Credit reports - do we have enough control to prevent fraud?

The recent high profile/high impact data breaches have highlighted the need for strong mechanisms to ensure consumer protection.

CHOICE has a 5-step plan that you can action to avoid and respond to a data breach, including the suggestion to place a freeze or ban on accessing your credit report. This will prevent new loans under your name - useful in the event a hacker wants to use your identity to commit fraud and theft.

There are three credit reporting agencies in Australia, Equifax, illion and Experian and they all allow you to place a 21-day freeze on your credit report for free. The freeze can be extended up to a 12 month period (also free).

You can also sign up for credit monitoring, which will typically alert you in instances of access to your report or changes to your credit score. Credit monitoring comes at a cost for Australians, currently Equifax charges $9.95 a month for its credit protect monitoring service. However, in the USA a number of fraud alerts are available from credit reporting agencies for free.

The Barefoot Investor calls this out in his recently published open letter to the Federal Minister for Financial Services, Stephen Jones. He suggests:

"… to put a ‘lock and alert’ system on our credit reports. That is, lock every credit file so no one can see it (without the customer’s consent) and send an immediate alert to the customer if someone tries to access it."

He goes on to highlight:

[Credit bureaus in Australia] are owned by large investors, and last year they collectively made $521 million in revenue selling our private data to financial institutions, according to IBISWorld. The problem is, putting a lock on our credit files would put a lock on their profits.

What do you think about this idea - Do we have enough protections to our financial systems or are improvements needed?

Are there any other financial mechanisms we should be considering to stop fallout from data breaches, or models from other countries we could adapt?

Please include links to examples where possible.

The short reply is no we do not.
The evidence. The promotion to consumers of paid monthly protection schemes and insurance. Who are consumers being asked to pay? The credit reporting agencies who are supposedly in control of our credit information.

I’m in full agreement with the Barefoot Investor and his suggested solution.

A longer response.
It may be of benefit to ask a few questions about what the typical consumer knows of these 3 credit reporting agencies. Excuse any naivety in the following. It’s more than 10 years since I last needed to support a credit related application. I expect that was a bank only assessment.

  1. What level of identification must an inquirer initially provide to the agencies to reliably identify whose records they are seeking?
  2. What identification does the agency require of the person or business requesting the agency’s services? i.e. are they genuine?
  3. How does an agency determine the requesting business or person has a legally established need to request a report? i.e. has the consumer explicitly agreed to the business requesting a report?

I’m hopeful there are answers to these and other likely questions.

I would like to think the only time my personal record or standing is accessed is when I have expressly and knowingly given approval. It’s imaginable that at times records are incorrectly attributed to the wrong identity. It’s also imaginable that at times requests can be made to these agencies at the request of a business or person with whom I have no immediate need for credit or to whom I am making no payments.

Equifax as an example offers a free copy of your credit report up to every 3 months. There are also higher level paid report and protection options.

What is not evident is whether any of these levels provide details of when and by whom your credit history is accessed/provided to another party.

I’m sceptical paying just one Agency is sufficient protection. Would one not need to pay all three for similar services? Assuming a fourth enters the market, must one pay all 4? Having given rights to our financial dealings to be shared with 3rd parties, it’s somewhat amusing that consumers need to pay to protect against misuse of that data.

I’m also sceptical that in approaching any of the agencies for a free report it adds one more data point to the information they hold. This includes providing key government verifiable identity documentation. “A double edged sword”?

I don’t know what I don’t know - about how any of this is set up, is legally intended to function, or operates.


“lock and alert” is better than nothing - but it raises questions over how the alert will reach the customer over long periods of time (i.e. keeping it up to date and authorising any changes).

I would say “no”. The system operates for the benefit of parties other than the people whose data is in the system. I would question fundamentally who gave these companies the right to record data about me? I see very little political will to make a major shift in data ownership though.

I would say that the first step would be to break the nexus between “data breach” and “credit”. It is a fundamental weakness that a data breach at Optus even matters to applying for credit. Neither of them has any business whatsoever with my driver’s licence.

For the record, as an Optus customer, I have a credit report ban in place with all three companies. I think a ban could go further i.e. ban not the credit report but the credit itself. I would like to ban absolutely everyone taking out new credit in my name permanently until such time as I explicitly revoke it - and without having to give a reason.

I guess the onus of proof should be reversed regarding the authorisation of credit i.e. if someone applies for credit in my name and then (obviously) defaults on the loan, the company issuing the credit has to prove absolutely, positively that I authorised the credit in the first place, rather than that some scammer just filled in a web form with my details from a data breach.

