Granite Staters fume over EquifaxBy SHAWNE K. WICKHAM
New Hampshire Sunday News
September 17. 2017 1:07AM
How to protect yourself after data breachEquifax, one of the three major credit reporting agencies, announced a data breach on Sept. 7 that potentially exposed personal information of about 143 million Americans.
1. FIND OUT IF YOUR INFORMATION WAS EXPOSED:
Visit www.equifaxsecurity2017.com. Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. (Make sure you’re on a secure computer and an encrypted network connection.) This will tell you if you’ve been affected by this breach.
2. SIGN UP WITH EQUIFAX FOR CREDIT MONITORING, OTHER PROTECTIONS:
Whether or not your information was exposed, Equifax is offering consumers free credit file monitoring and identity theft protection. The site will give you a date to come back to enroll. On that date, return to the site and click “Enroll.” (You have until Nov. 21 to enroll.)
3. CHECK YOUR CREDIT REPORTS FROM EQUIFAX, EXPERIAN AND TRANSUNION FOR FREE AT ANNUALCREDITREPORT.COM:
Accounts or activity that you don’t recognize could indicate identity theft.
4. CONSIDER PLACING A FREEZE ON YOUR CREDIT REPORT:
A security freeze on your credit report generally prevents new credit and accounts from being opened in your name. You’ll get a PIN number to use each time you want to freeze and unfreeze your account. You must contact each credit reporting company.
Because of the data breach, Equifax is offering consumers free credit freezes. Go to www.equifaxsecurity2017.com or call (800) 685-1111 and follow the prompts. The other credit reporting companies can charge $10 to place — and to lift — a freeze. To reach Experian: www.experian.com or (888) 397-3742. To reach TransUnion: www.transunion.com or (800) 680-7289.
5. CONSIDER PLACING A FRAUD ALERT ON YOUR FILES:
A fraud alert, which lasts 90 days, requires creditors to take steps to verify your identity before opening a new account, issuing an additional card, or increasing the credit limit on an existing account.
When you place a fraud alert on your credit report at one of the nationwide credit reporting companies, it must notify the others.
6. MONITOR YOUR EXISTING CREDIT CARD AND BANK ACCOUNTS CLOSELY FOR CHARGES YOU DON'T RECOGNIZE.
7. FILE YOUR TAXES EARLY:
Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. File as soon as you have the tax information you need — before a scammer can.
8. VISIT IDENTITYTHEFT.GOV/DATABREACH TO LEARN MORE.
Source: Federal Trade Commission (ftc.gov) and Consumer Financial Protection Bureau (consumerfinance.gov)
CONCORD - The Attorney General's Office gets about a dozen reports every week of data breaches that potentially could compromise the personal information of consumers here.
But the scope of the data breach recently disclosed by Equifax, one of the major credit reporting agencies, was "eye-popping," says James Boffetti, chief of the AG's Consumer Protection and Antitrust Bureau.
His office has been getting lots of calls from angry, nervous consumers about the Equifax breach, which could affect 143 million Americans - 600,000 of them in New Hampshire.
It's one of the largest data breaches to affect folks here, eclipsed only by the 2015 Anthem breach, which compromised the personal data of nearly 668,000 New Hampshire customers.
Boffetti said consumers have no control over the amount of private data the credit reporting agencies collect on their mortgages, car loans, credit cards and other debts. "It's not like we have a choice," he said.
"They certainly have a lot of personal information about me and about millions of others that they keep in order to do their job. But it's exactly that information that was not properly secured," Boffetti said.
"So that's, I think, why people are so agitated about this, and so exasperated."
Equifax is offering free credit monitoring and identity theft protection to all U.S. consumers, regardless of whether their data was exposed. The company created a dedicated web site (www.equifaxsecurity2017.com), where consumers can see if they're among those affected by the data breach.
When Boffetti did so, he learned that he's on the list; as a state employee, he also got caught up in the Anthem breach two years ago.
Once your name, date of birth and Social Security number have been compromised, the risk of identity theft can last the rest of your life, Boffetti said. "I think we have to be vigilant forever," he said.
The irony, he said, is that the typical advice he gives consumers after a data breach is to monitor their credit reports regularly.
