Equifax Breach: Making Sense of ‘Identity’ Theft

Equifax made news recently for being the victim of a hack; their systems were compromised and data was accessed by person(s) that weren’t authorized to have it. Unfortunately, this is not an uncommon occurrence these days. Hacks happen all the time, to companies both large and small. Individual hacks aren’t really noteworthy any more. But what is particularly noteworthy about this incident is the data that was accessed: the personal (and supposed-to-be private) information of roughly half of the US population.

What information? Well, in addition to your “credit score” they have your social security number, current home address, home addresses going back several years, payment history on all your credit cards, your water bill, your cable TV bill, and who-knows-what else. This information is used by companies to determine whether or not you are a good credit risk. Whenever you apply for a loan, or a credit card, or rent an apartment (or do a host of other things), there’s a fair chance that your credit report is requested from Equifax or one of the other reporting agencies. This is how things have always been done. And, as a system for assessing credit risk, it works just fine.

The problem is, there’s an implicit assumption that your credit record (the information that Equifax et al. collect about you) actually identifies you.

And that’s ridiculous.

Occasionally someone has their identity “stolen.” I never liked that phrase. Movies notwithstanding, they can’t peel your face off, suck your brains out through a straw, or transport their consciousness into your body. All they can do is pretend to be you by accumulating enough information about you that someone who doesn’t know you will think they’re you. Usually the “someone who doesn’t know you” is a bank or a store, the someone pretending to be you wants something from them (money or merchandise), and the information is your SSN (traditionally a “secret number,” much like a password) and your address and phone number. The pretender hands the vendor your info, the vendor hands the pretender the goods, and then the pretender disappears with the goods, leaving the bill on the counter (to be picked up by you and/or the vendor).

Your identity isn’t something that someone can take from you. You are not data. And the data that gets collected about you does not constitute an identity. Are you your phone number? No? Then why would you be your SSN? Or any other data point? It’s pretty ridiculous, and that data should never have been used in that fashion, but it was, and it’s now loose on the internet.

But that’s okay, because Equifax is offering a year of free credit monitoring. Sure, that will fix the problem. As if data on the internet disappears after a year. Or two. Or ten.

There’s an old adage in economics: If I owe you a hundred dollars, I have a problem; if I owe you a hundred million dollars, YOU have a problem. That sentiment succinctly sums up my thoughts on this hack, to wit: If you have your identity stolen, you have a problem; if half the population of the US has their identity stolen, then EVERY VENDOR THAT DEALS IN CREDIT has a problem.

Just imagine: Half the US population. A 50% chance that anyone that applies for credit isn’t who they say they are. Take a moment and let that sink in.

Is that a data problem? Or an identity problem? And… do you like those odds?

P.S.

Consider this: If all that data had been encrypted, would this particular hack have caused such a huge problem for so many people? Even better, if all that data wasn’t being misused to establish identity, would it even matter if it was encrypted?