OT: Equifax suffers data breach. 58% of U.S. adults likely affected.


seric
09-08-2017, 01:53 AM
Today Equifax announced a data breach that occurred in May and July of this year. PII was leaked on 143 million Americans, including Social Security numbers, driver’s license numbers, addresses, and birthdays.

209,000 individuals' credit card numbers were accessed.

They are offering those affected free credit monitoring for a year, provided by their own TrustedID service. The TrustedID service contains an arbitration clause in its ToS, which is a little amusing given the circumstances.

Three executives sold about $1.8 million worth of stock after the breach was discovered. It's claimed that they were not aware of the breach.

The 2017 Ponemon Cost of Data Breach Study places the average cost for each stolen record at $141.00, which is down a bit from 2016's $158.00 estimation. I still use a $200 per record figure when calculating what policies to require of my vendors. The lower $141.00 figure would place the cost of this breach at over 20 billion. A few billion more than their current Market Cap.

Louis
09-08-2017, 02:06 AM
I've had PII / SPI information about me leaked by both the company I work for (multiple times) and by the US Govt, I see no reason why even more folks shouldn't get in on the act.

http://images.clipartpanda.com/moderation-clipart-jixEg7AiE.png

paredown
09-08-2017, 07:37 AM
Equifax did not explain why more than two months passed before it discovered the hack, which also affected an unspecified number of consumers from Canada and the U.K.

LOL

Fire the IT data security team.

And then there is the report that there was a large sell off of shares by management just before the announcement of the breach.

GonaSovereign
09-08-2017, 07:46 AM
Anyone know this guy's home address? I bet there are a few people who'd like to pay him a visit. (Knowing full well that he won't be tried for his insider trading.)

"Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported."

ref: https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?_r=1

OtayBW
09-08-2017, 08:09 AM
The TrustedID service contains an arbitration clause in its ToS, which is a little amusing given the circumstances.

If true, this sucks even more. I was under the impression that for obtaining credit reports, you had the ability to opt out from the arbitration clause if given written notice within some time period. I'm waiting to find out more about the terms of their new protection service after this breach, and whether we will get screwed by the company twice.

Any suggestions out there for other options?

EDIT: I just read EFX's Arbitration Clause in their ToS which you must agree to in order for them to check whether you have been affected by the breach. I saw no such opt out clause and decided to hold off on taking advantage of their kind generosity in helping the public understand whether we've been impacted by their screw-up. All this occurred between mid-May and July 29th. Took them >5 weeks to report it...

joosttx
09-08-2017, 08:26 AM
5 Ways to Protect Your Finances After Equifax Data Breach - The Wall Street Journal
https://apple.news/AQS1VosaETauTNOZkk9XT3Q

OtayBW
09-08-2017, 08:28 AM
5 Ways to Protect Your Finances After Equifax Data Breach - The Wall Street Journal
https://apple.news/AQS1VosaETauTNOZkk9XT3Q
Thanks - looks good, but cannot read without subscribing. I'll see if I can dig this up elsewhere.

54ny77
09-08-2017, 08:34 AM
That's gotta be totally coincidental.

And the tour dee france is doping-free as well!

LOL

And then there is the report that there was a large sell off of shares by management just before the announcement of the breach.

OtayBW
09-08-2017, 08:52 AM
5 Ways to Protect Your Finances After Equifax Data Breach - The Wall Street Journal
https://apple.news/AQS1VosaETauTNOZkk9XT3Q
Thanks - I wasn't able to view w/o a subscription, but I did run across another useful/recent article with some interesting dialogue in the comments section at the end.
http://www.cleveland.com/business/index.ssf/2017/09/devastating_data_breach_at_equ.html

nicrump
09-08-2017, 09:07 AM
short answer

"we're sorry but please feel free to create a free online account with us so we can monitor activity on your data. just enter your critical information into our robust secure system. we promise it will all be ok."