Boffetti said state attorneys general are working together to press Equifax officials for information about what happened, and how they plan to address those harmed by the breach.
That pressure apparently led Equifax to remove a clause posted on its website, requiring consumers to waive their rights to arbitration and class-action in order to sign up for the credit protection, Boffetti said. "That came up against some pretty vociferous objections from the state AGs," he said.
"It does seem to offend public policy that they could require a condition like that when in fact their company is the one responsible for causing the harm," he said.
In a statement posted on Friday, Equifax said it "never intended for these clauses to apply to this cybersecurity incident."
Ray Shakir of North Conway checked the Equifax website last week and learned that while his wife's name was not on the list of those potentially affected, his name was. But he balked at registering for protection because he had read that it meant giving up his rights to sue the company down the road. "The whole process makes me leery," he said.
Shakir, a retired construction manager, said Equifax "should be in a position where they're above reproach ... and they continue to update their systems so that they're essentially hack-proof."
Instead, he said, the massive data breach reveals that "there are holes in the dike."
"And that makes me leery about giving any of my personal information to anybody," he said.
Boffetti said another issue for the attorneys general is why it took so long for Equifax to report the breach. By the company's own admission, the hack was discovered on July 29, but only made public Sept. 7.
By law, companies must report a data breach immediately, unless a law enforcement or national homeland security agency deems that notification would impede a criminal investigation or jeopardize national security, Boffetti said.
It's possible, he said, for federal law enforcement agencies to ask a company to hold off on making such information public, so they don't tip off the criminals responsible for a breach. "If they know we're looking for them, we have a harder time finding them," he said.
But Boffetti said it's a fair question to ask why Equifax delayed notifying the public for six weeks. "And Equifax, I think, owes the public, and certainly owes the state AGs, an answer to that question."
In a statement Friday, Equifax said its security team observed "suspicious network traffic" on July 29 associated with its U.S. online dispute portal web application. It blocked that traffic and continued to monitor network traffic.
When suspicious activity continued on July 30, the company said, it took the web application down.
Equifax now says that "unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017."
Equifax also announced on Friday that its chief information officer and chief security officer are "retiring."
So what can consumers do to protect themselves? Boffetti said one option is to put a fraud alert on their accounts, which requires lenders to make sure someone is who they say they are before opening a new account.
A more serious step is a credit freeze, which prevents anyone from accessing your credit report without a special PIN. That's a good option, he said, if you're not planning to open any new accounts or apply for a loan in the foreseeable future.
You only have to sign up for a fraud alert with one of the credit monitoring agencies; it will be transferred to the others. But for a credit freeze, you'll have to sign up with all three agencies, Boffetti said. And under New Hampshire law, companies are allowed to charge up to $10 to place, or lift, a credit freeze.
That means it can cost consumers $30 to place a credit freeze with all three credit reporting companies - and $10 each time they want to lift a freeze to open an account or apply for a loan.
Last week, Equifax belatedly announced that it will waive the usual fees to those affected by the data breach and will reimburse anyone who already paid them.
But Rep. Edward Butler, D-Harts-Location, wants to take it a step further. He got a call from a constituent asking why he has to pay a $10 fee for a credit freeze to protect himself "because of Equifax's problems," he said.
By law, if a consumer can prove he's a victim of identity theft, he doesn't have to pay the fee. But Butler said, "You shouldn't have to prove anything."
He's working with Boffetti on a bill to require companies to waive that fee when a customer has been notified of a data breach. "If it has been shown that there has been a significant breach like that with Equifax, then there should be no reason to impose a fee in order to have a security freeze," he said.
Boffetti also expects the state attorneys general will push Equifax to cover the cost of credit freezes at all three companies in this case. "It was Equifax that was breached, and so if a consumer decides that they want to put a freeze on their credit, they shouldn't have to pay," he said.
There's another risk after such a massive data breach, Boffetti warned. Hackers often package the stolen personal data and sell it to criminals who then send out scam emails or calls, seeking personal information such as bank account numbers. "The general rule of thumb is you never give out any personal information to anyone unless you are absolutely sure of who you're dealing with," he said.
And if you do notice an uptick in scam calls or emails, he said, "That may be another indicator that you need to take more active steps."