After the Equifax data breach in early September, readers asked one question repeatedly that had no good answer: Was there any way to punish the company?
Federal regulators and state attorneys general probably won’t provide much satisfaction. And as I reported in October, you just can’t quit Equifax, no matter how angry you are that they may have exposed your personal data and then made you jump through hoops trying to freeze your credit files. Equifax won’t erase your credit report, and lenders won’t stop reporting your payment history to the company.
But Equifax does business with many large employers, and therein lies an opening. This week, as something of a case study, I asked my employer, the New York Times, to cancel its contract with Equifax for a service called Work Number, which provides employment verification and other details like work history and salary. After a few days of consideration, it said it would do so.
Why did readers want to go to these lengths? Let’s start with the basics. The giant breach, which exposed the personal data of 145 million people, provided ample evidence that Equifax is not careful enough with information like Social Security numbers and home addresses.
In its work for employers, Equifax sucks up other data of all sorts and puts it to use in various ways. Brian Krebs, who runs the Krebs on Security website, reported in May 2017 that an Equifax payroll services unit had allowed thieves to wallow around in the individual salary data of many people for nearly a year.
Even after Equifax disclosed the big breach in the fall, sloppy practices continued. I tip my cap to the reader who somehow ended up on a long list of recipients of an urgent email and spreadsheet from inside Equifax, which I now have too. It warned of “inappropriate access” across several company systems and a “lack of an adequate review of operating system and database credentials.” This reader is not an Equifax employee but ended up on the distribution list anyway, where recipients were asked to mark terminated employees in red, presumably so they wouldn’t have access to internal systems anymore. Equifax said that it was inadvertent.
Now, a bit about this Work Number service that The Times will no longer be using. At its most basic level, it helps employers avoid all of the phone calls they get asking to verify someone’s current or past employment and salary. Generally, if you give, say, a landlord or a lender permission to check your salary, they are free to contact your employer. Work Number helps automate the process.
Lots of employers use it. Equifax claims that more than 5,500 have signed up, including over 75 percent of Fortune 500 companies and many federal agencies. The service works by setting up a sort of central line to your employer’s payroll operation, uploading your paycheck information each period. It also records your job title and tenure.
As you might guess, this information has a lot of value to outsiders. As long as those entities comply with the Fair Credit Reporting Act, they can generally access it if you’ve given them permission. (You might have done this years ago, without even realizing it, when you signed up for a credit card or other financial service.)
If lenders want an early warning that you’ve been fired or demoted, Equifax’s Work Number service can hand one over.
“This critical and timely information will maximize your efficiency on credit risk and collections decisions,” the company promises lenders. Armed with information about what you’re making or if you’re no longer working, they can turn up the heat on efforts to get you to pay or reduce credit lines accordingly.
Equifax can also use the payroll data to help colleges track the financial progress of its alumni with its “Graduate Outcome Metrics” offering, allowing schools to avoid expensive surveys and what Equifax refers to in its marketing materials as “self-reporting falsehoods.”
And if your mind wandered to where mine did in imagining other Work Number uses, yes — employers can and do ask for job applicants’ permission to check their current and previous salary where it is legal to do that. So fibbing about your past compensation in hopes of securing a raise may not work out so well.
Speaking of falsehoods, I found something that looked like one on my own Work Number report. (You can get yours free on Equifax’s website the same way you would a normal credit report.) It said that in June 2017, Discover Financial Services was able to dive into my Work Number data.
But unless I’m forgetting some long-ago dalliance, I’ve never had a relationship with that company. So why — and how — has it been able to pry? I figured this was a mistake; credit reports tend to have lots of errors, after all. Equifax suggested disputing the item online through its normal process. Discover was unable to offer up an explanation by my deadline.
In the wake of the payroll unit breach that Krebs reported on, which resulted from thieves using personal information from affected employees to reset their passwords, the University of Louisville stopped doing business with the Equifax service. Another company, the building-material manufacturer Saint-Gobain Corp., made a different call in the moment and kept Equifax while also starting an examination of competing services.
Erickson Living, a retirement community operator, also continued doing business with Equifax, while adding additional security measures and shutting down online access to W-2s. The aerospace and defense company Northrop Grumman declined to say what it did, and Mark Root, a spokesman, declined to say why.
(Equifax said that the number of Work Number employee records it handles had increased over the past four months.)
At The Times, we gave Equifax 90 days’ notice of termination of our Work Number contract on Thursday. According to a Times spokeswoman, Eileen Murphy, an evaluation of alternatives is underway.
For those who may consider airing concerns with their own employer, I sought out the advice of my friend Bob Sullivan, who shined some of the brightest, earliest light on Equifax’s Work Number service through reporting of his own.
He suggested making two points in particular. The primary one is the basic security argument about Equifax.
“They can’t be trusted with data, and they’ve proven that over and over again,” said Sullivan, who is also the author of “Gotcha Capitalism.”
There is also the matter of internal communications, given that most employees (including me, until recently) have no idea who their employers are working with.
“If all employees understood that every single pay stub was going to Equifax every week, there would be a mini-revolt,” he said.