Geeheeb
09-08-2017, 09:43 AM
Ars Technica has some great coverage, starting here: https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

I decided to wait on checking/enrolling after reading that to see if they improve security.

roguedog
09-08-2017, 09:48 AM
Hahaha.. this made me chuckle.


short answer

"we're sorry but please feel free to create a free online account with us so we can monitor activity on your data. just enter your critical information into our robust secure system. we promise it will all be ok."

nicrump
09-08-2017, 09:59 AM
Ars Technica has some great coverage, starting here: https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/

I decided to wait on checking/enrolling after reading that to see if they improve security.


sweet

What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Drmojo
09-08-2017, 10:11 AM
fight club


remember the ending?

MattTuck
09-08-2017, 11:26 AM
I've read some pretty interesting stuff lately regarding block chain applications, and this is one of the use cases that has a lot of promise.

Rather than allow any company to 'own' your financial data, so that they can provide credit rating analysis, the data could be stored publicly (and visibly to all) with no personally identifying data. When you want to get credit, you allow a third party to access and analyze your particular part of the block chain and provide a credit rating.

This has the benefits of 1) making the data auditable by you, so you can challenge it and make sure it is correct, and 2) Forces competition on the quality of analysis, not on the aggregation of private data.

paredown
09-08-2017, 12:05 PM
That's gotta be totally coincidental.

And the tour dee france is doping-free as well!

The comment on the Ars Technica coverage is perfect:

I love the fact that they expect people to buy that their CFO had no idea that there was a data breach. Our CFO is looped in if we suspect even one of our customer's sensitive data has been compromised. The idea that a breach of this magnitude was unreported to some of the C-level for weeks either means that they're willing to go take a bullet for someone who clearly violated a major law, or the company truly is incompetent in its reporting structure, to the point that it should be shut down. Of course, both of those things could be true.

Absolutely true--when I was an admin on a uni network handling confidential patient data (HIPAA), even a hint of someone seriously knocking at the door went up the food chain...

NHAero
09-08-2017, 12:27 PM
If those of you that understand this type of thing profoundly would make up a bullet list of actions for us normal dummies to take, that will be greatly appreciated.

DfCas
09-08-2017, 12:42 PM
So I checked and my data "might" have been stolen. Site says if I sign up for monitoring I waive rights. Can they contract away negligence?

Quilts
09-08-2017, 12:52 PM
If those of you that understand this type of thing profoundly would make up a bullet list of actions for us normal dummies to take, that will be greatly appreciated.

Not an expert on this by any means, but here's two quick steps I'd recommend.

-I'd start by placing a 90 day fraud alert on your file, it's free and requires lenders to contact you if anyone (yourself included) tries to apply for credit. More information on how to do so can be found here (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert).
-I'd also recommend requesting credit reports at annualcreditreport.com (https://www.annualcreditreport.com/index.action) to verify if any lines of credit have been opened without your knowledge. FTC site containing more information on these reports can be found here (https://www.consumer.ftc.gov/articles/0155-free-credit-reports).

If you are a victim of identity theft, then you will want to file a police report and I'd look into freezing your file with all three credit bureaus. More info on that can be found here (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). You will also want to fill out and send a Form 14039 (https://www.irs.gov/pub/irs-pdf/f14039.pdf) to the IRS notifying them of the identity theft.

45K10
09-08-2017, 01:16 PM
So I checked and my data "might" have been stolen. Site says if I sign up for monitoring I waive rights. Can they contract away negligence?

Yep me too
I just tried to access my credit report from Equifax and got a "the system is down for maintenance" message. I definitely don't want to waive my rights. What a load of crap.

pasadena
09-08-2017, 01:21 PM
Great info, thanks!

Not an expert on this by any means, but here's two quick steps I'd recommend.

-I'd start by placing a 90 day fraud alert on your file, it's free and requires lenders to contact you if anyone (yourself included) tries to apply for credit. More information on how to do so can be found here (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert).
-I'd also recommend requesting credit reports at annualcreditreport.com (https://www.annualcreditreport.com/index.action) to verify if any lines of credit have been opened without your knowledge. FTC site containing more information on these reports can be found here (https://www.consumer.ftc.gov/articles/0155-free-credit-reports).

