VIDEO: Latest on the hack -- Freezes should be free, and we know how but not why
Click to watch me talking with Tom Costello on the TODAY show.
Consumers are still struggling with what to do in the wake of the huge Equifax hack, and the credit reporting agencies aren't necessarily helping much. Trans Union's website for credit freezes is still showing an "unavailable" message (You can, however, sign up for...). Meanwhile, Equifax still hasn't provided additional details about the incident to help consumers make intelligent choices about what to do next. Here's a roundup of where things stand on Friday, one week after the hack was first disclosed:
UPDATE 9/18 -- FREE FREEZES FOR ALL?
The Identity Theft Resource Center, a non-profit that helps folks recover from ID theft, has joined the common-sense chorus calling for free credit freezes for all Americans. If you don't need new credit, you should be able to block anyone else from getting new credit in your name, too. And it shouldn't cost you money. The agency is pushing a Change.org petition and a #FreeFromAll3 hashtag on Twitter.
“Credit freezes are an important tool in the fight against identity theft. While credit freezes are not right for everyone, the issue of cost should not factor into a consumer’s decision on whether or not to utilize one,” says Eva Velasquez, CEO and President of the Identity Theft Resource Center. “It is our hope that the credit reporting agencies will consider this and allow consumers to protect their identity, no matter their financial situation.”
One good reason to do this: People won't spend money on the wrong protection in the wake of the hack. See my story about this here: https://bobsullivan.net/cybercrime/he-wanted-a-credit-freeze-but-ended-up-with-a-20-a-month-trans-union-service-instead/
Speaking of that:
TRANS UNION FREEZE SITE BROKEN. BUT YOU CAN SIGN UP FOR A 'LOCK'
The most popular site on the Internet right now might be Trans Union's "This website is temporarily unavailable" page where its credit freeze instructions used to be. What's worse, the firm is steering visitors towards its TrueIdentity product instead. I wrote extensively about this here. Starting to feel like more than just heavy traffic bogging down a website.
SO WHAT SHOULD I DO?
Keep trying. But maybe wait a week or so. I have a long set of explicit 'what now' suggestions here. But the short version is: Don't sign up for any products right now. You have time to think about it. Heck, I saw an email from Costco this week offering ID theft services. Just take a breath and wait to see how this shakes out. I believe it's going to end with free credit freezes for everyone, and that's the best outcome.
WARREN CALLS FOR A NEW LAW
Sen. Elizabeth Warren (D-Mass) has introduced the Freedom from Equifax Exploitation Act. It would require a lot of common sense things. Here are its main provisions:
Would create a federal requirement for credit reporting agencies to freeze (as well as temporarily or permanently unfreeze) access to credit files at a consumer's request and at no cost.
Would also prevent credit reporting agencies from profiting off of consumers' information during a freeze, enhance fraud alert protections, and provide the opportunity for consumers to receive an additional free credit report following the Equifax data breach.
Would force Equifax and the other credit reporting agencies to refund any fees they charged for credit freezes in the wake of the Equifax data breach.
INVESTIGATIONS UNDER WAY
The Federal Trade Commission took the unusual step of saying it was investigating the Equifax incident. It normally doesn't comment on ongoing investigations. Also, Warren and others in Congress have called for additional investigations. Meanwhile, CEO Richard Smith will testify before Congress at a hearing on Oct. 3. It's in my calendar.
MUSIC MAJOR WAS HEAD OF SECURITY
You'll hear about this soon if you haven't already: Equifax's "Chief Security Officer" is a woman named Susan Mauldin. Yesterday, geeks who were asking each other who she was -- most security pros know each other -- discovered that, according to her LinkedIn profile, there was a good reason no one knew her. She had a bachelor's and master's degree in music composition, and no apparent educational qualifications for the security job. As of right now, her LinkedIn profile has been changed to say "Professional at Private," an obvious reaction to this story. It's entirely possible she was, and is, good at her job, and learned on the job. Also, there are certainly other high-ranking officials inside Equifax who have technical backgrounds. But this looks bad. UPDATE: Equifax's CSO and CISO have resigned.
EQUIFAX DIDN'T PATCH
The firm confirmed earlier reports that hackers broke in through an unpatched vulnerability in software called Apache Struts (Good technical details here). Even by generous calculations, the firm had about two months to update its systems and failed to do so. The flaw was announced in March and actively exploited immediately. A security pro I know and respect told me he went to work THAT NIGHT to start patching his firm's systems. Why Equifax waited, we will probably never know. It's sad to think none of this had to happen.
WE KNOW HOW, DO WE KNOW WHO, OR WHY?
Nope. And that's still the most important thing for consumers. Was it a kid on a joyride or a nation-state? There's plenty of speculation about the latter, but that's such a serious claim I'll wait for serious evidence to make it.