For an initial action this seems too short. Given that I have bothered to contact them because I have a problem (Optus data breach), why only 21 days? Why can’t I choose a longer period? Why do I even have to justify the ban?


I have no recollection of approving the collection of my personal information by a company with which I have absolutely no business for the on-sale to whomever could be bothered to pay for that personal information.

In fact, these credit agencies sound like the people who took off with Medibank’s data: if you pay us enough money we promise not to share it. (With fingers crossed behind their backs in both cases.)


My only concern is if you freeze the ability to get credit/a loan, how easy is it to unfreeze if one needs credit/a loan? I expect that if it is frozen with a flag as a potential for identity theft, then it may be challenging to get a freeze thawed, as doing so would remove the benefits of the initial freeze.

Maybe a better solution is to have a flag in credit reports as high risk of identity theft. Any applications made for credit or new account setups would require a higher number of verification documents, physical verification of a sample of the identification documents (such as sharing with the document-issuing party to validate its authenticity against their own records), and all applications are to be made in person. This would make it substantially harder for identity theft to occur when used for credit/loan/account setup applications.


I really think many are confused about what credit reporting agencies actually do.

They collect information about creditors’ activities in a centralised place so potential lenders can assess whether to lend to a borrower and assess the risk of doing so.

This can be anything from a home loan down to a mobile post-paid phone, or power connection.

The first step in checking an application would be to verify the identity. The second step would be to check history with a credit agency. Bad history, probable rejection. Blocked history, probable rejection.

@phb’s idea is good. Flag that whilst data is available to assess credit worthiness, potential credit providers are advised that the person whose data is accessed is concerned about possible identity fraud and proper physical identity checks are to be done.

And this would be legislated.


Only if the person requesting the credit check has failed to obtain your permission.

The proposition that one’s credit history is only blocked by exception implies credit agencies have an unrestricted right to obtain and use personal financial and related personal information (i.e. identity, address, contact details?). It’s at the discretion of each credit reporting business to whom content is released, and what is released.

It’s not unreasonable to ask for further control of each release. A requirement for acceptance by the consumer affected of the content to be released. After all, it can only be what we would have filled out on a paper form if asked.

That level of personal control is not in place. Our regulated financial institutions have demonstrated failures to always act in the best interests of their customers/consumers. Why would consumers expect a largely unregulated credit data collection agency to be reliable or trustworthy?


My own experience with credit reporting agencies: following an ID theft experience in early '18, I requested all 3 agencies to put a Ban on my credit file.

  • Experian: request to be made on their own form only,
    provide a reason,
    provide police or ACORN report number,
    full details,
    scanned copies of three forms of ID (e.g. DL, Medicare, utility bill),
    Ban could be extended 1-5 years or indefinitely.

  • Equifax: provide a reason,
    provide DL number and ACORN report number,
    full details,
    Ban could be extended 3 months at a time by providing a reason.

  • Dun and Bradstreet (Illion): provide a reason,
    provide full details,
    provide DL and council rates scans,
    Ban can be extended after one year by giving a reason.

All three provided a free credit report. All extended my Ban for a little over a year. I stopped asking for extensions after I changed all of my ID numbers.
I did feel more secure knowing that the Ban on my file would stop anyone using my details to commit fraud. It did make it harder for me in case I applied for a loan because I would have to ‘unfreeze’ my file.
I forget which one showed an ad for credit monitoring, but my response plan advisor had alerted me that I had no need for it.

It would have made it a lot easier for me if there had been a lock in place and I would have been alerted of any access. As it was, the onus was all on me to apply (giving them even more details than they already had; I especially didn’t like emailing a photo of my DL), to follow up the Bans and the credit reports, and to give good reasons for doing so because it could have been refused. In my case I had a police report, but sometimes the need for a Ban could be difficult to prove.


Which is exactly what I have done in response to the Optus hack.

There are weaknesses though. Credit agency X has no obligation to accept and no obligation to respect my demand for a credit report ban, no obligation even to offer that functionality. And a company who uses the services of credit agency X has no obligation to reject credit even when there is a credit report ban in place (hence why you have written probable rejection, I suppose).

And, as has already been mentioned I think, there is nothing magic about the number of credit agencies being 3. There could be 10 or 20 or … of them and it would then get quite unwieldy trying to get a credit report ban implemented across all agencies. (At the current time, when you contact one agency you can check a box on the form to get the request propagated to the other two agencies. However I can tell you with absolute certainty that that sometimes does not propagate correctly.)


