Lifelock offers to protect you from the Equifax breach — by selling you services provided by Equifax
The ID theft protection firm Lifelock is certainly one of the big winners from the big data breach suffered by Equifax, which exposed the personal information of 143 million Americans to hackers.
Lifelock has been going to town on the Equifax breach, with ads and press releases trumpeting how the breach proves how valuable its own services (cost: up to $29.99 a month) can be to protect you from identity theft.
“A major credit bureau just experienced a breach potentially impacting 143 million people,” the firm says on its web page. “Don’t wait to get identity theft protection.” An executive of Symantec, Lifelock’s parent company, told Bloomberg that since the Equifax breach was reported, LifeLock’s web traffic has increased six-fold and enrollments per hour are running 10 times ahead of the pre-Equifax era. “Most are paying the full price, rather than discounts,” the executive said. “It’s a really incredible response from the market.”
Here’s what Lifelock isn’t advertising so widely: When you buy its protection, you’re signing up for credit reporting and monitoring services provided by, yes, Equifax.
The relationship is still active, according to a statement Lifelock issued to me by email late Monday. Lifelock’s terms of service, a small-print 6,000-word document on its website, lists Equifax Consumer Services LLC as one of its “service providers.” It specifies that as a Lifelock customer you’re authorizing Equifax “to obtain your consumer report information, including your credit information, from the personal credit report” maintained by itself and its fellow credit reporting firms, Experian and TransUnion. This enables Equifax to generate a FICO-like credit score for you and to “locate” your credit reports in the three firms’ records.
In its statement, Lifelock said it is “following this situation closely” and “at the conclusion of Equifax’s investigation, we will take whatever steps are appropriate to ensure that they are protecting their data to our satisfaction.” That still leaves Lifelock dealing with the fact that the credit firm it’s purchasing services from is the same firm whose dereliction it’s exploiting in its marketing.
But this may also require you to hand over to Equifax personal data it might not have acquired through its relationships with banks and credit card issuers, the usual sources of the data in your credit report. That’s according to Jeff Bell, the CEO of LegalShield, a Lifelock competitor. LegalShield buys the same services that Lifelock gets from Equifax, but buys them from Experian instead. As it happens, Lifelock used to buy these services from TransUnion, until switching over to Equifax. Bell says customers of firms like his—and presumably Lifelock—are asked to provide driver’s license and passport numbers as well as email addresses, so that potential credit hacks using those data can be tracked and unearthed by the ID theft companies.
The relationships between Lifelock and LegalShield on the one side and Equifax, Experian, and TransUnion on the other underscore how deeply ingrained those three credit reporting agencies have burrowed into our entire credit information system. They’re the repositories of some of our most sensitive personal information, yet also the vendors of services aimed at protecting consumers from the misuse of that very data.
As we’ve reported before, the consumers whose information is on file at Equifax, Experian, and TransUnion aren’t those firms’ customers—they’re the product. Their data is sliced and diced and sold to marketers using the information to target their pitches ever so much more precisely, and offered to banks and credit issuers deciding whether to extend credit, and at what price. Some car dealers won’t even let you take a vehicle out for a test drive before running your credit history first.
This all means that the credit reporting firms have zero incentive to protect your personal information to the last mile. And the early evidence of what caused the Equifax breach points to an alarming indifference at that firm to the consequences of a breach. The evidence is that Equifax had a timely warning that some of the software it was using had a gaping security hole and had been provided with a patch—but didn’t install it. Lifelock doesn’t have an especially sterling record for delivering what it promises to customers. In 2015, the company paid $100 million to settle Federal Trade Commission charges stemming from an earlier complaint that it vastly overstated how well it secured customer data and the level of protection it offered from ID theft.
“LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions,” the FTC alleged. The company also “falsely advertised that it would send alerts ‘as soon as’ it received any indication that a consumer may be a victim of identity theft.” The company had agreed to settle the charges in 2010 for $12 million, but failed to comply with the settlement terms. The $100-million penalty that followed was “the largest monetary award obtained by the commission in an order enforcement action,” the FTC said at the time.
This is the same company, by the way, that staged an audacious advertising campaign in 2006 by emblazoning its CEO’s Social Security number on the side of a truck and broadcasting it over the air. The idea was that it could do so with confidence that its services would protect the CEO from identity theft. In reality, his identity was stolen at least 13 times after the campaign began.
The CEO, Todd Davis, tried to spin the fiasco as proof that the service worked, since many more ID theft attempts were tried and thwarted. Davis left his CEO’s job after the $100-million settlement. Symantec bought the company last year.
Date : 9/20/2017