information.
If my family decides to seek help in monitoring our personal information, we'll be using one of the three non-Equifax services in the future, and it's at least worth considering whether you should do the same.