If you are a victim of identity theft, then you will want to file a police report and I'd look into freezing your file with all three credit bureaus. More info on that can be found here (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). You will also want to fill out and send a Form 14039 (https://www.irs.gov/pub/irs-pdf/f14039.pdf) to the IRS notifying them of the identity theft.

yngpunk
09-08-2017, 01:38 PM
Not an expert on this by any means, but here's two quick steps I'd recommend.

-I'd start by placing a 90 day fraud alert on your file, it's free and requires lenders to contact you if anyone (yourself included) tries to apply for credit. More information on how to do so can be found here (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert).

If you're not planning on opening credit anytime soon, I'd recommend locking your credit vs a simple fraud alert, which prevents anyone (yourself included) from accessing your credit file or opening credit in your name. You're still able to unlock your file as needed, but just takes some advance planning. Cost depends on state and age, but typically costs $5-$10 per reporting agency.

Quilts
09-08-2017, 01:52 PM
If you're not planning on opening credit anytime soon, I'd recommend locking your credit vs a simple fraud alert, which prevents anyone (yourself included) from accessing your credit file or opening credit in your name. You're still able to unlock your file as needed, but just takes some advance planning. Cost depends on state and age, but typically costs $5-$10 per reporting agency.

Solid advice, I only didn't recommend it as an initial step because it could be slight overkill (in terms of time to contact all three agencies and their associated fees) if there's no indication that your identity has been compromised.

If anyone is choosing to go this route I have the FTC page on freezing your credit linked above for additional info if needed.

yngpunk
09-08-2017, 02:06 PM
Solid advice, I only didn't recommend it as an initial step because it could be slight overkill (in terms of time to contact all three agencies and their associated fees) if there's no indication that your identity has been compromised.

If anyone is choosing to go this route I have the FTC page on freezing your credit linked above for additional info if needed.

The process of freezing your credit has become a lot easier. I think you can do it completely online now. It used to be the only way to do it was to send in a bunch of documentation and wait for their reply. It's much more common now, and most vendors/people don't balk when you tell them you have to unlock your credit first...I remember when people would give me funny looks when I told them I had frozen my credit file.

NHAero
09-08-2017, 02:16 PM
Thanks so much.

When you say "there's no indication that your identity has been compromised" - aren't we concerned about this because once this occurred, we have no idea if our identity might be compromised a month from now, with information stolen two months ago?


Solid advice, I only didn't recommend it as an initial step because it could be slight overkill (in terms of time to contact all three agencies and their associated fees) if there's no indication that your identity has been compromised.

If anyone is choosing to go this route I have the FTC page on freezing your credit linked above for additional info if needed.

makoti
09-08-2017, 02:19 PM
fight club


remember the ending?

Can't talk about it....

OtayBW
09-08-2017, 02:39 PM
Not an expert on this by any means, but here's two quick steps I'd recommend.

-I'd start by placing a 90 day fraud alert on your file, it's free and requires lenders to contact you if anyone (yourself included) tries to apply for credit. More information on how to do so can be found here (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert).
-I'd also recommend requesting credit reports at annualcreditreport.com (https://www.annualcreditreport.com/index.action) to verify if any lines of credit have been opened without your knowledge. FTC site containing more information on these reports can be found here (https://www.consumer.ftc.gov/articles/0155-free-credit-reports).

If you are a victim of identity theft, then you will want to file a police report and I'd look into freezing your file with all three credit bureaus. More info on that can be found here (https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs). You will also want to fill out and send a Form 14039 (https://www.irs.gov/pub/irs-pdf/f14039.pdf) to the IRS notifying them of the identity theft.

Good advice, all. I looked into this a bit this morning and came to this same conclusion, more or less. The FTC site is really pretty good for this.

Ironically, the new Bureau of Consumer Financial Protection recently eliminated the arbitration clause/requirement for banks and other financial institutions, but not credit reporting agencies. There is apparently legislation being introduced in Congress that would roll back that change. I will let you draw your own conclusions as to where that originated.

And last, but not least, I predict the CEO of Equifax will get pinched big time for insider trading. From all I can see from this vantage, he needs to go b-bye....

