

My Equifax account was hacked, and Equifax doesn't care - pakile

Below is the text of my email to Equifax today.  Note: Separately from below, but for additional context, one of my Chase credit cards kicked off a fraud alert 1 day before the original Equifax email notice.  Apparently, someone was running around Brazil with a physical credit card with my name and number on it.  Chase said that sometimes scammers generate #s on physical cards, try to charge low-value amounts, and when they succeed, ratchet up the amount.<p>I&#x27;m sharing this because this past week has underscored how fragile our credit system is.  Now I&#x27;m navigating through credit alerts, reports, and monitoring services, and the process is byzantine and painful.  It feels like an arms race and one group is clearly losing: the customer.  The industry needs to come up with a better way to manage this and threats to the system and its users - without making its customers bear the burden, as is happening today.<p># part 1&#x2F;3 #<p><i></i>* My account - and possibly Equifax - was hacked.  The account has been marked for investigation.  However, Equifax possesses information that would help me investigate this breach.  I would like to request that the investigation be expedited and that that information be released to me as soon as possible so I can investigate this. <i></i>*<p>On May 28, I received an email notification from Member.Benefits@equifax.com that someone had changed the email address on my account.  A notice had been sent to the old and new email addresses.  The old account was &lt;email address&gt;.  It did not indicate what the new email address is.<p>The same day, I marked the email urgent in the subject line and wrote back that I did not request a change to my email address, and inquired whether this was a security intrusion.  Since I had not used Equifax or AnnualCreditReport.com recently, I was confident this was an unauthorized third party.
======
jeffmould
I feel your pain. The credit bureaus are antiquated in their processes and
make resolving issues a burden on the consumer. That is why I believe identity
theft is so prevalent because the thieves know that (a) by the time you catch
it they will be long gone, and (b) that the burden really falls on you to
prove something is going on buying them extra time to commit the crime.

I had my identity stolen several years ago and am still recovering from it.
While most of it has been resolved, from time to time I find issues that have
significant impacts. I even tried to get a new social security number but was
denied because the amount of damages was not significant enough to trigger a
reissue, although I have no idea and was never told what the trigger amount
was.

The best advice I can give you, is to do everything by snail mail. Send
certified letters (you can even do overnight if you have a few extra bucks for
quicker delivery) and keep track of everything. File a complaint with your
state attorney office (most have departments dedicated to working with you on
this). Send copies of everything to the state attorney as well as the credit
bureau. Snail mail takes longer (depending on how you send from a day or two
to receive all the way up to a week), but for some reason it actually
escalates your issue and does result in quicker resolutions than fighting with
people on the phone. It sounds like you caught it fairly quickly. Call the
other bureaus as well (Transunion and Experian) and put fraud alerts on your
file. It is simple to do with a quick phone call. They will also send you a
free copy of your report from them so you can double check. Finally, if you
have a good credit card company some will help you with resolving the issue
and dealing with the bureaus on your behalf. It is in their benefit to help
you if they can.

Good luck.

~~~
pakile
Thanks. This was very helpful. I had no idea it was even possible to get a new
SSN. Mind if I ask:

\- Did you find any 3P services like AllClear ID compelling/useful? Sounds
like Consumer Reports isn't a fan of these types of services vs. self-
monitoring. \- You mention snail mail > phone. What about email?

~~~
jeffmould
Yeah, new SSN is possible but they don't tell you what qualifies you
specifically (although they give guidelines) and what doesn't. I have heard it
is very random and you really have to present a compelling case to get one,
but just depends on how you present it to them.

As for the services, I keep fraud monitoring on from the three credit bureaus
now and I have never tried them but I think their product is essentially the
same, maybe a few added features here and there but nothing you can't do
yourself if just take the time and setup alerts. The only thing that is
frustrating to me (but a price you pay for security and piece of mind) is that
every time, and I mean every time, someone tries to run my credit I get an
alert and if it is me trying to do something (i.e. last year I made changes to
my car insurance) I have to authorize the transaction with the credit bureau
before it will go through. The more frustrating part is that some companies
will just outright deny you and not to you the reason right away so you can't
tell them to hold on a second let me fix that and call the bureau to approve
the transaction so it goes through.

