Equifax Loses 431,000 Tax Records: Why Credit Monitoring Isn't Enough

Equifax, one of the three major credit bureaus, disclosed this month that approximately 431,000 consumers had their tax-related information compromised through a vulnerability in one of their web applications. The exposed data included W-2 information, tax return details, and Social Security numbers.

Let that sink in: a company whose entire business is managing sensitive financial data failed to secure a web application.

What Happened

The breach occurred through Equifax's income verification service, a tool employers use to verify employee income for loan applications, rental agreements, and similar purposes. A flaw in the web application allowed unauthorized access to consumer records. The vulnerability wasn't sophisticated. It was the kind of application-level security issue that regular security testing would have caught.

Equifax is offering free credit monitoring to affected consumers. That's become the standard corporate response to a data breach: apologize, offer credit monitoring, move on. But credit monitoring has significant limitations.

Why Credit Monitoring Falls Short

It's Reactive, Not Preventive

Credit monitoring tells you after someone has opened an account in your name. It doesn't prevent it. By the time you get the alert, the damage is done. You're then stuck cleaning up fraudulent accounts, disputing charges, and spending hours on the phone with creditors.

It Doesn't Cover Everything

Credit monitoring watches your credit reports at the three major bureaus. It doesn't cover tax fraud (someone filing a return in your name), medical identity theft (someone using your insurance), or employment fraud (someone working under your Social Security number). All of these are possible with the data exposed in this breach.

It Usually Lasts 12-24 Months

Companies offer credit monitoring for a year or two after a breach. But your Social Security number doesn't expire. The stolen data can be used for fraud five or ten years from now. When the monitoring expires, you're on your own.

What To Do Instead

Freeze Your Credit

A credit freeze prevents new accounts from being opened in your name. It's more effective than monitoring because it's preventive, not reactive. You can temporarily lift the freeze when you need to apply for credit. In Arizona, a credit freeze is free for identity theft victims and costs $5 per bureau for everyone else.

File Your Taxes Early

Tax identity theft, where someone files a fraudulent return using your Social Security number, is one of the fastest-growing forms of identity fraud. Filing your return early, before a criminal can, is a simple defense. If you've been affected by a breach that exposed your SSN, consider filing as early as possible next tax season.

Monitor Your Own Accounts

Review your bank statements, credit card statements, and insurance Explanation of Benefits (EOB) statements regularly. You know your accounts better than any monitoring service. Unusual activity stands out when you're paying attention.

Use an IRS Identity Protection PIN

The IRS offers an Identity Protection PIN (IP PIN) for taxpayers in certain states. This six-digit number is required when filing your return, making it harder for someone else to file in your name. Check irs.gov to see if you're eligible.

For Practice Owners

If your practice uses Equifax's income verification service for employee onboarding, review your processes. Understand what data you're sharing with third-party verification services and ensure those services meet your security requirements. This breach is a reminder that your data is only as secure as the weakest vendor in the chain.

Free credit monitoring is better than nothing. But it's not a solution. It's a gesture.