49 Equifaxes

28 Mar 2018


Many eggs in many baskets

In this digital age, almost everybody will have some piece of sensitive personal information leaked into the ocean of the Internet. It’s surprising, however, just how many groups have legal ownership of sensitive personal data and how few people know that these groups exist. Sadly, out of all the government agencies, the one that protects everyday consumers isn’t talked about all that often. Hint: it’s the Consumer Financial Protection Bureau (CFPB).

As a side note, I only speak for a US audience and on concrete sensitive info (address, birthday, phone number, SSN, driver’s license, etc.). User behavior and preference tracking – e.g. Facebook and Cambridge Analytica – are a different privacy topic that won’t be discussed.

Tracking back from Equifax

If you follow the Equifax 2017 breach remediation site or read some popular articles on credit bureaus and agencies, you might end up freezing or locking your credit report with the three major agencies. That might seem like sufficient protection.

If you’re thorough and do some more research, you might end up at the Reddit post on dealing with Identity Theft and also learn about ChexSystems and Innovis. Now you’re covering a few more bases that you most likely haven’t heard about.

At this point it seems weird that you needed to address any credit reporting agencies beyond the “Big Three” of Equifax, Experian, and TransUnion. Indeed, if you look further, you might find bits and pieces of other agencies such as here, here, and here. So there are even more groups that have big chunks of your financial and personal profile. But it still doesn’t seem like there’s a full list of these agencies and bureaus anywhere to be found – shouldn’t this info be readily available?

The group that you’re looking for would be the bigger class of consumer reporting agencies. The CFPB lists 49 (as of January 2018): dozens of smaller speciality reporting agencies serve similar financial purposes as the three major credit reporting bureaus (Equifax, Experian, TransUnion). Together, they capture all of the personal information anyone would ever want to know about you to make financial decisions based on your identity and history. Keep in mind that this list isn’t comprehensive: it only covers companies “that have identified themselves as consumer reporting companies or provide consumers access to their consumer reports.” See the blog post from the Obama administration on the rule created by the CFPB in 2012 to increase federal oversight on consumer financial data.

Full breakdown from the CFPB

The actual breakdown of consumer reporting agencies listed by the CFPB and broken down by category is as follows:

  • Nationwide consumer reporting companies (3)
    • Equifax, Experian, TransUnion
  • Employment screening (14)
  • Tenant screening (8)
  • Check and bank screening (6)
  • Personal property insurance (4)
  • Medical (2)
  • Low-income and subprime (5)
  • Supplementary reports (4)
  • Utilities (1)
  • Retail (1)
  • Gaming (1)

For reference, see the CFPB’s blog post from January 2018.

If you’re as curious as you should be, the current list from the CFPB can be found as a PDF here.

A lot of smoke, some mirrors

What really sucks is that many consumer reporting agencies are woefully brick-and-mortar.

The bigger players allow you to request or freeze your report online. But even then, they sometimes make choices that put their technological prowess into question. For instance, the official website Equifax stood up for disseminating information on the 2017 breach is https://www.equifaxsecurity2017.com/. Rather than setting up the site under the official https://www.equifax.com/ domain, the address instead resembles a fake URL cooked up for a phishing attempt and violates one of the cardinal rules for resisting phishing: never trust an address that’s not from the official root domain. This is especially ironic for a site whose purpose is to help people who have already had sensitive personal information leaked online.
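The root-domain rule above can be written as a hostname check. The following is an added example, not code from the original post; the allowlist `OFFICIAL_DOMAINS`, the function names, and the `example.net` lookalike URLs are constructed for illustration.

```javascript
// Assumed allowlist of official root domains (illustrative, not from the post).
const OFFICIAL_DOMAINS = ["equifax.com"];

// True only when the URL's host is an official domain or a subdomain of one.
function isUnderOfficialDomain(rawUrl, officialDomains = OFFICIAL_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing model browsers use
  } catch {
    return false; // unparseable input is never trusted
  }
  // hostname is lowercased by the parser and excludes userinfo and port,
  // so "official.com@other.net" resolves to "other.net" here.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host === "") return false;
  // Require an exact match or a match on a dot boundary. A plain substring
  // or startsWith test would accept lookalikes that merely contain the name.
  return officialDomains.some((d) => host === d || host.endsWith("." + d));
}

// The two URLs from the post plus constructed lookalike shapes.
const SAMPLE_URLS = [
  "https://www.equifax.com/",
  "https://www.equifaxsecurity2017.com/",
  "https://equifax.com.example.net/",     // official name used as a subdomain label
  "https://www.equifax.com@example.net/", // official name placed in userinfo
  "https://WWW.EQUIFAX.COM./help",        // case and trailing dot variants
];

function classify(urls) {
  return urls.map((u) => ({ url: u, trusted: isUnderOfficialDomain(u) }));
}

for (const { url, trusted } of classify(SAMPLE_URLS)) {
  console.log((trusted ? "official  " : "UNTRUSTED ") + url);
}
```

By this check the breach site is indistinguishable from a lookalike, which is the problem the paragraph describes: nothing in the address ties it to the official domain.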

Some smaller agencies don’t even have a website, and their existence can only be confirmed digitally via third-party websites that post their phone numbers and addresses. This makes it extremely difficult to find out that these agencies even exist, let alone request or freeze your report.

Another interesting diversion is the concept of a credit lock rather than a credit freeze. A lot of the major credit reporting bureaus offer a credit lock that appears to be a more convenient and cheaper way to get all of the benefits of a credit freeze. But the biggest difference between the two is rarely highlighted: a credit freeze offers you protections guaranteed by law, whereas a credit lock “is simply an agreement between you and the credit monitoring company”. In other words, if you’re deciding between a lock and a freeze, it’s a good idea to pay the nominal fee of $5-$10 for the credit freeze.

Simple advice

How to really avoid being hurt

Fortunately, there are a couple of ways you can avoid being hurt by leaks of information from consumer reporting agencies. Here are a few suggestions:

  1. Be a criminal or some other financially serious offender
  2. Be dead or nonexistent
  3. Live off the grid and never interact with society

Actual practical guidance

The best thing you can do to protect yourself is to regularly check your consumer reports, as suggested by the CFPB and White House links already mentioned above. It’s funny that so few people know about free annual credit reports and how fishy the website looks.

Finally, you might as well initiate credit freezes on your most important accounts. It’s better to pay those $5-$10 fees to freeze and unfreeze your report each time it gets requested by another authority than to compromise your most sensitive personal and financial information.

Checking and, to a lesser extent, freezing reports across all the consumer reporting agencies takes a little money and a lot of time. So even if all the information were well-publicized and clearly laid out, most people probably wouldn’t bother going all the way to lock down their consumer identities anyways.