As for snail mail vs. email. Never tried email. I spoke with a lady at the FTC
(they handle FCRA enforcement) and she told me that anytime I needed to get
something done or changed to use certified snail mail so I always had a record
of exactly when it was sent and when it was received. The credit bureaus have
30 days from the time they receive a letter to correct the issue and/or
respond with why they can't. My understanding was that certified snail mail
shows them you are serious about enforcing the timelines and makes their
antiquated processes actually turn a little faster. :) I honestly never tried
email and just went off what that lady told me. After my initial communication
with the state attorney's office I had a contact and any mail I would send to
the credit bureau I would also send a copy to them as well. I always put at
the bottom of my letters that I was copying the state attorney. Mainly I was
trying to use it as a scare tactic to get the credit bureaus to act positively
and quickly.

I still don't understand why the credit reporting agencies make it so
difficult to communicate with them regardless of method. They have so much
control over your personal information and how it is used yet they want
nothing to do with helping you get things fixed.

Good luck.

------
united893
I have my own subdomain, and every time I'm asked I usually put
<websitename>@mydomain.com.

When Equifax asked for my email address I gave equinox@<my domain>.com

Guess where I started receiving spam shortly thereafter? Yep, their mailing
database was hacked. Proof:
[http://postimg.org/image/j3qwslemb/full](http://postimg.org/image/j3qwslemb/full)

~~~
jeffmould
Most likely they weren't hacked. All of the credit bureaus sell your personal
contact information and it is easily bought. As part of that "data package"
they also include a rating (not credit score) of your credit so that
purchasers may pre-qualify you for offers.

------
bketelsen
[http://www.consumerfinance.gov/](http://www.consumerfinance.gov/) is your
best hope. They've got strong power over the banking/finance/credit industry.
The bureaus are scared to death of them. Find a phone number/complaint address
there and you'll get some action.

------
pakile
I ran into a login error on Transunion, and the password recovery wizard
wouldn’t accept my info. When I called, TU reported that my account had also
been taken over by a Yahoo! email address that wasn’t my own. Unlike Equifax,
however, this time I was able to get the email address.

When I asked Transunion if they could investigate this and/or coordinate with
Equifax, they said they don’t have any ability to investigate fraud like this.
I found this ironic given that they are supposedly in the business of
protecting consumers from fraud. Instead, they recommended I try to contact
the police but acknowledged it would be difficult to catch the person.

Any recommendations for how to catch this person?

------
pakile
# part 2/3 #

3 days later, on May 31, I received a reply that Equifax was unable to locate
the account, and requesting further information. I replied providing this
information. I received another reply from Equifax saying they could not find
the account, closing the ticket, and asking that I call in for support.

That same day (today), I called in and was connected to the Personal Solutions
department. I briefed the representative, Mike, on the background of the
situation and asked if there was a fraud or security department that could
investigate this. I was told no, and the closest department was Disputes,
which was closed on weekends. I indicated that if there was a hacking
involved, this might be time-sensitive, and could affect other Equifax
accounts. I was told there was no other way to get assistance.

I verified my identity with <rep_name>, who created a new account for me, and
was able to view the email change history, but said he could not release the
email address that the account had been changed to.

I requested 6 times to speak with a supervisor and was deflected each time.
After 1 hour and 15 minutes, I was put on hold for 15 minutes, then connected
with <supervisor_name>, the supervisor.

<supervisor_name> was helpful. She marked the account for investigation and
indicated that it would take 7 to 10 business days. I asked if this could be
expedited and she said sometimes it could occur more quickly but there was no
guarantee.

~~~
tzs
> I indicated that if there was a hacking involved, this might be time-
> sensitive, and could affect other Equifax accounts. I was told there was no
> other way to get assistance.

That's typical. A long time ago, I received an offer to sell me 100k stolen
credit cards, complete with phone numbers and zip codes of the card owners.
This was before the era of mega breaches and so 100k was a pretty impressive
list size. The offer included a sample of 10k cards. I did some investigation
and was able to determine that the sample, at least, seemed to be legit.

