On Sunday, 19 March around 10AM I received an email with the subject line IMPORTANT: ProtectMyID Surveillance Alert. I was busy at the time so I flagged the message and moved on with my day. I had received these alerts a few times before when applying for credit cards and getting a home loan. While I hadn't done either of those things lately, I still was not particularly alarmed by the subject alone and had many other things on my mind. Going about the busy day, I promptly forgot about the email.
Before starting the work day the next morning, I noticed and remembered the email in my inbox. Why do I even have ProtectMyID? Because my personal data was part of a breach at some point. Which breach? I don't even recall - there have been so many. I opened the email and logged in to find that a new credit account with a provider I had never used had been opened in my name. Surprise! I am a victim of identity theft.
What do I do now?
Credit Reporting Agencies
First, a bit of background - ProtectMyID is a service available from Experian, one of the three Credit Reporting Agencies (CRAs) responsible for monitoring and "scoring" credit for individuals (whether they know it or not). The USA.gov website defines a CRA like so:
A credit reporting agency (CRA) is a company that collects information about where you live and work, how you pay your bills, whether or not you have been sued, arrested, or filed for bankruptcy. All of this information is combined together in a credit report. A CRA will then sell your credit report to creditors, employers, insurers, and others. These companies will use these reports to make decisions about extending credit, jobs, and insurance policies to you.
Basically, these agencies collect, "score" and sell your personal information to companies and sell your own information back to you in the form of credit reports and identity "protection" services. Not surprisingly, the other two agencies (Equifax and TransUnion) have similar services.
Want to monitor your information at all three agencies? That'll be about $50 per month for basic service. In fact, upon logging in to check this new alert, the ProtectMyID website displayed a big warning box telling me that my service is about to expire and I will need to pay if I want to continue using it. Good timing!
Oh, a discounted rate!
An Attempt to Dispute
Anyway, on to (what I guessed to be) step one: dispute this new account on my credit report. Included with each alert on the ProtectMyID website is a big red Dispute Item button - great, this should be simple! I clicked the button for the fraudulent account and was redirected to a page where, for some reason, I had to click another button indicating that I wanted to dispute an item on my Experian report.
Next, I was asked for a "report number". Taking a look at the help on the page, I realized I did not have one because I didn't have an actual credit report, just the ProtectMyID alert. I navigated my way back to the alert page and found a "Credit Report" link. I clicked the link and was greeted with a blank page - no error, no content, just blank. Upon doing this I recalled the exact same thing happening multiple times in the past. At least once, I received an "error" message explaining that this was not part of the free service.
In fact, the actual credit report is not even part of the paid service, that costs extra!
Lacking an actual credit report, Experian provides another path - provide all my personal information and answer a series of questions about the contents of my report in order to access it and dispute the item. My options in this round, each with a multiple choice list of answers including a NONE OF THE ABOVE, included:
- A current or previous phone number that is associated with you.
- The last four digits of your primary checking account number.
- A person you have lived with in the last 10 years.
- A city that you have previously resided in.
This has happened every single time I have attempted to verify myself to Experian in particular (Equifax and TransUnion have worked fine). I have not always been entirely sure of the answers, but in this case (for this blog post) I am actually 100% sure I answered them all correctly.
So this leaves me with two options: print and mail a letter to Experian and wait for the response or try something else. Let's try something else...
Included with the alert on ProtectMyID is a phone number for the reporting company (bank, creditor, etc.) so I decided to check that for the fraudulent record and reach out directly.
The "phone" entry for the new account alert: "BYMAILONLY". Helpful.
I scrolled through the rest of my alerts and found the same bank again, along with two other unknown entries! All three of these entries were for "hard" inquiries - meaning a company received my credit report at "my" request (see also: Hard vs. Soft Inquiries), only I didn't make any of the requests and all three occurred on February 20, nearly a month prior to my alert!
