Hacker News
My Equifax account was hacked, and Equifax doesn't care
26 points by pakile 4032 days ago
Below is the text of my email to Equifax today.  Note: Separately from below, but for additional context, one of my Chase credit cards kicked off a fraud alert 1 day before the original Equifax email notice.  Apparently, someone was running around Brazil with a physical credit card with my name and number on it.  Chase said that sometimes scammers generate #s on physical cards, try to charge low-value amounts, and when they succeed, ratchet up the amount.

I'm sharing this because this past week has underscored how fragile our credit system is.  Now I'm navigating through credit alerts, reports, and monitoring services, and the process is byzantine and painful.  It feels like an arms race and one group is clearly losing: the customer. The industry needs to come up with a better way to manage this and threats to the system and its users - without making its customers bear the burden, as is happening today.

# part 1/3 #

* My account - and possibly Equifax - was hacked.  The account has been marked for investigation.  However, Equifax possesses information that would help me investigate this breach.  I would like to request that the investigation be expedited and that that information be released to me as soon as possible so I can investigate this. *

On May 28, I received an email notification from Member.Benefits@equifax.com that someone had changed the email address on my account.  A notice had been sent to the old and new email addresses.  The old account was <email address>.  It did not indicate what the new email address is.

The same day, I marked the email urgent in the subject line and wrote back that I did not request a change to my email address, and inquired whether this was a security intrusion.  Since I had not used Equifax or AnnualCreditReport.com recently, I was confident this was an unauthorized third party.

8 comments

I feel your pain. The credit bureaus are antiquated in their processes and make resolving issues a burden on the consumer. That is why I believe identity theft is so prevalent because the thieves know that (a) by the time you catch it they will be long gone, and (b) that the burden really falls on you to prove something is going on buying them extra time to commit the crime.

I had my identity stolen several years ago and am still recovering from it. While most of it has been resolved, from time to time I find issues that have significant impacts. I even tried to get a new social security number but was denied because the amount of damages was not significant enough to trigger a reissue, although I have no idea and was never told what the trigger amount was.

The best advice I can give you is to do everything by snail mail. Send certified letters (you can even do overnight if you have a few extra bucks for quicker delivery) and keep track of everything. File a complaint with your state attorney office (most have departments dedicated to working with you on this). Send copies of everything to the state attorney as well as the credit bureau. Snail mail takes longer (depending on how you send from a day or two to receive all the way up to a week), but for some reason it actually escalates your issue and does result in quicker resolutions than fighting with people on the phone. It sounds like you caught it fairly quickly. Call the other bureaus as well (TransUnion and Experian) and put fraud alerts on your file. It is simple to do with a quick phone call. They will also send you a free copy of your report from them so you can double check. Finally, if you have a good credit card company some will help you with resolving the issue and dealing with the bureaus on your behalf. It is in their benefit to help you if they can.

Good luck.

Thanks. This was very helpful. I had no idea it was even possible to get a new SSN. Mind if I ask:

- Did you find any 3P services like AllClear ID compelling/useful? Sounds like Consumer Reports isn't a fan of these types of services vs. self-monitoring.
- You mention snail mail > phone. What about email?

Yeah, new SSN is possible but they don't tell you what qualifies you specifically (although they give guidelines) and what doesn't. I have heard it is very random and you really have to present a compelling case to get one, but just depends on how you present it to them.

As for the services, I keep fraud monitoring on from the three credit bureaus now and I have never tried them but I think their product is essentially the same, maybe a few added features here and there but nothing you can't do yourself if you just take the time and set up alerts. The only thing that is frustrating to me (but a price you pay for security and peace of mind) is that every time, and I mean every time, someone tries to run my credit I get an alert and if it is me trying to do something (i.e. last year I made changes to my car insurance) I have to authorize the transaction with the credit bureau before it will go through. The more frustrating part is that some companies will just outright deny you and not tell you the reason right away so you can't tell them to hold on a second let me fix that and call the bureau to approve the transaction so it goes through.