I then contacted the credit card companies, figuring they would be interested
in this. I figured they would take the samples, analyze them to find out the
common factors to identify where the cards were stolen from, and then flag
those cards, and the people they were stolen from and the merchants they were
going to be fraudulently used at would be protected by the next day.

Boy, was I wrong.

This was a Friday and it was after 5 PM. The best I got was one card company
gave me an email address that I could mail the 10k sample cards and the
information about the offer for 100k cards to, and someone would look at it
Monday.

I also tried law enforcement. The FBI suggested that I call the Secret
Service. The Secret Service was not interested.

I mailed the information to the email that the one credit company provided,
and gave up trying to get someone interested.

------
pakile
# part 3/3 #

I am deeply concerned that my account - and possibly Equifax itself - has been
hacked, and would like to request the following:

\- Please expedite the investigation into this intrusion. \- Please release
the email address that the account was changed to, so I can investigate this.
Otherwise, please work with the email provider and authorities to locate the
person who breached my account.

In addition, I would like to request that Equifax please fix it's protocol for
handling this type of situation. For instance:

\- In the original email notice, Equifax asked me to email back if the change
was not initiated by me. I did, but no one responded for 3 days, and when they
did, they did not act on the information and instead closed the ticket. When I
called, I was told I should call back during a weekday. Equifax should treat
this as a security issue and act quickly, and have a way for issues like this
to be addressed immediately instead of waiting days.

\- <rep_name> didn't have anyone to transfer me to. Equifax should have a
phone number or email to report fraud - not outside of Equifax, but affecting
Equifax's systems.

\- <rep_name> didn't have access to my full account info and was unable to
release any information that would help me investigate this fraud. Equifax
should have an escalation process for situations like this. Ideally, Equifax
should investigate potential breaches; and if they are unable to, should
release information to the user to help the user investigate breaches on their
account.

Sincerely,

<my name>

------
vba4lyfe
Its primarily because most people that contact the bureaus ARE full of shit.

------
lstrope
I found out around the same time as you that I was a victim of identity theft.
I live in S.F. and this punk lives in Las Vegas Nevada.

The person(s) in question opened several accounts using my Social # and my
name. They applied for loans and linked all these accounts back to the same
address in Las Vegas.

I am in the process of fighting it. You need to go here and do what they say
[https://www.identitytheft.gov/](https://www.identitytheft.gov/) (FTC
sponsored site.).

I suggest you go to
[https://www.identitytheft.gov/](https://www.identitytheft.gov/) and complete
the FTC affidavit. Once you have done that take it with you to the Police
Department in your area and have a police report filed.

I live in S.F. and the police department seemed perturbed to have to make a
police report for me - the amount of information I provided created too much
paperwork for them I think. They stated many times they aren't the ones who
would be investigating it and asked if I still want to file a police report -
to which my answer was YES ITS REQUIRED BY THE FTC.

I have found resistance throughout the entire process, from the crediting
agencies to the businesses that had the accounts in collections all the way to
the collection agencies and the Police. They all assume you are FOS.

The burden is completely on you and likely nothing positive will happen for a
while.

After paying $1 to get my TransUnion credit report they gave me identity theft
insurance (through TransUnion) which covers certain expenses... so save all
your receipts and file a claim against that insurance to get your money back.
I'm using this to get reimbursed for all the trips and time spent away from
work as well as the expenses of using FedEx's services/computers to get the
fax work done.

You need to check your Social Security account to make sure it has not been
compromised. [http://www.ssa.gov/](http://www.ssa.gov/) DO THIS BEFORE you
place a credit alert on your accounts or you will not be able to accss your
SSA account online and you will need to go to a brick/mortar location to gain
access to this information. Once a credit alert is placed on your account you
are one step closer to being safe... so do this right away.

A few key pieces of information you are going to need is \- Dates of all
fraudulent transactions, \- Phone numbers tied to the account, \- Addresses
tied to the account

You are going to need to provide proof it was not you - so you need some sort
of transactional proof that you were NOT in Brazil using a credit card.
Anything can help here - bills paid, rent, etc... I only hope that the period
in question was long enough to show that you could not have possibly been out
of the country for that long.

