Equifax failed to install a security patch after it had been out for two months and got hacked, then failed to notice the hack for two months, then failed to notify the public about the hack for two months. This is obviously one of those WTF moments.
NPR has some tips on what to do to protect your credit: “After Equifax Hack, Consumers Are On Their Own. Here Are 6 Tips To Protect Your Data”
But the root of the problem is this: your Social Security number is used as both an identifier and as a means of authentication. Here’s an analogy: imagine a world where your email address was often both your username and your password. Maybe for some places it’s your username, and other places it’s your password. Stupid, right?
Like it or not, the credit reporting agencies are protected by the First Amendment. So you can’t wipe them out of existence. They also provide a pretty valuable service by providing lenders with a history of your ability to pay your bills so that you can get access to money you haven’t saved.
However, Congress could put in place restrictions on when and how the credit reporting agencies can share this data. This “free speech zone” for credit history could require that the agencies first establish a means of authentication so that only authorized entities could access your credit history. In other words, let’s assume that your Social Security number is out there in public as your username. And the credit reporting agencies need to establish some kind of password with you that you will then use on a case-by-case basis to unlock your history for a potential lender, employer, or landlord. It’s like when you agree to share your Facebook profile with some iPhone game to unlock some virtual currency. You’re in control of the transaction, your data is secure, and the only thing changing hands is permission to access the information.
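The split described above (SSN as a public identifier, a separately established secret as the authenticator, permission granted per request) can be sketched in code. This is an added illustration, not part of the original post; the HMAC-based grant format and the names `Bureau`, `make_grant` and `release_report` are assumptions made for the sketch.

```python
import hashlib
import hmac
import json
import secrets

def _tag(key, ssn, lender, expires, nonce):
    # Bind the grant to one person, one requester and one time window.
    msg = json.dumps([ssn, lender, expires, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_grant(key, ssn, lender, now, ttl=900):  # consumer side
    expires, nonce = now + ttl, secrets.token_hex(8)
    return {"lender": lender, "expires": expires, "nonce": nonce,
            "tag": _tag(key, ssn, lender, expires, nonce)}

class Bureau:
    def __init__(self):
        self._keys = {}     # ssn -> secret shared with the consumer
        self._used = set()  # nonces already redeemed (single use)

    def enroll(self, ssn):
        """Establish the 'password'; handed to the consumer once."""
        self._keys[ssn] = secrets.token_bytes(32)
        return self._keys[ssn]

    def release_report(self, ssn, requester, grant, now):
        """True only if the consumer approved this exact request."""
        key = self._keys.get(ssn)
        if key is None or not grant:
            return False  # knowing the SSN alone unlocks nothing
        if grant["lender"] != requester or now > grant["expires"]:
            return False  # wrong party, or the approval has lapsed
        if grant["nonce"] in self._used:
            return False  # each approval is good for one release
        good = _tag(key, ssn, grant["lender"], grant["expires"], grant["nonce"])
        if not hmac.compare_digest(good, grant["tag"]):
            return False  # forged or altered grant
        self._used.add(grant["nonce"])
        return True

def demo():
    ssn = "000-00-0000"  # constructed sample value, not a real SSN
    bureau = Bureau()
    key = bureau.enroll(ssn)
    grant = make_grant(key, ssn, "Example Bank", now=1000)
    return [bureau.release_report(ssn, "Example Bank", None, 1001),   # SSN only
            bureau.release_report(ssn, "Other Lender", grant, 1001),  # wrong party
            bureau.release_report(ssn, "Example Bank", grant, 1001),  # approved
            bureau.release_report(ssn, "Example Bank", grant, 1002)]  # replay
```

Only the third request in `demo()` is released: the SSN by itself, a grant presented by a different requester, and a reused grant are all refused.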
Image CC BY Juho Metsävuori