Privacy SOS

Just after launching data breach website, credit reporting agency sent password to user in plaintext

Equifax is one of the three large credit reporting agencies in the United States, which means it has a huge influence on whether or not you’ll get a loan to buy a house or send your kids to college, or even whether or not you’ll get a job. The company maintains a lot of personal information about you, including your social security number and date of birth, among many other sensitive details. That’s why it is extremely troubling to see that, according to one customer, Equifax sends passwords to users over email in plaintext.

In 2013, an Oregon jury awarded a woman nearly $19 million after Equifax bungled her credit report and refused to fix the errors. Julie Miller first became aware of the problems at Equifax when she was denied a loan in 2009. ABC News reports:

She requested and eventually received a copy of her report, which, she discovered, contained false identifying information, an incorrect Social Security number, a false birthday and false, derogatory collection accounts attributed to her.

She began disputing these inaccuracies starting in 2010. She repeatedly contacted the company and was repeatedly told Equifax needed further information before it could process her dispute.

Later in 2010 Miller was denied credit by Key Bank, based on her Equifax report.

After filing further protests with Equifax about the inaccuracies in her report, Equifax representatives told Miller her data had become "mixed" with another person's. They told her she would need to dispute the false information directly to her creditors.

In all, Miller tried eight times to get her report corrected. Finally, she brought suit in Oregon Federal District Court in October 2011.

The mixing of Miller's credit data with another person's meant that at the same time Miller was being sent the other person's unredacted personal information, her own unredacted personal information, including her social security number, was being sent to others.

The Miller lawsuit revealed that Equifax was contracting out the handling of consumer complaints to a firm based in the Philippines. Perhaps the company also subcontracts work dealing with its users' online engagement, leading to the emailing of passwords in plaintext? Ironically, in February 2014 the company launched a website to deal with large data breaches. A Vice President of Equifax Canada said, "To avoid being the next headline, businesses that collect and store data about their customers or employees must be pro-active in their efforts, and be better equipped and prepared to deal with [data breaches], as inevitably they impact all organizations, big and small." Good advice; Equifax might want to take it to heart!

Credit reporting companies have immense power over our economic well-being, and are notoriously unresponsive to consumer complaints. A 2013 survey found that while Equifax provided relief regarding over half of consumer complaints made to the Consumer Financial Protection Bureau, its competitor Experian provided relief in only five percent of reported cases. To see if your reports are correct and to learn how to fix them if necessary, follow the instructions provided by the US Public Interest Research Group. And be careful with your passwords.

© 2021 ACLU of Massachusetts.