Anybody who’s ever tried to get something erroneous or outdated wiped off their credit report knows just how tightly companies like Equifax cling to our information — even when it’s wrong.
Disputes go nowhere. Inept investigations drag on for months. In Massachusetts, dozens of people in recent years have had to hire lawyers and file lawsuits just to get Equifax to acknowledge obvious errors that show up whenever someone applies for credit. New mortgages, credit cards, apartment leases, and more all hang in the balance.
So it was particularly galling to hear that Equifax, one of the big three credit reporting agencies, had been hacked between May and July, giving up the sensitive personal information of some 143 million people. That data includes everything someone would need to steal an identity: Names, addresses, social security numbers, and in some cases drivers license numbers and credit accounts.
If Equifax protected the personal information of millions of Americans with the same zeal it reserves for overdue bills from six years ago, maybe this wouldn’t have happened.
“It’s like trying to get into Fort Knox to get it changed when there’s something wrong,” said Joe Culik, a Boston lawyer who represented a Haverhill woman in her 2016 lawsuit against Equifax. “But for other people to be able to get in? They didn’t use the kind of security they needed.”
When Philip Cole was working to repair his credit, Equifax was one of the companies that made sure his every youthful fiscal misstep followed him wherever he went.
Now, thanks to the company’s failure to secure sensitive data from hackers, the financial identity Cole spent years rebuilding is probably for sale to the highest bidder on the internet.
Cole, 28, is the named plaintiff on a lawsuit against Equifax, filed in federal court in Boston on Monday as a precursor to a class action. The lawsuit alleges that Equifax was negligent in failing to protect millions of people’s personal information.
Similar lawsuits have been filed in Oregon, California, and elsewhere in the days since news of the massive hack broke.
“I’ve worked pretty damn hard and paid tens of thousands of dollars to get my credit back where it needs to be,” Cole said on Monday. If the data taken from Equifax is used to steal his identity, all that work will have been for nothing.
“It’s extremely ironic. And it’s scary frankly, that a company like that can be breached,” said Nicholas Ortiz, the Boston lawyer representing Cole.
But Cole’s lawsuit was just the most recent against Equifax. Several others detail just how difficult it is to get the company to do right by people over whose lives it holds too much sway.
A Beverly man whose identity was stolen alleged in a 2012 complaint that he sent police reports, certified letters, sworn statements and more to Equifax over the course of two years, pleading with the company to remove bogus information form his report before he finally sued.
A Jamaica Plain man sued Equifax in 2014 after the company refused to remove an erroneous item from his report even though public housing court documents showed the error.
And an Everett man sued in August when Equifax and the other reporting agencies allegedly refused to remove supposedly delinquent loans that had actually been consolidated. There are dozens more.
They paint a picture of a company whose often invisible and unsteady hand dictates much of our lives — where we can live, what and whether we can drive, how comfortable or hungry the wait until payday will be. And while it’s true that we are not directly the credit agencies’ customers, any entity with this much say in our lives owes us better than this. At the very least, they have a duty to keep this information secure, no matter how much that effort cuts into their bottom line.
In another irony, the near-certain identity theft enabled by the hack is likely to torpedo the credit of countless people who will have to do battle with — you guessed it — Equifax to get the fraudulent debts removed from their record.
“I think people have a really hard time getting Equifax and other credit reporting agencies to remove inaccurate information,” said Culik, who said he has handled several cases involving unresponsive credit reporting agencies. “The disputes . . . just tend to go into a black hole.”
Equifax did not respond to e-mails seeking comment.
Cole, a single father of two who lives in Methuen and works as a helicopter paramedic out of Dartmouth-Hitchcock hospital in New Hampshire, said he relies on credit to make ends meet each month, floating expenses earlier in the week until payday.
He has been unimpressed by the company’s attempts at assuaging the millions of people it hung out to dry — unsurprisingly, a company dedicated to making sure our mistakes are never forgotten is bumbling its way through its own screw up.
“Equifax so generously offered me a year free of their credit protection, or whatever,” Cole said. You could almost hear his eyes rolling over the phone: The fine print of that offer, available to anyone affected, appeared to contain language that waives users’ right to sue (Equifax has said that language doesn’t apply to the hack). And it turns out the special personal identification numbers the company was giving out to people seeking to lock their credit reports so no one can apply for new credit in their names were based on the date and time of the request — and almost comically easy to guess, potentially allowing the accounts to be unfrozen (Equifax switched to randomly generated PINs after the vulnerability was discovered).
None of this — nor the months-long delay between the hack and when the company revealed it publicly — inspires much confidence that things are being straightened out, and our identities are protected. Instead, the company is asking all of us to do something it never would: Take their word for it.Nestor Ramos can be reached at firstname.lastname@example.org. Follow him on Twitter @NestorARamos.