by John Mayleben
Equifax’s announcement that approximately 140-plus million data records were stolen from its master database of U.S. individuals will likely impact you, and as a business owner, you need to know how.
This is one of the three primary databases that people who grant credit use to make business decisions. It has all of your personal information in it: name, address, social security number, mother’s maiden name, etc.
Equifax has announced a remediation process for impacted consumers. This data breach is more significant than others, because the information stolen is information that can’t be changed. No one will get a new social security number, our mother isn’t going to change her maiden name, etc. The stolen information goes to the core of the system that has been created to track credit worthiness.
Equifax is one of three primary organizations who maintain most, or all, of the data points used by businesses to grant credit to individuals – whether it is a credit card, car loan, home loan or any other personal line of credit. While you are a business person, you are also an individual, whose data may have been exposed. You should go to the Equifax security site (www.equifaxsecurity2017.com), to validate whether your data has been exposed. If you haven’t already signed up for credit monitoring services, you might want to use Equifax’s offer to enroll in credit monitoring services.
In addition, if your information has been exposed, you might want to freeze your credit record. If you decide to pursue freezing your credit record, it is best to do it at all three credit reporting agencies: Equifax, TransUnion, and Experian. There may be a small cost to freeze your credit. A credit freeze prevents anyone from using the credit databases to grant credit in your name. There is a mechanism to temporarily unfreeze your credit records, if need be.
If you are one of the individuals impacted by the data breach, your personal data being exposed is not insignificant. But there is potentially a bigger issue to you as a business owner. Some businesses, in certain industries, continue to grant personal lines of credit to certain individuals and they may be using these databases to determine credit worthiness. If you grant credit to individuals, you will need to review, update and strengthen your policies and procedures around granting credit.
If you don’t already have procedures in place to identify attempted identity theft situations, you need to develop and implement them immediately. With this information being exposed on the dark web, people will be able to impersonate legitimate purchasers and exploit opportunities when businesses do not have strong policies and procedures in place.
While we can’t attribute the following to the Equifax breach, we are anecdotally seeing an increase in corporate identity theft, where someone pretends to be the owner or buyer for a legitimate business and convinces a supplier to issue credit to them based on the legitimate business’s track record. In today’s world of interconnected data points it is very easy to discover the principle owner’s name of a company and if you have joined the personal data from the Equifax data breach with ownership records collected from public data, it is very easy to impersonate the owner and establish corporate lines of credit.
If you operate in the business-to-business sales space, make sure that you have mechanisms to validate corporate requests for lines of credit. One trend is where someone contacts your organization to purchase goods or services remotely in a company’s name and that person is actually a bad guy, who is not connected with the company at all. At minimum, you should have a policy of contacting the company requesting goods or services on credit using publicly available contact information – not information provided by the “customer.” A quick internet search should turn up primary contact information, and a phone call to the organization may prevent a costly mistake.
The other thing to consider in any non face-to-face transaction is what you are selling and why this customer is purchasing it from you. If you sell “purple widgets” and you are the only one selling this item, then it may be reasonable for someone from a distant location to contact you for the purchase. If on the other hand, you sell “blue widgets”, and there are hundreds or even thousands of others who sell “blue widgets,” you should stop and ask yourself “Why is this customer contacting me instead of the many vendors of the same product that are closer to their location?”
If you have questions, please feel to contact MRA at 800-366-3699.
John Mayleben, one of the nation’s first Certified Payments Professionals designated by the Electronic Transaction Association, is an MRA consultant and naitonal expert on payment processing.