First issue is our right to own our data. The credit reporting agencies should be included in any “consumer data right” legislation, as well as banks, etc. If this were done, we would be able to access any data about us at any time, ask to correct any errors, limit who the data is passed on to; for how long, and ask for data to be deleted when we wish, all at no cost because the data held is ours!

The problem with data theft is that the person(s) who have acquired someone’s identity can prove that they are the person they are impersonating, so they could arguably also authorise the unfreezing of any credit blocks etc.

Clearly our data is valuable; on average approximately $175M profit per credit reporting agency, so it should be treated with appropriate security. If our data were gold, they would not leave it accessible so that someone walking in off the street could steal it without anyone being aware. So shouldn’t our data be treated with the same security they would provide $175M worth of gold?

All organisations, including Government bodies and instrumentalities, should be required to protect our personal data at least as well as they protect their most sensitive business information, or gold. If they have a data breach, they should be penalised and be required to pay for all costs and losses encountered by the person(s) who has had their information stolen from them. With these sorts of penalties in place, the reparations could be so enormous that it would be much cheaper to invest in and maintain significant up to date security on data being held.

Our data security should not be an after-thought; it should be of paramount concern and treated like gold.


A further consequence may be a rethink by many businesses as to what content they choose to hold and for how long.


The advice was that info wouldn’t have been released without my written consent. By asking for a scan of my DL, the credit reporting agencies would have had my signature to compare with any written request.
Granted that each case is distinct.


The problem with this approach is that no amount of up to date security can guarantee to prevent a data breach.

Let’s make it hard. You run a business. You use Microsoft Windows on the system that holds the data. There is a new Zero Day being exploited in the wild. So Microsoft may not even have managed to release a patch yet, much less that you can do the right thing and download it and install it. By bad luck, your business is successfully targeted.

For a second example, look at what actually (reportedly) happened at Medibank. The password of a system administrator with relatively full access to all data was compromised. Granted that there are things that Medibank could and should have been doing to mitigate that (e.g. two factor authentication) but at the end of the day, human beings will always also be a direct weak point.

Also, as commented previously, the higher you make the financial penalties (whether by reparations or by fines, or both), the greater incentive

a) to pay a (higher) ransom, and/or
b) to suppress disclosure of the data breach.

In the extreme, if the reparations are “so enormous” as to wipe out the company then it makes no sense to disclose the breach. It may even be a breach of the law to disclose the breach (but also of course a breach of the law not to disclose the breach, where that applies, which is not all companies).

It isn’t clear what would be within the scope of “all costs and losses”. If it means paying for the cost of replacement driver’s licences and/or passports then so far both Optus and Medibank are doing this “voluntarily” - and it is not likely to be an enormous cost for companies of that size. However if “losses” included being financially liable for the fraudulently obtained credit then there would be almost no limit to the liability.

And of course there is the difficulty that you are punishing the victim.


There is a saying doing the rounds of the net (origin unknown to me): Data is not gold. Data is uranium.

That is more in line with @mark_m’s comment that businesses should re-evaluate what data they choose to hold and for how long - subject of course to the limitations caused by the government, in which case that choice is taken away from them.

So if you wanted to take a hard-line approach, you could say that where a business collects or keeps data under legal compulsion by government then (some of) the liability should be transferred to the government!


A useful comparison of sorts. One that illustrates a double standard to my way of thinking. Although a legally sharpened mind might say it is all as it should be.

Many of our possessions and valuables are within our direct control and grasp. The front door keys, the family jewels, the ride on lawn mower. As the owner we can put in place various levels of security and deterrent appropriate to the risks, values and our personal needs. We can even insure those risks.

For our digitally accessible possessions, our ability to assert direct control over the content, or directly secure that property is outside our control. If I was to loan my lawn mower to a neighbour and into their care it becomes their responsibility to secure it. I’m entitled to replacement or compensation at their cost if they damage it, misplace it or worse happens.

For digital content there appears to be minimal established right to any indemnity. It does not matter in the instance of my loaned mower how a loss came about. Whether by error, or deliberate act I’ve a well established precedent. The same level of protection and indemnity should be in place by default for loss of digital content. Just an opinion on where legislation and law appears to be lacking.

It is a hard-line alternative to go down that path. However Government and Business have gone down the digitised path to such an extent it is nearly impossible not to be part of their digital world.


