Equifax, one of the country’s main credit reporting companies, revealed last week that a data breach exposed up to 143 million Americans’ social security numbers and other personal information. Lawmakers are now calling for stricter rules protecting consumer data and for a probe of Equifax, three of whose managers reportedly sold company stock in July. We’ll discuss the scope and impact of the breach and what consumers should do to protect themselves.

Major Equifax Data Breach Prompts Demands for Investigation, Tighter Consumer Protection Rules

13 September, 2017

Mina Kim

Craig Timberg, national technology reporter, Washington Post

  • Pontifikate

    Many of these companies are little more than protection rackets who will sell your information and then tell you that thousands are viewing your information, then asking for money to protect your identification. Congress must investigate if that isn’t an oxymoron when their pockets are lined by these companies.

  • Noelle

    The irony is that I was given the free Equifax credit monitoring when some other data breach happened a few years back. Equifax deserves to go down!

    • Another Mike

      It is beyond ironic that an agency that declares how responsible people are with their money can be irresponsible with their handling of our data.

  • Another Mike

    I didn’t give Equifax the right to collect my personal information. By whose authority did they collect it?

    • Noelle

      This is totally irresponsible, they did not have the highest level of cybersecurity… As for your question: if you don’t want to have credit, own a home or a car, then you can live off the grid and maybe these credit reporting agencies won’t collect your info?

      • Another Mike

        I could just give three references and let it go at that.

  • William – SF

    What if any government regulations apply to credit reporting companies?

    • Noelle

      Let’s hope CFPB can investigate this, and that Congress will not gut this agency now

      • Another Mike

        They need to be federally licensed, like nuclear reactors, if they could ruin the lives of millions of people through carelessness.

        • Noelle


    • GregFieler

      I wish someone would answer this. I don’t want to have anything to do with Equifax and I don’t want them to have any data about me – for any purpose.

      It was bothersome for me to hear the initial headline for this 143M “Customers.” I have had the misfortune of having to deal with Equifax to correct wrong information, over and over, on my credit report (actually it would be more accurate to say ‘the report Equifax makes up about me’). It was most definitely not a ‘customer’ feeling interacting with them. Why is the burden on me to prove they are wrong? The burden should be on them to prove their sources of information are right.

      As an example. Several years ago Equifax told me that I could not challenge alias names on the report. Somehow a name showed up with my first name and my wife’s last name. She had kept her previous married last name so her name would be the same as her children from her previous marriage. Someone, probably Equifax, decided to manufacture this name as an alias for me – I could not get it removed.

      The best outcome of this in my opinion would be the right to opt-out from Equifax obtaining information about me and the ability to force Equifax to securely remove any information about me.

      Yep – probably puts them out of business…. I’m fine with that.

  • William – SF

    Equifax has offered a free credit freeze if initiated within 30 days, and a year of credit monitoring without cost. So all criminals need to do is wait a year, at most – how is this considered a meaningful remedy?

    • Gene K.

      It should be the rest of your life not 1 year.

  • pm05

    My ss card says that card/number cannot be used for identification.
    So… anyone – these credit agencies – should be sued for using it ????

  • Gene K.

    I tried the Equifax “check your number” website and it gave the same result no matter what combination of name and numbers you put in. It was a total sham.

  • Noelle

    Yes, the best protection is credit freeze. My sister-in-law was victim of ID theft, someone convinced her bank to change password and they were able to steal her ID to try to make some cash (she was able to close her accounts before too much damage was done). My husband was victim of ID theft too. They both have become very paranoid about ID theft and both have put credit freeze on their accounts.

  • nicole christie

    Why is our most sensitive financial information automatically given to the 3 credit rating services? Why do consumers not have a choice to opt out?

    • Noelle

      The only way to opt out is to live off the grid and live without credit, mortgage, car payments. Pay for everything in cash. Not practical if you want a typical mainstream life. Also, don’t join Facebook and give away your information about yourself for free.

      • nicole christie

        The bottom line for me is that it is my information and it should be in my possession unless I opt to share it for a specific purpose and to a specific lending agency. The credit reporting should be encrypted from the originating source and sent directly to the holder of the account. More than half of the items listed on my credit report are incorrect or outdated as well as my personal information. There are also credit inquiries listed that have requested information about me that I have never approved or even heard of. Apparently there is some option to refuse these types of inquiries but if you aren’t aware it’s even happening how would you know to request this option?

        I’ve also read about a call for banning the use of ssn’s

        • Noelle

          Write your representatives to get them to do something since the free market has not found a solution.

  • Lucky Luke

    I forget where, but I read that there is also a ransom demand. Did your guest come across any information about that?

