So my wife came up to me this morning, phone in hand, ready to type, and asked me for the last 6 digits of my social security. Being a very security conscious person, I asked why she needed six digits of my social security number as in my head I was thinking the usual amount of "verification" information is four digits. Six digits seems like a lot. There's only nine digits in a social security number, so if she were to enter six of the last digits into something, there's only 999 variations for someone to try before they've got my full SS number (as oppposed to 99999 variations if the last four digits are entered). So that's putting a little more of sensitive information out there than I typically like.
So I started looking into the breach further and wanted to verify where she was entering my information was legitimate.
It turns out that it was a legitimate Equifax website made specifically for their latest security breach of information where sensitive information, including social security numbers, were compromised.
It seems pretty unnecessary to me that they are asking for six digits along with your last name instead of the usual four digits and last name.
Reluctantly, on the Equifax security breach verification website, I entered my last name and the six digits required to check if my personal information was compromised.
Subsequently, I was angered by the response I received from the tool.
"Thank You. Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier."
This just made me angry, because they aren't telling me which of my personal information was impacted. Was it my full name? My address? My credit card information? My Social Security Number?
Most people don't realize, but losing your credit card number isn't a huge deal as long as you regularly check your statements. Credit card companies don't want people to be afraid of using credit cards so all the protections are in favor of the credit card user (the business that sold the item is who gets screwed in cases of detected fraud). It's pretty quick and simple to file a fraud claim, get your money back and get a new credit card number (the annoying part is having to change your card on all your automatic payments).
All I really care about is my Social Security number. That can't so readily be changed.
That's why Equifax's response message makes me so angry. It doesn't help me determine if I really need their protection service.
Now beyond that, the protection service they are offering is THEIR OWN SERVICE! Why should I trust the company that just lost my information to help protect me going forward!
But what really makes me angry is that this company, to which I never gave my sensitive personal information, lost my information, and then offers me a pathetic 1 year of their own protection service.
I think if you lose my social security number, something I never gave you and which I can virtually NEVER change, you should protect me for as long as I have that sensitive information attached to me, not just give me one year free protection and then start charging me thereafter; thus profiting from me going forward based on a problem you caused.
Seriously, what does 1 year of protection do for me? Will my social security number in the files that were downloaded suddenly erase themselves in a year?
Their whole response to this breach of information crisis feels more like a sales scam than like they are trying to help me out in the situation.