As for snail mail vs. email. Never tried email. I spoke with a lady at the FTC (they handle FCRA enforcement) and she told me that anytime I needed to get something done or changed to use certified snail mail so I always had a record of exactly when it was sent and when it was received. The credit bureaus have 30 days from the time they receive a letter to correct the issue and/or respond with why they can't. My understanding was that certified snail mail shows them you are serious about enforcing the timelines and makes their antiquated processes actually turn a little faster. :) I honestly never tried email and just went off what that lady told me. After my initial communication with the state attorney's office I had a contact and any mail I would send to the credit bureau I would also send a copy to them as well. I always put at the bottom of my letters that I was copying the state attorney. Mainly I was trying to use it as a scare tactic to get the credit bureaus to act positively and quickly.

I still don't understand why the credit reporting agencies make it so difficult to communicate with them regardless of method. They have so much control over your personal information and how it is used yet they want nothing to do with helping you get things fixed.

Good luck.

I have my own subdomain, and every time I'm asked I usually put <websitename>@mydomain.com.

When Equifax asked for my email address I gave equinox@<my domain>.com

Guess where I started receiving spam shortly thereafter? Yep, their mailing database was hacked. Proof: http://postimg.org/image/j3qwslemb/full

Most likely they weren't hacked. All of the credit bureaus sell your personal contact information and it is easily bought. As part of that "data package" they also include a rating (not credit score) of your credit so that purchasers may pre-qualify you for offers.

Wow, and Equifax probably either has no clue they've been hacked or they're hiding it because they don't want to scare people.

http://www.consumerfinance.gov/ is your best hope. They've got strong power over the banking/finance/credit industry. The bureaus are scared to death of them. Find a phone number/complaint address there and you'll get some action.

I ran into a login error on TransUnion, and the password recovery wizard wouldn’t accept my info. When I called, TU reported that my account had also been taken over by a Yahoo! email address that wasn’t my own. Unlike Equifax, however, this time I was able to get the email address.

When I asked TransUnion if they could investigate this and/or coordinate with Equifax, they said they don’t have any ability to investigate fraud like this. I found this ironic given that they are supposedly in the business of protecting consumers from fraud. Instead, they recommended I try to contact the police but acknowledged it would be difficult to catch the person.

Any recommendations for how to catch this person?

# part 2/3 #

3 days later, on May 31, I received a reply that Equifax was unable to locate the account, and requesting further information.  I replied providing this information.  I received another reply from Equifax saying they could not find the account, closing the ticket, and asking that I call in for support.

That same day (today), I called in and was connected to the Personal Solutions department.  I briefed the representative, Mike, on the background of the situation and asked if there was a fraud or security department that could investigate this.  I was told no, and the closest department was Disputes, which was closed on weekends.  I indicated that if there was a hacking involved, this might be time-sensitive, and could affect other Equifax accounts.  I was told there was no other way to get assistance.

I verified my identity with <rep_name>, who created a new account for me, and was able to view the email change history, but said he could not release the email address that the account had been changed to.

I requested 6 times to speak with a supervisor and was deflected each time.  After 1 hour and 15 minutes, I was put on hold for 15 minutes, then connected with <supervisor_name>, the supervisor.

<supervisor_name> was helpful.  She marked the account for investigation and indicated that it would take 7 to 10 business days.  I asked if this could be expedited and she said sometimes it could occur more quickly but there was no guarantee.

> I indicated that if there was a hacking involved, this might be time-sensitive, and could affect other Equifax accounts. I was told there was no other way to get assistance.

That's typical. A long time ago, I received an offer to sell me 100k stolen credit cards, complete with phone numbers and zip codes of the card owners. This was before the era of mega breaches and so 100k was a pretty impressive list size. The offer included a sample of 10k cards. I did some investigation and was able to determine that the sample, at least, seemed to be legit.