A legally sharpened mind or two have released an opinion piece that makes the arguments that Governments and Businesses are too lightly treated when it comes to our privacy.

Notably, at the current Privacy Senate enquiry Telstra, Woolworths, Medibank and Optus declined the invitation to attend. Is this a sign they are too afraid to be questioned, is it a way to ease some of the bad publicity, or what reason might they legitimately have in view of the current and past problems they have faced? From the Guardian comes this snip of the quote:

I don’t expect that my stored data is absolutely safe, that would be a foolish notion. I do expect ‘reasonable’ efforts to be made, I expect the right to know when and where my data has been shared and stored (not exact locale but say Country that it is in and why it is stored outside of Australia if it has been offshored), I do expect the right to be forgotten once there is no legitimate reason to continue storing it. None of this currently exists here.


I’m not sure I follow how your post relates to the text from my post that you quoted.

To give some actual legislation …

Compelled actions by a company under Section 317 et seq of the Telecommunications Act are so offensive to human decency that the legislation explicitly excludes the company from civil liability (317ZJ and 317G).

(I suspect that means that no one is liable, not the telco and not the government.)

There does not appear to be any equivalent indemnity for compliance with Section 187 et seq of the Telecommunications (Interception and Access) Act, which is what is causing some of the government-related problems for Optus as far as this data breach is concerned.

(I suspect that means that the telco is liable.)

And finally Section 313 et seq of the Telecommunications Act is another part of the legislative regime that is causing some of the government-related problems for Optus as far as this data breach is concerned, and it does indicate that the telco is “not liable […] for damages”.

(I suspect that means that no one is liable, not the telco and not the government.)

The quoted comment from me is suggesting that liability should not simply be extinguished (where that applies) and some of the liability should be transferred to the government (where it currently rests with the telco). The government and the company should be jointly and severally liable, with a court to apportion the liability, based on the degree of culpability that the company has.

This would have no effect whatsoever on any data that the company collects and keeps voluntarily. When it all goes pear-shaped, the company would be on its own for that data.


I completely agree with this, BUT organisations should be able to show that their security was at world’s best practice relative to the size and $ turnover of the organisation. In other words, organisations which make a lot of money should have spent a lot more resources on their system security than, say, an SME.

I find it objectionable that the head of Medibank just received a $2M bonus when they just had such a massive data breach. That money should have been spent on the affected clients and on upgrading their security. Upgrading security can and should cover h/w, s/w, and relevant training of staff.

It is not just the $ cost of replacing documents. Some people whose personal data has been compromised through no fault of their own have spent years trying to clear debts incurred by hackers; some have had to move home for personal safety reasons; prior to the most recent hacks most people suffered significant inconvenience battling bureaucracies and loss of earnings as they tried to reclaim their identities. They should be compensated for this.

I do not believe that is a valid argument. We have speed limits mandated by Governments, so if we exceed the speed limit should the Government pay the fines? We are required to keep our tax information for 5-7 years. If someone steals your documents and you can’t show them to the ATO, you may still be fined for not paying the correct tax amount.

Yes organisations may be required to keep certain data for a set period. That does not abrogate their responsibility to keep the data safe.

How many people would work with uranium without taking precautions such as at least monitoring their exposure to ensure it remains within safe limits? If data was treated like uranium, then they should take all the necessary safety precautions with the data. These businesses did the equivalent of putting the ‘uranium’ into a cardboard box in an open filing cabinet and were surprised when they couldn’t account for missing uranium (but the terrorists were happy).


I think that’s the point of the saying. Businesses and governments have been treating data like gold (get as much of it as possible, make as much money with it as possible) but should have been treating it like uranium (dangerous, causing problems, having some value, but requiring special handling and ultimately maybe not even worth the trouble).


That’s fine until the scan is stolen and your physical signature forged.

While there have been some cases in which companies have been successfully sued, the main winners were the lawyers. Damages awarded generally have not reflected the real-life impact of losing control of one’s identity.

Of course, online entities also want the same kind of protection that airlines have from what they might consider ‘excessive’ damages. This was originally introduced when plane travel was new and dangerous, but was apparently updated in 1999 (readable summary here).

Hence websites take no responsibility for their content, or for what may happen to visitors, and have ridiculously and tediously lengthy legal agreements that one is assumed to have read when one visits the website.

You have just driven business away from large entities to (likely offshore) Mom and Pop businesses, because they do not have to spend so much on security.

I like the idea of treating data like uranium. Apart from anything else, the entity that is breached should be required to explain not just what data was taken but also why it had that data in the first place.