Need to know
- Ben White pays $120 for his Equifax credit monitoring and identity protection service, but now he’s lost trust in the agency’s security measures
- Equifax says ‘less than 400’ people saw the credit report and personal details of someone than wasn’t them
- OAIC has received 228 complaints about credit reporting agencies since July 2019
Ben White was more than a little surprised when he logged into his Equifax Australia account – and up popped the credit report and personal details of a person he'd never heard of.
He paid Australia's biggest consumer credit-reporting bureau about $120 a year for its credit monitoring and identity protection service, and he'd received a notification that his credit score had been updated.
(Lenders view your credit history from Equifax and other credit-reporting bureaus when considering a loan application.)
"The details, including personal information, credit enquiries, account and repayment history were not mine, but those belonging to someone else," White tells CHOICE.
It would seem Equifax has a data-integrity issue and it concerns me that someone else may have access to my personal financial informationEquifax customer Ben White
The details also included the stranger's date of birth, driver's licence number, current and previous address, and employer.
"It would seem Equifax has a data-integrity issue and it concerns me that someone else may have access to my personal financial information," White says, adding "ironically, my annual fee includes 'identity guard insurance'. I didn't expect I might have to make a claim on the basis of a data integrity issue from Equifax."
He wasn't sure what to do next.
"I initially attempted to get in touch with Equifax, but to do so, a whole lot of personal information needs to be entered and I'm not sure I trust them with that," White says.
Equifax: Delete the file immediately
When White logged on again the next day, the issue had been resolved. But the incident had shaken his trust in the company.
"My details are back where they should be, but that gives me no confidence in the system Equifax has in place," he says.
Three days after the initial incident, Equifax emailed White with an "important update" and acknowledged what had happened, saying "we have recently experienced an issue which caused the credit report of another person to appear in your Equifax Your Credit & Identity member portal".
Equifax instructed White to delete the credit report "immediately" and reply to the email with the word "Confirmed" to indicate that he'd done so. (White has deleted the credit report).
Hundreds of credit-reporting complaints
We contacted the Office of the Australian Information Commissioner (OAIC), which oversees the credit-reporting industry, to get its view on the Equifax breach. OAIC told us it doesn't comment on individual cases.
But a spokesperson said OAIC "is always concerned by reports of inappropriate disclosure or access to personal information".
Under the Privacy Act, all organisations have to take reasonable steps to protect personal information from unauthorised access.
Credit-reporting bodies have particular obligations to ensure the security of the credit reporting information they holdOAIC spokesperson
The Act also "recognises the importance of protecting the privacy of individuals' credit information," the spokesperson says. "Accordingly, credit-reporting bodies have particular obligations to ensure the security of the credit reporting information they hold."
Credit-reporting agencies in general don't have a great track record in Australia (the other two major players are Experian and illion). Since July 2019, OAIC has received 228 complaints across the sector.
"Typically, complaints about credit-reporting agencies are about the accuracy of the information, access to the information, or security of the information," the spokesperson says.
The accuracy of credit reporting information determines your credit score, which lenders use to assess loan applications.
Spotty track record
This is not the first time CHOICE has reported on Equifax issues.
As part of an investigation in mid-2019, CHOICE staffers accessed 27 reports from Equifax Australia that, according to their recipients, were either surprising, confusing, incorrect or all three.
A surname was misspelt, a birth date was wrong, and a home-loan inquiry was listed that was never made
Credit cards that were no longer in use were still listed, active credit cards weren't listed, home-loan figures didn't reflect the amounts paid off, and active home loans weren't listed at all.
Worse, a surname was misspelt, a birth date was wrong, and a home-loan inquiry was listed that was never made.
In January 2020, we profiled the case of a CHOICE member and IT expert whose Equifax account had been hacked, making the case that Equifax's follow-up procedures left plenty of room for improvement.
$3.5m in penalties
And there have been other Equifax issues.
In October 2018, the Federal Court ordered Equifax to pay $3.5 million in penalties for violations of Australian Consumer Law relating to "misleading and deceptive conduct" and "unconscionable conduct". The Federal Court took action because, over a two-year period, Equifax told consumers its paid credit reports were more comprehensive than its free ones. Yet the information was actually the same in both.
Data of 143 million Americans hacked
And in 2017, Equifax Australia's parent company in the US (also Equifax) suffered a massive data breach when the sensitive personal information of 143 million Americans was hacked.
(The hackers got their hands on people's names, social security numbers, birthdates, addresses and, in some cases, driver's licence numbers. All in all, they stole the credit-card numbers of about 209,000 people.)
Every Australian is entitled to a free copy of their credit report once a year. It's a good idea to check for mistakes.
Equifax responds: 'a trusted custodian'
Although Ben White remains concerned about the security of his credit report and personal details, Equifax tells CHOICE this was a one-off incident.
"Equifax takes its role as a trusted custodian of Australians' credit information very seriously and the security of the data we hold is of utmost importance," a spokesperson told us.
Equifax takes its role as a trusted custodian of Australians' credit information very seriously and the security of the data we hold is of utmost importanceEquifax spokesperson
"Unfortunately in this one-off instance, a credit-reporting process required human intervention and resulted in one individual's credit report being made available to a limited number of Equifax subscribers. Action was taken very quickly to rectify this and measures have been put in place to ensure it does not happen again."
Pressed for details, the spokesperson said the limited number of subscribers were "less than 400".
Keeping your details safe
If you think your personal information has been improperly accessed or disclosed, take the following steps.
- Check your bank and credit-card accounts for unauthorised activity and contact your bank if you see any.
- File a complaint with the credit-reporting agency or other organisation.
- If the agency doesn't resolve the issue quickly and to your satisfaction, file a complaint with OAIC.
An OAIC spokesperson says: "We recommend that individuals respond quickly and take appropriate action if they become aware that their information has been disclosed to or accessed by a third party, such as checking accounts and credit reports, and watch out for scams."