I then contacted the credit card companies, figuring they would be interested in this. I figured they would take the samples, analyze them to find out the common factors to identify where the cards were stolen from, and then flag those cards, and the people they were stolen from and the merchants they were going to be fraudulently used at would be protected by the next day.

Boy, was I wrong.

This was a Friday and it was after 5 PM. The best I got was one card company gave me an email address that I could mail the 10k sample cards and the information about the offer for 100k cards to, and someone would look at it Monday.

I also tried law enforcement. The FBI suggested that I call the Secret Service. The Secret Service was not interested.

I mailed the information to the email that the one credit company provided, and gave up trying to get someone interested.

# part 3/3 #

I am deeply concerned that my account - and possibly Equifax itself - has been hacked, and would like to request the following:

- Please expedite the investigation into this intrusion.
- Please release the email address that the account was changed to, so I can investigate this.  Otherwise, please work with the email provider and authorities to locate the person who breached my account.

In addition, I would like to request that Equifax please fix its protocol for handling this type of situation.  For instance:

- In the original email notice, Equifax asked me to email back if the change was not initiated by me.  I did, but no one responded for 3 days, and when they did, they did not act on the information and instead closed the ticket.  When I called, I was told I should call back during a weekday.  Equifax should treat this as a security issue and act quickly, and have a way for issues like this to be addressed immediately instead of waiting days.

- <rep_name> didn't have anyone to transfer me to.  Equifax should have a phone number or email to report fraud - not outside of Equifax, but affecting Equifax's systems.

- <rep_name> didn't have access to my full account info and was unable to release any information that would help me investigate this fraud.  Equifax should have an escalation process for situations like this.  Ideally, Equifax should investigate potential breaches; and if they are unable to, should release information to the user to help the user investigate breaches on their account.

Sincerely,

<my name>

It's primarily because most people that contact the bureaus ARE full of shit.

I found out around the same time as you that I was a victim of identity theft. I live in S.F. and this punk lives in Las Vegas Nevada.

The person(s) in question opened several accounts using my Social # and my name. They applied for loans and linked all these accounts back to the same address in Las Vegas.

I am in the process of fighting it. You need to go here and do what they say https://www.identitytheft.gov/ (FTC sponsored site.).

I suggest you go to https://www.identitytheft.gov/ and complete the FTC affidavit. Once you have done that take it with you to the Police Department in your area and have a police report filed.

I live in S.F. and the police department seemed perturbed to have to make a police report for me - the amount of information I provided created too much paperwork for them I think. They stated many times they aren't the ones who would be investigating it and asked if I still want to file a police report - to which my answer was YES IT'S REQUIRED BY THE FTC.

I have found resistance throughout the entire process, from the crediting agencies to the businesses that had the accounts in collections all the way to the collection agencies and the Police. They all assume you are FOS.

The burden is completely on you and likely nothing positive will happen for a while.

After paying $1 to get my TransUnion credit report they gave me identity theft insurance (through TransUnion) which covers certain expenses... so save all your receipts and file a claim against that insurance to get your money back. I'm using this to get reimbursed for all the trips and time spent away from work as well as the expenses of using FedEx's services/computers to get the fax work done.

You need to check your Social Security account to make sure it has not been compromised. http://www.ssa.gov/ DO THIS BEFORE you place a credit alert on your accounts or you will not be able to access your SSA account online and you will need to go to a brick/mortar location to gain access to this information. Once a credit alert is placed on your account you are one step closer to being safe... so do this right away.

A few key pieces of information you are going to need are:

- Dates of all fraudulent transactions
- Phone numbers tied to the account
- Addresses tied to the account

You are going to need to provide proof it was not you - so you need some sort of transactional proof that you were NOT in Brazil using a credit card. Anything can help here - bills paid, rent, etc... I only hope that the period in question was long enough to show that you could not have possibly been out of the country for that long.