  • Lucky Luke

    I went through a lot in the past few days trying to make sense and get more control of this cluster-mess. Just sharing what I learned, but please do your research as well. I read a good deal of articles that popped up on my feed, and they all seemed to give incorrect or uninformed advice. I am not sure if they were just poorly researched, or if it is just a matter of so many variables being applicable to each consumer.

    – there is a fourth smaller CRA called Innovis.

    – A credit/security alert is free with all 4 CRAs. It is good for 90 days, and will require that you provide a phone number where you are supposed to be contacted by anyone who wants to extend credit on the basis of your credit file. An ongoing credit alert will require that you mail in a police report, or proof from another agency (like IRS, etc) that shows there was identity theft (so, if no-one has tried to use your information you obviously cannot have a permanent security alert).

    – A security/credit alert is probably a good idea for most everyone. But again, it is only for 90 days.

    – credit freezes in the three big CRAs have associated costs, depending on state of residence, age, etc. Even if they let you enroll for a credit freeze for free, lifting it temporarily or permanently will cost you money (that is a profit center for the CRAs). Confusingly, they also offer other products that may cost more and per month. Generally it is not as easy to get to all the information up front, or clearly. You may end up not having to pay to enroll in a credit freeze, but they will not tell you that you may have to pay to have it lifted at any time. Innovis does not charge anything for credit freeze operations.

    – with a credit freeze you get a PIN number which you are supposed to use in order to do a temporary or permanent lift. This is not a number to lose.

    • William – SF

      Emphasizing one should contact all credit reporting agencies.

      • Lucky Luke

        Yes, that is true, and I should add that I never got to the bottom of which aspects of your record, or history is shared across all CRAs. I have read that a 90-day security alert only need be done at one of the 3 (or four?) CRAs.

        Seriously, the amount of confusion and misinformation about what you can and should do is really working against consumers. They really do not care about the consumer, just their data.

        I’ll add that I had a very positive experience with Experian when I had to call them to cancel a credit freeze. The folks I spoke with were so incredibly sweet. Doing the same thing with Equifax was outrageously grating. They made me grovel and beg. I don’t know why or how I kept my polite tone.

        To all: do not be fooled by the announcement from Equifax to lift the credit freeze enrollment fee. They have said they will and I trust that they will honor that, but it is not clear if they will charge you when you need to lift the freeze. Every time you apply for credit it will cost you $10 or whatever it is so your lender can look at your credit file.

        Given how tone-deaf they are, I’d assume they do all they can to fool you into paying them the $10 as many times as they can.
        143 million X 10 = do the math for how much they can rake in.

        And just to pile on, it was uncovered that the Equifax PINs for a credit freeze were made up of the date and timestamp. That is an incredibly and pathetically insecure PIN to issue. It’s like giving you 12345 as a password.

  • Another Mike

    One problem is that these agencies could not possibly take in enough money to cover the consequences of their negligence. So the first million people could sue, but anyone after that would be out of luck.

  • Lucky Luke

    I am a techie, and want to corroborate something the guest alluded to. Equifax seems to be a backwater of either ineptitude, cluelessness or laziness. The reason for the security breach was apparently an outdated software component (STRUTS) used by their web apps, which of course enabled the breach to propagate to another also out-of-date software stack.

    This is absolutely stunning, especially given that patches to the specific security flaws were available for a few months now. Anyone who has any software engineering experience in mission critical applications will tell you that any packages you rely on in your code will have a team that is fully immersed in keeping track of security flaws, fixes, and updates and driving changes to the live site as necessary.

    I have worked for many tech firms large and small, and granted, some are really bad at it. Any company that keeps personal data is practically a tech company, whether they like it, or not. There is absolutely nothing in this that tells me Equifax knows how to handle data, or whether they realize what their role is in the lives of people.

    Providing a secure site is a constant effort, and requires a multi-pronged approach. Companies that take security seriously will plan for the unthinkable but eventual breach, and re-architect their data and infrastructure so that it becomes practically impossible for anyone to get to all of it, or to make use of it. Companies that go that route still understand that it is theoretically possible for someone to break in but they’d have to be insiders to make sense of what to do once they got in. That is why in many mission critical applications only very few key individuals understand the complexities and interdependencies of the whole architecture.


Mina Kim

Mina Kim is KQED News’ evening anchor and the Friday host of Forum. She reports on a wide range of issues affecting the Bay Area and interviews newsmakers, local leaders and innovators.

Mina started her career in public radio at KQED as an intern with Pacific Time. When the station began expanding its local news coverage in 2010, she became a general assignment reporter, then health reporter for The California Report. Mina’s award-winning stories have included on-the-scene reporting of the 2014 Napa earthquake and a series on gun violence in Oakland.

Her work has been recognized by the Radio Television Digital News Association, the Society of Professional Journalists and the Asian American Journalists Association.

Mina grew up in St. John’s, Newfoundland and Oak Park, CA. She lives in Napa.
