As this blogger and Brian Krebs have both pointed out on a number of occasions, Experian’s ProtectMyID may only monitor Experian’s own credit reports and not those of Equifax, TransUnion, or Innovis. Now one consumer seems to have learned that lesson the hard way.
Consider the offer Target made to its customers following their massive breach (emphasis added by me):
This ProtectMyID package includes the necessary tools guests need for credit monitoring and identity theft protection. It does not include Experian credit score or reports from Equifax and TransUnion. When visiting the enrollment site, guests will have the option to purchase these additional products at their own expense if they choose, but are not required to purchase a credit score to receive the benefits of credit monitoring and identity theft protection.
Although Target stated that consumers wouldn’t get Equifax and TransUnion “reports,” did the consumers really read and understand what “reports” meant in that sentence? Did they think those reports were just credit scores or did they realize it meant those credit reports wouldn’t be monitored?
If consumers didn’t read carefully, and then only read Experian’s bulleted list of features in the sign-up for the activation code, they might not realize what they weren’t getting (screen cap credit: Brian Krebs):
To be clear: if consumers purchase ProtectMyID directly from Experian, they get “Daily monitoring of your Experian, Equifax®, and TransUnion® Credit Reports with email alert notifications when key changes occur,” but that’s not the same “ProtectMyID” service a company may arrange for following a breach, even though the name is the same.
A spokesperson from Experian confirmed to DataBreaches.net that they offer a 1-Bureau Experian monitoring product and a 3-Bureau monitoring product to data breach clients. And they confirmed that Target had purchased the 1-Bureau Experian monitoring product.
Yesterday, Pam Zekman of CBS reported on how one consumer who signed up for ProtectMyID after the Target breach was stunned to become an ID theft victim:
Identity thieves charged $1,400 at one department store and $6,000 more on two credit cards they opened in Walters name.
Walters says he got no alerts from ProtectMyID.
“They said we don’t see anything. And I was just flabbergasted. I was like, ‘What do you mean you don’t see anything. How could you not see anything? There’s two accounts open. There’s charges on them, and you see nothing?’”
The service didn’t see anything, apparently, because the free protection package Target paid for only monitored credit bureau reports from one company: Experian, the company that operates ProtectMyID.
“That is the biggest hole in this net,” says William Kresse of Governors State University, an anti-fraud authority. “Some of these credit protection services only use one of the three credit reporting services.”
[…]
Experian says it takes consumer concerns very seriously and there was no sign of an error in the Walters case.
Yes, we’re supposed to read terms and conditions and understand what we’re getting – or not getting – when we sign up for a service. But should breached entities be offering a 1-bureau credit monitoring service instead of a service that monitors the “Big Three?” I don’t think so. I don’t know what, if anything, the FTC can do about this, but if consumers wind up with a false sense of security following a breach because the breached entity has offered a 1-bureau product while claiming it’s giving consumers the necessary tools to protect themselves, then is that an unfair or deceptive practice?
The bottom line is this: consumers need to become more savvy and not accept offers of products that do not give them good protection – but companies should not be offering products that do not serve breach victims well. When a consumer files a fraud alert with one credit reporting company, that company is required to notify the other two. And that serves the consumer well. But should credit monitoring products be able to claim they offer good protection against ID theft if they only monitor one of big credit reporting firms? And should companies be allowed to offer such incomplete services to breach victims? There’s no law requiring companies to offer credit monitoring services, but maybe we need some provision that if they do offer it, it needs to meet a certain standard.
Paging the FTC to Aisle 4….