Why didn't I receive alerts about these hard inquiries from ProtectMyID? How has this terrible infrastructure failed this time? It didn't, actually. The emails went to an address I had recently migrated away from and I forgot to update my address with ProtectMyID. I checked the old email and, sure enough, all three alerts were there. Oops.
The hard inquiry alert for Bank #1, unlike the open account alert, does contain a phone number. I gave that number a call and quickly got connected to an agent who was very helpful - this was a nice relief when other avenues were failing me. The first thing the rep asked for was my full name, then my address, then my social security number... this conversation gave me a bit of pause, but ultimately it's understandable that all this information is needed in order to verify my identity. Nonetheless, it left a bad taste in my mouth to be providing this sort of information over the phone in response to its being compromised and used fraudulently.
It turned out that the account was opened, but immediately flagged for suspicious activity and, luckily, no charges were made with the account. The rep closed the account, initiated an internal investigation and provided me with some ideas for next steps. Overall very positive.
Next, I called the number for Bank #2 associated with its hard inquiry. Again, I was able to get to a rep pretty quickly. Again, I was asked to provide my name and address. However, in this case I was only asked for the last four digits of my social security number. This was at least a bit more comforting. The rep found the fraudulent application, denied it, started an internal investigation and provided me with a reference number. Quick and easy.
Here again no phone number is provided with the alert, so I went searching for a number on the bank's website. Interestingly, they have a page dedicated to identity theft which basically says "Don't call us, call the FTC". Undeterred, I dug up another number, gave them a call and quickly discovered that they have no interest in talking to anyone other than account holders...
After about five minutes of responding to the same prompts with the same answers and pounding keys, I managed to get an actual person on the phone. Here again I had to provide all the same identifying information to get the issue addressed. The rep found and closed the application, but did not say anything about investigating or provide any reference number.
Getting My Credit Reports
Everyone is entitled to a free credit report once per year (how lucky!). I was not at all surprised to find that searching for "free credit report" online turns up more than a few phonies. The actual website associated with the law is AnnualCreditReport.com.
I walked through the process and had relatively little trouble. Equifax and TransUnion both provided sane verification questions and allowed me to download the report immediately. Experian, on the other hand, once again provided some odd questions and was not able to verify me. Apparently, I will receive a letter and code (to access my report) via the mail within three weeks. Three weeks.
I reviewed the Equifax and TransUnion reports closely and, despite finding a number of things that surprised me, did not find any additional fraudulent entries.
While I am relieved that I was able to retrieve two of the three reports and that nothing additional was found, I find it rather perplexing that this information is kept so secret from the people that it "rates". The fact that these reports can only be retrieved once a year and otherwise must be paid for is terrible. If I had not happened to have a service provided because of a breach at just the right time, it may have taken me years (and potentially a denied credit application or worse) to find this or more serious damage.
While these Credit Reporting Agencies maintain and "score" such deeply personal and potentially harmful information, protective services should be provided to individuals free of charge.
Credit Report Protections
With all this information in hand, I began thinking about the future and wondering how on Earth I can prevent having to go through this headache again. Eventually, I found that there are a couple of options to protect a credit report in various ways. While not exactly what I was thinking, it seemed like a good enough start. There are generally three options:
1. Fraud Alerts
This is a 90-day alert that adds a requirement of placing a phone call with a number associated with the alert to verify any new inquiries or accounts. It can fall off or be renewed after 90 days. This also, apparently, entitles you to a free credit report, but I did not test this. (Fraud Alerts)
2. Extended Fraud Alerts
This alert goes quite a bit further. It lasts seven years, entitles you to two free reports from each agency and takes your name off pre-screened offer marketing lists for five years. Each agency must be contacted separately to enable this alert and it may require additional paperwork and proof of actual identity theft. (Extended Fraud Alerts)
3. Credit Freezes
The most serious of the three options, a credit freeze prevents almost all access to a credit report. The durations and rules for credit freezes vary from state to state and, unlike fraud alerts, most credit freezes require paying a fee (unless you have a police report, in some cases). Generally, except for state-imposed limits, this type of protection lasts until you have it lifted. (Credit Freezes)
Placing a Fraud Alert
I chose to place an initial 90-day fraud alert because the credit freeze option seemed a bit extreme and the requirements of the extended alert, as indicated by Experian, seemed daunting. I used Experian's Fraud Alert Center to walk through instructions that eventually gave me a phone number to call. The number was a fairly straightforward automated system that took a few pieces of information, supplied me with a confirmation code and set the alert.
