I Finally Froze My Credit Report and Why You Should Too
If you’ve not been the victim of identity theft, it’s only because the bad guys have not gotten around to you yet.
A half century ago, I started my career in enterprise IT with consumer credit reporting. At my first job at Macy’s, I was responsible for transmitting Macy credit records to TRW Credit Data (now Experian). Three years later, I went to work at TRW itself. Later in my career, I had several business associates who had been executives at Experian, including my late business partner. So, all this to say, I understand consumer credit reporting.
Now, as we have all seen over the years, consumer credit records are increasingly a source for identity theft. In fact, the Federal Trade Commission identified more than one million identity theft reports in 2023, resulting in total losses of over $10 billion. At the same time, on a more personal level, through services like Have I Been Pwned, I’ve been receiving an increasing number of notifications of personal data being exposed. Plus, my wife and I receive several letters a year from providers notifying us of compromised personal data.
Yet, over all these years, we never took the step to freeze our credit reports.
The Straw that Broke the Camel’s Back
Last month, my wife received another such notice, this one from some outfit called Change Healthcare (CHC).
Who the heck is Change Healthcare, and what are they doing with our personal data? The first paragraph of the notice gives a clue. (An online version of the full letter is on the CHC website.)
We are sorry to tell you about a privacy breach…. We work with many doctors, health insurance plans, and other health companies to help provide health services or benefits.
In other words, they are a business process outsourcing provider that one or more of our healthcare providers or insurance companies is apparently using.
The letter continues,
…a cybercriminal was able to see and take copies of some data in our computer system.
So, what data did they steal? Here’s where my blood started to boil:
“The data … includes contact information (name, address, date of birth, phone number, and email) plus one or more of the following: [underlined in the original]
Health insurance data…
Health data…
Billing, insurance claims and payment data (such as… payment cards, financial and banking, and balance)
Other personal data (such as Social Security number [emphasis mine], driver's license or state ID number, or other ID number).”
All of this is bad. But, especially, why on earth would this outfit need to store my social security number? [1]
I also wanted to know what specific steps CHC has taken to ensure this does not happen again. The letter gives no information other than this:
We are…making our computer systems even stronger than before. We do not want this to happen again.
Well, that’s reassuring—not.
A more detailed accounting of this security breach can be found on the Wikipedia page for Change Healthcare. It was a ransomware attack. In addition to damages to individual consumers, the financial damages are enormous for many healthcare providers.
To Freeze or Not to Freeze, That Is the Question
CHC is offering free credit monitoring services for two years for affected individuals. That seemed to me to be too little, too late, like monitoring the whereabouts of the horse once it has left the barn. We finally decided we needed to freeze our credit reports.
But first, some background. In 2018, the US government mandated that the credit reporting agencies (CRAs) allow consumers to freeze their credit and/or place a one-year fraud alert on their credit report at no charge. According to the Federal Trade Commission, a credit freeze (or, security freeze) “restricts access to the consumer’s credit file, making it harder for identity thieves to open new accounts in the consumer’s name.”
A fraud alert, on the other hand, only requires a business to get the consumer’s approval before opening a new account. To freeze your credit, which can be permanent, you need to contact each credit bureau separately. To set up a fraud alert, which can last from 90 days to one year, you only need to contact one of the credit bureaus, which notifies the other two. You can do both a freeze and a fraud alert, if you so choose.
Considering the increasing threat, and the fact that the credit freeze and fraud alert are free, you would think consumers would be signing up in droves. But that’s not the case. According to Lending Tree, in 2022 only about 17% of U.S. consumers had established either a credit freeze or fraud alert.
So, like a lot of people, I had been hesitant in the past to take this step. How difficult would it be to freeze our credit? And how difficult would it be to unfreeze (thaw) our credit record when needed?
So, I asked my LinkedIn connections. Had any of them done a credit freeze and what was their experience? Several friends indicated they had done so, and the experience was painless. One said that the credit freeze had “saved his bacon” on several occasions. That’s all I needed to hear.
But the larger consideration was, what choice do we have? As someone said recently, if you’ve not been the victim of identity theft, it’s only because the bad guys have not gotten around to you yet.
We opted to go with the credit freeze and skip the fraud alert.
Experiencing the Freeze
With the decision made, I contacted the three big CRAs through their websites. Here’s how it went.
Establishing an account with each CRA was relatively painless. The TransUnion website was a bit clunky, but I got through. In my case, it appears to work better with Chrome than Firefox.