Sent from my SM-G935V using Tapatalk

texbike
09-08-2017, 03:01 PM
Fire the IT data security team.


These guys rarely get the budget that they need to properly do their jobs. I doubt that Equifax was any different. They shouldn't be fired - but some of them will as the fall guy(s).


Three executives sold about $1.8million worth of stock after the breach was discovered. It's claimed that they were not aware of the breach.


These guys SHOULD be fired AND hung!

texbike
09-08-2017, 03:06 PM
The comment on the Ars Technica coverage is perfect:



Absolutely true--when I was an admin on a uni network handling confidential patient data, even a hint of someone seriously knocking at the door went up the food chain...

A standard IR program involves a playbook where the executives - including the CFO - are included in the response to an incident. They all have a specific role to play in a breach response. There is NO way in the world that the CFO didn't know about this within minutes of the IR being put into motion.

Quilts
09-08-2017, 03:09 PM
Thanks so much.

When you say "there's no indication that your identity has been compromised" - aren't we concerned about this because once this occurred, we have no idea if our identity might be compromised a month from now, with information stolen two months ago?

Totally, that was more aimed at the crowd who when checking with Equifax get a response indicating their data wasn't compromised. If that was the case some individuals may be comfortable with just reviewing their credit reports to ensure no unwarranted lines of credit have been opened and then setting a fraud alert to ensure no activity happens in the next few months without their knowledge. As an aside, this fraud alert can be extended, you just have to renew it again after the initial 90 day period.

If Equifax came back stating that your information was likely compromised, then I would certainly consider looking into more drastic measures like a credit freeze, potentially filing a police report, etc. as stated above.

MattTuck
09-08-2017, 03:13 PM
Anyone using something like LifeLock?

I should probably just freeze my credit.

texbike
09-08-2017, 03:14 PM
If you're not planning on opening credit anytime soon, I'd recommend locking your credit vs a simple fraud alert, which prevents anyone (yourself included) from accessing your credit file or opening credit in your name. You're still able to unlock your file as needed, but just takes some advance planning. Cost depends on state and age, but typically costs $5-$10 per reporting agency.

The process of freezing your credit has become a lot easier. I think you can do it completely online now. It used to be the only way to do it was to send in a bunch of documentation and wait for their reply. It's much more common now, and most vendors/people don't balk when you tell them you have to unlock your credit first...I remember when people would give me funny looks when I told them I had frozen my credit file.

Agreed! Freezing your credit is the way to go at this point versus establishing a fraud alert. At least that's what we're doing. Better to prevent an act of fraud versus reacting to it after the fact.

Here's a good article from Sophos - https://nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/

I'm amazed that security tools didn't alert on that massive of an exfiltration. Or that the data wasn't better protected via encryption or masking of certain data fields. The post-mortem on this one should be interesting...

Texbike

GunnarDude
09-08-2017, 03:30 PM
Wow, with a breach this big, they should be offering complimentary credit freezes.

Took the plunge and froze my credit anyways. I'd rather pay $5 to prevent fraud than thousands later to sort out an identity theft


Sent from my iPhone using Tapatalk

paredown
09-08-2017, 03:36 PM
...
I'm amazed that security tools didn't alert on that massive of an exfiltration. Or that the data wasn't better protected via encryption or masking of certain data fields. The post-mortem on this one should be interesting...

Texbike
Agreed--and it sounds like the point of origin (unsecured web hack) and the lack of data isolation for confidential data meant some serious deficiencies. This was the part that I thought should be a firing offense since it involves senior people, not minions.

Their business is confidential data--so that is job one.

yngpunk
09-08-2017, 03:37 PM
Anyone using something like LifeLock?

I should probably just freeze my credit.

