Who will pay to clean up massive T-Mobile hack?
It seemed like old times, only worse. Once again, there was a corporate data breach. Once again, the personal information of unwitting consumers was siphoned off by the global fraud and identity-theft industry.
This time, however, it wasn’t a health insurer or hardware chain that got hacked. It was one of the three national credit bureaus that’s supposed to protect us from such abuses, whose tendrils reach into every corner of our financial lives. And what got stolen wasn’t just credit card data but birthdates and social security numbers – everything a fraudster needs to create a whole new you.
Last Thursday, T-Mobile announced that the personal data of 15 million applicants for its phone service had been stolen from Experian, the credit bureau that processes its applications. Once again, personal-finance pundits across the land issued the same sage advice: do what Time calls the “one foolproof thing you can do to prevent this kind of identity theft: Freeze your credit report.” That way, when fraudsters apply for credit in your name, the figurative teller’s window will drop shut in their faces.
But that advice carries a stinger: You have to pay for that protection. Experian and the other credit bureaus routinely provide free credit alerts, but they charge a fee ($10 in this state) to freeze your credit. They charge again each time you lift the freeze to apply for credit yourself, and again when you refreeze it. They do provide these services gratis if you provide a police report showing your identity has been stolen – i.e., if the horse is out of the barn and the barn’s burning down.
This adds insult and a little injury to injury. You’re supposed to pay the guy who just spilled gasoline all over you not to light a match.
Yesterday I asked representatives of Experian, T-Mobile, and the Washington Attorney General’s Office if they might be doing anything to fix this situation. “I’ll have to refer you to Experian on the credit freeze and fraud alert services they’re offering, as I know they’re planning to provide some more information on this very shortly,” T-Mobile’s Clint Patterson replied. Experian hasn’t responded yet to repeated inquiries.
The AG’s office offered some news. “We have a preliminary agreement in principle with Experian’s counsel that they will waive costs to consumers for credit freezes,” says AG’s spokesman, Peter Lavallee. He doesn’t know if that agreement will also cover credit freezes at Transunion and Equifax, which are necessary for meaningful protection or what other redress Experian may provide pending any regulatory or class actions.
“The overall relief they’re going to offer is still under discussion.” But it won’t just include T-Mobile customers in Washington, Lavallee says. “We’re acting with other states as well as on our own. There’s a working group involved through the National Association of Attorneys General.” Speed may be key to heading off fraud attempts, but when the free freezes will become available is “still being worked out with the company.” Anxious consumers will still have to decide whether to pay for freezes now or wait.
That’s some consolation, but questions remain about not just Experian’s behavior, but that of T-Mobile and so many other vendors greedy for personal data. Why does the company need to get your social security number and conduct a credit check, subjecting you to one more vulnerable database, just to give you month-to-month phone service? It’s already run your credit card.
UPDATE, 10/13/15: The Washington Attorney General's Office announces that Experian will provide free credit freezes to T-Mobile customers affected by its data breach. But this freeze will not apply to Transunion and Equifax; customers must obtain (and pay for) separate freezes there.
One reader, Thane Walkup, reports that he was able to obtain a police report of identity theft from the Mukilteo Police Department after he was among the millions whose personal data got stolen in the Premera cyberattack last January. He used that to obtain free credit freezes and lifetime unfreezing as needed from all three credit bureaus.
Mukilteo's police are more obliging than Seattle's. Following Walkup's example, I tried to to report the theft of my personal data to SPD and was told I'd have to show actual fraud – money, not just identifying data – stolen before they'd take a report.