How does this appear on a credit report? On my TransUnion report, in the form of this simple note:
SECURITY ALERT: Initial Fraud Alert: Action may be required under FCRA before opening or modifying an account. Contact consumer at (xxx) xxx-xxxx. (Note: This alert is set to expire in 07/2017.)
Why do I know this? Despite setting the fraud alert on 20 March, I received a new ProtectMyID alert email noting the addition of the same fraudulent account to my TransUnion report. While I can accept some amount of lag between systems, it greatly concerns me that this addition was not prevented three days after I placed the fraud alert.
The lack of urgency, shoddy technical systems and poor usability of these CRA tools make the industry seem entirely out of touch with the feeling of urgency I suspect most people have when something like this happens.
Alerting the FTC
As my final step (for now), I created an account and filed a report at IdentityTheft.gov. The guided questions leading to the sign up form were actually quite useful in helping me remember which breaches my data has been caught up in.
Side note - I attempted to verify one breach that I wasn't sure about and was rather disappointed when, after submitting all my info (yet again), I landed on a simple page explaining that I would receive a response by mail within some weeks.
Once signed up and logged in, the site provides a detailed checklist-style tool for walking through all the basic response steps. Many of these things I had done already, but I was happy for some extras such as links relating to protection services offered by specific breached companies and ready-to-send form letters for banks and other institutions.
Ultimately, this was a vital tool and probably would have been a better starting point for the entire ordeal. One particularly interesting fact I picked up from reviewing things with this tool is that the identity theft "report" provided should be all I need to add an extended alert to my credit report. The FTC puts it rather simply:
If you’ve created an Identity Theft Report, you can get an extended fraud alert on your credit file.
Compare that statement to this one from Experian's Fraud Alert Center:
If you are a victim of identity theft and submit a copy of a valid identity theft report that you have filed with a Federal, State or local law enforcement agency, then you may request an Extended Fraud Victim Alert, which lasts for 7 years.
As it turns out, the FTC is a federal law enforcement agency, so Experian's statement is essentially true but perhaps misleading. If the IdentityTheft.gov report (which is basically a letter of attestation) is truly all that is needed - why not simply link to the site? The statement as it stands would likely deter anyone who hasn't suffered significant harm and already filed a local police report.
I am currently waiting for two items in the mail:
- My Experian credit report
- A confirmation letter from a large breach
Once those items arrive, I will review and take any necessary additional steps. I will also probably make use of the extended fraud alert. Some information in my Experian report is necessary for that so I have some time to think it over.
If I were doing this all over again (and hey, maybe I will!), I would follow these steps in this order:
- File a report at IdentityTheft.gov.
- Call the involved banks (or other institutions).
- Get a credit report from each CRA (either from AnnualCreditReport.com or by adding initial fraud alerts).
- Add an extended fraud alert to each CRA's report.
Despite the fact that these agencies talk amongst each other and that the banks claimed they would repeal the fraudulent information, I am compelled to use every possible avenue to report and correct things. The lack of urgency displayed by the agencies in particular does not instill any confidence.
In the end, I am still left feeling quite vulnerable. My information is definitely out there - I already knew that and wasn't happy about it. But now it has been used, and thus confirmed, in the wild. This is information that does not expire and is not easily changed, and I'm supposed to be content with one year of free "protection" (which is just monitoring)?
All of the protective services, credit reports and scores offered by these agencies should be provided to the individuals they affect at no charge. If Experian, Equifax and TransUnion are to profit from such sensitive, private information by selling it to third parties, they must also bear the burden of monitoring and protection.