The concern I have about LifeLock and other similar services is who is watching the watcher. The less people who have my personal information, the better. I prefer to pay the one time fee of $30 (maximum - depending on the state you live in, cost is usually $5-$10, often free if you're a senior or a victim of identity theft - need to provide a police report) vs. a recurring fee to a credit monitoring agency. You might also want to see if your homeowners/renters insurance offers an identity theft protection rider...often for very cheap, but would cover you if your identity is stolen. Unlocking credit file has a similar fee of $5-$10 per agency. Believe the pricing is state mandated, otherwise I'm sure the reporting agency would like to charge you a monthly fee for locking your credit...kind of like it costs $ to have your phone number UNLISTED, but I digress.

yngpunk
09-08-2017, 03:38 PM
Wow, with a breach this big, they should be offering complimentary credit freezes.

Took the plunge and froze my credit anyways. I'd rather pay $5 to prevent fraud than thousands later to sort out an identity theft


Sent from my iPhone using Tapatalk

Note that you need to freeze at all three reporting agencies, so that should be $15 in total

pasadena
09-08-2017, 03:46 PM
wow you guys are super helpful!
If you freeze your credit, does that affect your credit cards, travel, etc?

I'm wondering what it affects in your daily use?

Thanks all, really great info in this thread

Agreed! Freezing your credit is the way to go at this point versus establishing a fraud alert. At least that's what we're doing. Better to prevent an act of fraud versus reacting to it after the fact.

Here's a good article from Sophos - https://nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/

I'm amazed that security tools didn't alert on that massive of an exfiltration. Or that the data wasn't better protected via encryption or masking of certain data fields. The post-mortem on this one should be interesting...

Texbike

GunnarDude
09-08-2017, 03:49 PM
Will freezing credit at all three bureaus affect my credit score in any way? Any downside to keeping all three locked pretty much perpetually, except for a week or two when I may be applying for a new line of credit?

ftf
09-08-2017, 04:04 PM
Will freezing credit at all three bureaus affect my credit score in any way? Any downside to keeping all three locked pretty much perpetually, except for a week or two when I may be applying for a new line of credit?

No, they still collect all the information on you, they just don't allow access to that information by lenders and whatnot.

ftf
09-08-2017, 04:04 PM
wow you guys are super helpful!
If you freeze your credit, does that affect your credit cards, travel, etc?

I'm wondering what it affects in your daily use?

Thanks all, really great info in this thread

Unless you are applying for a new line of credit, it won't affect anything.

GunnarDude
09-08-2017, 04:10 PM
That's awesome. I have no plans to apply for another credit card or mortgage for many years, so I think I'm just going to lock it all. Bonus upside, if I ever find myself tempted to open another line of credit, I have to pay $15-25 to "open the gates"!


Sent from my iPhone using Tapatalk

OtayBW
09-08-2017, 04:11 PM
Credit Freeze vs. Fraud Alert (from the FTC, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs):

A credit freeze locks down your credit. A fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. For example, if you provide a telephone number, the business must call you to verify whether you are the person making the credit request. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions....

...To place a fraud alert on your credit reports, contact one of the nationwide credit reporting companies. A fraud alert is free. You must provide proof of your identity. The company you call must tell the other credit reporting companies; they, in turn, will place an alert on their versions of your report.
A credit freeze will also not affect your credit score.

texbike
09-08-2017, 04:18 PM
Credit Freeze vs. Fraud Alert (from the FTC, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs):


A credit freeze will also not affect your credit score.

A freeze is the way to go. There is very little downside.

It's much easier to deal with than an actual fraud event that could cost you thousands of dollars, negatively impact your credit score, and take years to clean up.

Texbike

Climb01742
09-08-2017, 05:25 PM
Thanks to everyone. Without this thread, I probably would have just let it slide and hope. Just froze all three credit score companies. As Texbike said, small hassle to prevent a huge one. This article has direct links to each company to freeze your credit scores.

https://www.nytimes.com/interactive/2017/technology/how-to-protect-data-online.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news

GunnarDude
09-08-2017, 06:23 PM
Yeah, kudos to everyone here. Probably wouldn't have taken any action without having read this thread. Better safe than sorry.


Sent from my iPhone using Tapatalk

NHAero
09-08-2017, 06:33 PM
I went to TransUnion from the NYT link, and I had to create an account, and it wants my SSN. Isn't that what we don't want to give these guys? Sorry if I'm obtuse - they need that to freeze credit?