To establish an account, each CRA sent a confirmation text to my mobile phone to confirm my identity. But none of them offer multi-factor authentication on subsequent logins. This surprised me, as all you need to do to unfreeze an account is to log in. For this reason, I set very strong passwords. But still, I’m not super comfortable with the lack of multi-factor authentication. [Update, Sep. 10: TransUnion does appear to require two-factor authentication, while Experian makes it optional. Equifax does not offer it.]
I practiced freezing and thawing my credit reports. The process really is painless.
I found it necessary to be careful in navigating the CRA websites. They are using the FTC mandate as an opportunity to sell more services. For example, they offer the mandated free credit freeze but also something called a credit lock, which is not free. (It is still not entirely clear to me how a credit lock differs from a credit freeze.) They also offer to alert you every time someone tries to access your frozen credit report—again, for a fee. There are also other paid services, which frankly I didn’t spend time researching. My advice is, be sure you know if you are signing up for the free service or some paid service. I see no need to pay for anything.
Once I had my accounts set up, I repeated the whole process for my wife.
The contact information for the big three credit reporting agencies (Experian, Equifax, and TransUnion) is on the FTC website. [2]
Fortunately, my wife and I are at a point in life where we don’t need a lot of credit, so having to unfreeze our credit reports is not something we should need to do often. And if we do need to, the process appears painless.
A Modest Proposal
I wonder, therefore, if, in the public interest, it would be better to have credit reports frozen by default and require consumers to unfreeze them when there is a legitimate need to give access, for example, when applying for a credit card or opening a bank account. I realize that this would place a significant burden on consumers and credit providers alike. However, too many organizations have shown that they cannot be trusted to protect consumer data. Freezing credit reports by default is not a panacea, but it would go a long way to cutting down on identity theft. [3] [4]
I sent a first draft of this post to my friend John Caruthers, CISO at Triden Group and former FBI supervisory special agent of the San Diego FBI Division’s National Security Cyber Squad. He commented specifically on this point:
I agree 100% that perhaps credit should be frozen by default. The government mandated the freezing of credit to be free, which was a good thing and a response to "why doesn't the government do something here?" Going a step further and mandating credit be frozen by default would be great (understanding that no matter what they do, swaths of humans will still complain). I did a TEDx talk in 2017 and the theme was exactly your point: We live in a world where we are forced to give our most personal data to third parties, AND THEN trust those same parties to protect it. And, they're falling short. This was seven years ago!
John’s TEDx talk, Why We Need to Wake up and Acknowledge the Cyber Threat, is still relevant and well worth watching.
End Notes
[1] It’s bad enough that many health care providers still have patient forms that ask for social security number. They have my Medicare number. They don’t need my SSN. I never give it to them, and not once has a provider insisted that I reveal it. They are just too lazy to change the form.
[2] Complicating matters, there are smaller CRAs that also maintain information on consumers. To be thorough, it is worth establishing a credit freeze for these as well. These include Innovis, ChexSystems, LexisNexis, and Clarity Services. Here is an overview with contact information for each of these.
[3] I am only using Change Healthcare as the latest example. There are many other organizations that have suffered massive theft of consumer data. Unfortunately, these include the three major CRAs themselves! In 2017, Equifax exposed the information of 147 million consumers, settling with the FTC for $575 million. In 2022, TransUnion disclosed a data breach that exposed personal data for over 200 million consumers. This included names, addresses, full Social Security numbers, financial account numbers, and driver’s license information. In 2022, security researchers notified Experian of a bug in its system that allowed criminals to “bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number.” Ironically, the bug was in the system that allowed consumers to check their own credit reports!
[4] Protection against financial loss and identity theft should go beyond a credit freeze. Any website where you maintain sensitive personal information or conduct financial transactions should have strong passwords as well as two-factor authentication. Examples include websites for your bank accounts, credit cards, brokerage accounts, retirement accounts, payment sites (e.g., PayPal, Venmo), e-commerce sites such as Amazon, eBay and the like, and any site where you stand to lose money if your login credentials are stolen. (I would also add social media accounts.) Sure, it’s inconvenient to always have your phone with you for an SMS text message or authentication app, but dealing with a fraudulent transaction is more inconvenient.
Image credit: Freepik
Patti, thank you. This is another confirmation that the process of freezing and thawing really is not painful.
Paco, totally agree with your idea of freezing one's credit report. My wife and I made that decision many, many years ago. Very easy and painless. I always like to hear a company I am doing business with say that I need to unlock my credit report(s). It gives me peace of mind.
Just recently, when the large Social Security breach hit, I was talking to a financial expert who mentioned that since I lock my credit reports, it was unlikely that they could breach our financials.