The ID theft protection firm LifeLock is certainly one of the big winners from the big data breach suffered by Equifax, which exposed the personal information of 143 million Americans to hackers.
LifeLock has been going to town on the Equifax breach, with ads and press releases trumpeting how the breach proves how valuable its own services (cost: up to $29.99 a month) can be to protect you from identity theft.
"A major credit bureau just experienced a breach potentially impacting 143 million people," the firm says on its Web page. "Don't wait to get identity theft protection." An executive of Symantec, LifeLock's parent company, told Bloomberg that since the Equifax breach was reported, LifeLock's Web traffic has increased sixfold and enrollments per hour are running 10 times ahead of the pre-Equifax era. "Most are paying the full price, rather than discounts," the executive said. "It's a really incredible response from the market."
Here's what LifeLock isn't advertising so widely: When you buy its protection, you're signing up for credit reporting and monitoring services provided by, yes, Equifax.
LifeLock signed a four-year contract with Equifax in December 2015, with the services to start the following April. At the time, LifeLock said it would "purchase certain credit products and services from Equifax" that would then "comprise a part of LifeLock's identity theft protection services for consumers."
The relationship is still active, according to a statement LifeLock issued to me by email late Monday. LifeLock's terms of service, a small-print 6,000-word document on its website, lists Equifax Consumer Services as one of its "service providers." It specifies that as a LifeLock customer you're authorizing Equifax "to obtain your consumer report information, including your credit information, from the personal credit report" maintained by itself and its fellow credit reporting firms, Experian and TransUnion. This enables Equifax to generate a FICO-like credit score for you and to "locate" your credit reports in the three firms' records.
In its statement, LifeLock said it is "following this situation closely" and "at the conclusion of Equifax's investigation, we will take whatever steps are appropriate to ensure that they are protecting their data to our satisfaction." That still leaves LifeLock dealing with the fact that the credit firm it's purchasing services from is the same firm whose dereliction it's exploiting in its marketing.
But this may also require you to hand over to Equifax personal data it might not have acquired through its relationships with banks and credit card issuers, the usual sources of the data in your credit report. That's according to Jeff Bell, the CEO of LegalShield, a LifeLock competitor. LegalShield buys the same services that LifeLock gets from Equifax, but buys them from Experian instead. As it happens, LifeLock used to buy these services from TransUnion, until switching over to Equifax. Bell says customers of firms like his — and presumably LifeLock — are asked to provide driver's license and passport numbers as well as email addresses, so that potential credit hacks using those data can be tracked and unearthed by the ID theft companies.
In other words, LifeLock is trying to profit from scaring people about the consequences of the Equifax data breach, without being too forthcoming about its own reliance on Equifax to provide protective services.
The relationships between LifeLock and LegalShield on the one side and Equifax, Experian, and TransUnion on the other underscore how deeply those three credit reporting agencies have burrowed into our entire credit information system. They're the repositories of some of our most sensitive personal information, yet also the vendors of services aimed at protecting consumers from the misuse of that very data.
Bell of LegalShield acknowledges that there's reason for consumers to be cautious about sending even more data to these firms, though he suggested that Equifax's issues may be unusual. "I'm not saying this could never happen to Experian," he told me, "but you don't want to have a partner that violates its fiduciary responsibility by not having the appropriate security in place." Still, he argues, "not sharing your data so it can be monitored is equally dangerous."
LifeLock has continued its relationship with Equifax despite previous signs that Equifax wasn't subjecting consumer data to rigorous security. As we've already reported, Equifax suffered a breach at its TALX business subsidiary from April 2016 through March of this year, but apparently didn't reveal it to any victims until April this year. And on Monday, the company confirmed it had discovered a separate breach of consumer data in March. Equifax said that breach was unrelated to the latest hack, but didn't provide details about the data that was stolen or how many people it belonged to.
As we've reported before, the consumers whose information is on file at Equifax, Experian, and TransUnion aren't those firms' customers—they're the product. Their data is sliced and diced and sold to marketers using the information to target their pitches ever so much more precisely, and offered to banks and credit issuers deciding whether to extend credit, and at what price. Some car dealers won't even let you take a vehicle out for a test drive before running your credit history.
This all means that the credit reporting firms have zero incentive to protect your personal information to the last mile. And the early evidence of what caused the Equifax breach points to an alarming indifference at that firm to the consequences of a breach. The evidence is that Equifax had a timely warning that some of the software it was using had a gaping security hole and had been provided with a patch—but didn't install it.
LifeLock doesn't have an especially sterling record for delivering what it promises to customers. In 2015, the company paid $100 million to settle Federal Trade Commission charges stemming from an earlier complaint that it vastly overstated how well it secured customer data and the level of protection it offered from ID theft.
"LifeLock falsely advertised that it protected consumers' sensitive data with the same high-level safeguards used by financial institutions," the FTC alleged. The company also "falsely advertised that it would send alerts 'as soon as' it received any indication that a consumer may be a victim of identity theft." The company had agreed to settle the charges in 2010 for $12 million, but failed to comply with the settlement terms. The $100-million penalty that followed was "the largest monetary award obtained by the commission in an order enforcement action," the FTC said at the time.
This is the same company, by the way, that staged an audacious advertising campaign in 2006 by emblazoning its CEO's Social Security number on the side of a truck and broadcasting it over the air. The idea was that it could do so with confidence that its services would protect the CEO from identity theft. In reality, his identity was stolen at least 13 times after the campaign began.
The CEO, Todd Davis, tried to spin the fiasco as proof that the service worked, since many more ID theft attempts were tried and thwarted. Davis left his CEO job after the $100-million settlement. Symantec bought the company last year.