A freeze is the way to go. There is very little downside.

It's much easier to deal with than an actual fraud event that could cost you thousands of dollars, negatively impact your credit score, and take years to clean up.

Texbike

ftf
09-08-2017, 06:35 PM
I went to TransUnion from the NYT link, and I had to create an account, and it wants my SSN. Isn't that what we don't want to give these guys? Sorry if I'm obtuse - they need that to freeze credit?

They already have it, they are merely using it as a way to identify you as you.

NHAero
09-08-2017, 06:58 PM
I was successful at TransUnion and Equifax, but Experian won't let me put a credit freeze online (filled out the forms twice) but rather wants me to do this by mail. Suggestions please?

OtayBW
09-08-2017, 07:25 PM
I watched some news coverage of this thing this evening, including a couple of business shows to see what the comments/recommendations were, and of course, they were all over this. However, not a one mentioned the arbitration clause if you accept the terms of Equifax's credit monitoring service....

TBLS
09-08-2017, 08:40 PM
I had the same experience with Experian online - would not accept form.

I called and worked via phone. 1-888-397-3742

seric
09-08-2017, 10:46 PM
According to the suspected perpetrators' Darknet page, the information stolen sans credit card numbers is stated to be released at 4pm UTC on the 15th unless a 600btc ransom is paid.

Appears to have used a vulnerability in Struts. The question of the day is whether or not it was the exploit made public in March, or one made public on September 4th. My money is on the former.

jimcav
09-08-2017, 11:29 PM
unless a 600btc ransom is paid.

i picture Dr Evil, shouldn't they add a few zeros?

Climb01742
09-09-2017, 05:31 AM
More info on how f'ed up a company Equifax is. And why asking them if your info has been breached is a scam. What bastards.

https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?utm_source=tcfbpage&sr_share=facebook

pasadena
09-09-2017, 07:49 AM
I've now read a few reports saying that Equifax scam may not be legal and I think NY is already saying it is illegal to waive rights in this manner. We will see but Equifax is the worst.

https://www.cnet.com/how-to/equifax-breach-find-out-if-you-were-one-of-143-million-hacked/

sonicCows
09-09-2017, 08:14 AM
More info on how f'ed up a company Equifax is. And why asking them if your info has been breached is a scam. What bastards.

https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?utm_source=tcfbpage&sr_share=facebook

I don't want to check with Equifax...why give your name and majority of SSN to the company that JUST lost all your info? :no:

SoCalSteve
09-09-2017, 09:06 AM
i picture Dr Evil, shouldn't they add a few zeros?

600 bitcoins at $4321 equals about 2.6 million dollars.

jimcav
09-09-2017, 02:01 PM
600 bitcoins at $4321 equals about 2.6 million dollars.

Versus million. Seems cheap for nearly 150 million accounts hacked

OtayBW
09-09-2017, 05:51 PM
More info on how f'ed up a company Equifax is. And why asking them if your info has been breached is a scam. What bastards.

https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?utm_source=tcfbpage&sr_share=facebook
They are indeed all smoke-and-mirrors. Not everyone is blind to the forced arbitration clause, however. From an article linked within the above:
The company clarified the forced arbitration clause in its terms of service after outcry by consumer advocates, including New York Attorney General Eric Schneiderman, who called the requirement “unacceptable and unenforceable.”

The company also now claims that 'the arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident'.

Further from the article (https://techcrunch.com/2017/09/08/equifax-says-it-wont-bar-consumers-from-joining-breach-related-lawsuits/)
In other words, if you use the service, any dispute regarding the service itself (e.g. the protections fail to work) would be forced into arbitration — but legal action relating specifically to the breach is not affected. I’ve contacted Equifax for more specifics, but their press office is likely being bombarded right now so it may be a while before they respond.
This article claims that you can opt out of the arbitration clause by writing a snail mail letter to the company at:

Equifax Consumer Services LLC,
Attn: Arbitration Opt-Out,
P.O. Box 105496,
Atlanta, GA 30348,
including your name, address, and Equifax User ID, as well as a clear statement that you do not wish to resolve disputes with Equifax through arbitration.

