Need to know
- An Equifax breach has led one tech-savvy CHOICE member to call for better protections
- The member’s sensitive personal information is now in the hands of cybercriminals
- Does Equifax limit how long its credit search bans last for commercial reasons?
Australia's largest consumer credit reporting bureau, Equifax, has a duty to keep our personal information safe from cyber criminals. But the recent experience of one consumer suggests the company's safeguards leave plenty of room for improvement.
John, a CHOICE member who describes himself as a retired IT expert and cyber-security buff, discovered in September 2019 that his and his wife's Equifax credit reports had been illegally accessed.
"I suspect that the cybercriminals obtained some of my personal information elsewhere first, then used their existing captive account of an innocent small company to log in to the Equifax credit search portal," John tells CHOICE. "Equifax has since notified us that they have shut down the compromised company account."
John was alerted about the breach via Secure Sentinel, an information and identity protection service owned by Equifax (and no longer available to new customers).
"We received an immediate alert that the unauthorised credit search had occurred, and were able to notify Equifax immediately to place a ban on our credit files," John says. "We were effectively watching the cybercriminal activity unfold in real time."
Equifax acted quickly and blocked further access to John and his wife's credit reports.
Inaccurate information in your credit report can mean the rejection of a loan application.
As well as contacting Equifax, John got in touch with IDCare, a nonprofit anti-ID theft service, which referred the case to Equifax's head of fraud prevention. John says it "helped expedite things", adding: "I wanted to make sure that I had proactively nipped this in the bud, because if it gets out of control it can turn into a personal disaster and often there is little the authorities can do."
The breach meant the cybercriminals had John and his wife's personal information in their hands, including their:
- dates of birth
- driver licence numbers
- occupations and employers
- credit ratings
- credit histories.
It's the kind of information criminals can use to steal your identity and take out a loan or credit card in your name, among other things.
Inadequate credit report protections
John says that what bothers him about Equifax's handling of the security breach is its refusal to rethink its approach to keeping consumers' credit reports safe from cybercriminals.
After the breach was confirmed, Equifax offered an initial 21-day ban on access to John's and his wife's reports, as is standard policy.
It was followed by a three-month ban, but John had to make a strong case to Equifax to put this longer ban in place.
The three-month ban can be renewed, as it has been in John and his wife's case, but only on request. And Equifax has the right to deny that request.
"I don't believe the durations of these credit file freezes are anywhere near adequate," John says of the current timeframes. "Once someone's personal information has been compromised, it is potentially in circulation in criminal databases for the rest of that person's life. All the criminals have to do is wait three weeks to a year before they exploit the data."
John says he also thinks 12 months' access to Equifax Ultimate and its credit file alert service, which Equifax offers free to victims of breaches, is too short.
The service alerts consumers when a lender accesses their credit report, indicating someone has tried to take out a loan or get a credit card in their name. Without this service, the consumer might never find out.
Aside from what he sees as inadequate protection, John says he has another issue with Equifax: he hasn't been able to activate his free subscription, despite trying many times.
Credit search bans – not good for business?
John says he suspects that a commercial motive lies behind Equifax's lack of flexibility on the time limits.
Like its parent company in the US and credit reporting bureaus in general, Equifax Australia gets much of its revenue from lenders who pay a fee to access the credit reports of prospective borrowers to determine their creditworthiness.
Equifax Australia says it holds data on 19.4 million individuals. The consumer credit reporting industry in Australia currently generates about $727 million in yearly revenue.
"Equifax earns its living by selling access to citizens' credit file information, and it appears to me that they want to minimise the time it is in ban state," John says.
"Equifax makes a few dollars per search, while the victims of breaches may have their life savings stolen. I think Equifax should be more accountable for the security of their systems, and offer a lot more long-term protection when that security is breached."
In September 2017, Equifax in the US announced a security breach that happened in July 2017 and could have affected about 143 million US consumers.
"I expect they will not want to extend the free data protection concessions," John says. "If those numbers were repeated, they could go out of business."
Equifax refuses to budge
Events overseas didn't stop John from pressing his case with Equifax Australia and asking that the ban on access to his credit report and his subscription to Equifax Ultimate last longer.
But, in the end, his efforts proved fruitless.
"I have surrendered," John says. "If 143 million data-breached US citizens, with their army of lawyers and congressmen cannot negotiate a better deal, then I give up."
Equifax has repeatedly renewed the three-month ban on access to both John's and his wife's credit reports on request, but John says the company could do much better.
"I am a retired IT expert with an interest in cyber security and free time on my hands, and I have found it extremely difficult and time-consuming to work my way through the Equifax bureaucracy to get results, which I have still not fully achieved after three months," he says.
John says holding Equifax to its promise of a free 12-month subscription to Equifax Ultimate and its credit file alert feature has been frustrating. The service normally costs $14.95 a month.
"It has been as difficult as extracting teeth to receive the offer letters, then obtain the process to subscribe, then subscribe," he says. "Ninety-five days after the security breach event, after much follow-up with Equifax, my subscription is still not active for either my wife or myself.
"The latest roadblock is an error message when I attempt to create an online account: 'oops, something went wrong. That action is not allowed. Thanks for your understanding.' I tried four different browsers and two different Windows PCs. I am wondering if Equifax really wants to give away these free subscriptions."
What Equifax Australia says
First, we asked Equifax whether John's hunch was correct – that it wants to limit the time a credit report is banned from access for commercial reasons.
Second, we asked whether Equifax was deliberately making it difficult for John to access his free 12-month subscription to Equifax Ultimate, preferring instead to collect the regular fee of $14.95 a month.
Equifax corporate communications manager Belinda Diprose responded: "We're disappointed to hear that the CHOICE member who contacted you has had difficulty in accessing his free Equifax Ultimate subscription, this is certainly not our intention.
"We would need to look into the specific details of this case to help resolve it as quickly as possible."
Diprose did not respond directly to our first question, although she did make it clear that Equifax would extend the three-month ban indefinitely if it received a formal request.
Meanwhile, John says he's been in touch with the company again and again about his free Equifax Ultimate access. But instead of a resolution, he's been getting the runaround.