I would send it certified, myself.

shovelhd
09-09-2017, 08:37 PM
This article claims that you can opt out of the arbitration clause by writing a snail mail letter to the company at:

In this day and age, that is one stinking pile of dog ****.

Rpoole8537
09-10-2017, 08:25 AM
One advantage that I experienced when I froze my accounts several months ago, was that I do not receive five to seven credit card offers each week. Less junk mail to deal with.

yngpunk
09-10-2017, 03:45 PM
One advantage that I experienced when I froze my accounts several months ago, was that I do not receive five to seven credit card offers each week. Less junk mail to deal with.

You can also opt out of prescreened credit card offers without a credit freeze...I'd recommend doing both though:

https://www.consumer.ftc.gov/articles/0148-prescreened-credit-and-insurance-offers

xnetter
09-11-2017, 08:57 PM
I checked and I don't seem to be among those affected. Either way, I'm covered because Equifax is already monitoring my file from when the Canadian government lost my personal info in a security breach a few years back. THAT class action lawsuit is still working its way into the courtroom ...

What's a little more risk? FML!

KJ

Bostic
09-12-2017, 11:04 AM
LOL

Fire the IT data security team.

And then there is the report that there was a large sell off of shares by management just before the announcement of the breach.

These guys rarely get the budget that they need to properly do their jobs. I doubt that Equifax was any different. They shouldn't be fired - but some of them will as the fall guy(s).

These guys SHOULD be fired AND hung!

I'm an IT guy and yes we don't get the budget, we get the scraps that are left over which is barely enough. My stuff I'm responsible for is patched and always up to date. No matter how much I raise a stink though, other systems are present that are vulnerable and I can't do anything about it because people higher up the totem pole in other departments say so. It bugs me to no end but whatever, I've made my case of why something is a bad idea (systems vulnerable to wannacry, etc).

It is total BS that higher-ups were unaware. Every company I have worked for over the past 20 something years, knowledge traveled fast and swift. What was done with that knowledge, well that is another story.

Rpoole8537
09-12-2017, 03:34 PM
Equifax would not allow me to freeze today. They want a letter. Did I answer one of the questions incorrectly? It was the only credit bureau where I did not have a freeze because of a similar issue last year.
Can anyone say why?

Climb01742
09-12-2017, 03:41 PM
Equifax would not allow me to freeze today. They want a letter. Did I answer one of the questions incorrectly? It was the only credit bureau where I did not have a freeze because of a similar issue last year.
Can anyone say why?

I'd guess it may be, as you say, a missed question. Those questions took some thinking and remembering. I think I got lucky to get them right.:rolleyes:

Mark McM
09-12-2017, 04:05 PM
Regarding a credit freeze at Equifax:

If a hacker has all the same information about you that Equifax had, what's to stop said hacker from requesting that your credit be unfrozen?

OtayBW
09-12-2017, 04:15 PM
Regarding a credit freeze at Equifax:

If a hacker has all the same information about you that Equifax had, what's to stop said hacker from requesting that your credit be unfrozen?
I believe that you can update your password and request additional security questions/information be added to your profile at the time of the freeze request.

yngpunk
09-12-2017, 05:06 PM
Regarding a credit freeze at Equifax:

If a hacker has all the same information about you that Equifax had, what's to stop said hacker from requesting that your credit be unfrozen?

When you freeze your credit file, you will receive a credit agency generated PIN that will be required to unlock your credit.

yngpunk
09-12-2017, 05:11 PM
Equifax would not allow me to freeze today. They want a letter. Did I answer one of the questions incorrectly? It was the only credit bureau where I did not have a freeze because of a similar issue last year.
Can anyone say why?

That's the issue with the online credit freeze (or unfreeze for that matter)...no room for you to get a question wrong. System is set up to ask a series of questions, and if you miss one, automatically bounces you to send a letter. No chance to answer additional questions. Also, it's possible they have an old address for you in the system, which also messes things up when you try to do an online freeze. You could also try calling Equifax, but I suspect at this stage, it may be quicker to send that letter.