Months have passed since Equifax’s fateful fall. The consumer credit reporting agency, still reeling from a security failure last year that exposed 147 million Americans and 634,000 Granite Staters, is slowly on the mend.
But the scourge of mass data breaches, experts say, has far from faded.
New Hampshire was hit by 523 reported breaches last year – the highest in more than a decade, according to figures from the state’s Attorney General’s office. In 2016, the state saw the second highest number, 355, as part of a recent upward surge.
Week after week, the office’s Consumer Protection and Antitrust Bureau receives company reports, processing them and releasing official warnings to the public. The numbers vary. One week might see a breach affecting several dozen state residents. The next could be in the hundreds of thousands.
But the trend is unmistakable, and breaches of all sizes appear to be on the rise, data reveals. On Thursday afternoon, Under Armour announced a breach of its mobile app MyFitnessPal, affecting around 150 million worldwide, according to reports. It’s unclear how many New Hampshire residents were affected.
“It’s astronomically rising,” said James Boffetti, senior assistant attorney general and head of New Hampshire’s Bureau, of data breaches. “It’s a growing business. This stuff is packaged up.”
Now, New Hampshire lawmakers are looking toward a simple mechanism of relief: credit freezes. A new bill, Senate Bill 303 would allow anyone notified by a company of a data breach to freeze their credit scores – for free.
The change would make a small but meaningful impact on those targeted in a breach, supporters say. Freezes allow consumers whose financial information has been compromised to protect their credit scores from ruin from reckless purchases. But they don’t come free. In New Hampshire, consumers must presently pay $10 to each of three major credit agencies unless they can prove that they are a victim of identity theft, not just a breach.
SB 303 would extend that exception to breaches – anyone informed that their data may have been compromised would get the option to freeze for free.
“It’s almost a nuclear option,” said Todd Fahey, director of AARP New Hampshire, which advocates for older resident who often are subject to attack. “We talk about the best offense being a good defense. This is a great defense.”
The proposal has proven popular among lawmakers in both parties and chambers; last month, a House version of the idea, HB 1700, passed by voice vote. Even Equifax has jumped behind it; a lobbyist in Concord on Thursday said the company supports the bill and has already moved on its own to implement free freezing options to its customers.
To Fahey and other advocates, the proposal is a long-needed fix. The $10 fees can seem small, but they add up, Fahey said. Because credit data is processed by three national firms, consumers must freeze three accounts each time; it is often impossible to know which credit company a car dealer or realty agency will use, so all must be protected.
And each time a credit score is necessary for a loan, payment structure or lease, the credit scores must be unfrozen, which can be an additional fee. For those who move frequently, Fahey argued, that can add up.
Meanwhile, at the Attorney General’s office, the incident reports are only rising, Boffetti said.
Colossal breaches are relatively rare, but smaller attacks are ramping up. Of 2017’s 553 cases, only four – Equifax included – affected more than 5,000 New Hampshire residents. Meanwhile, 405 of the recorded breaches hit 50 people or fewer.
And week to week, the numbers fluctuate widely. In the past week ending March 23, three reported breaches affected 1,546 New Hampshire residents – the majority afflicted by an attack of American Express, Boffetti said. The prior week saw eight reported breaches but only 124 Granite Staters affected; the week before that, 11 recorded breaches impacted 64 residents.
Still, when large-scale breaches do happen, they can take their toll. In February 2015, a breach at the insurance giant Anthem affected over 667,000 Granite Staters, Boffetti said, and the state has also been shaken by data attacks at Target, K-Mart and Nieman Marcus in recent years.
With such national scope, the search for justice may be above New Hampshire’s pay grade. The state’s Attorney General office is not responsible for tracking down perpetrators, a task normally taken up by federal agencies, Boffetti said. Many culprits are likely based out of the country, complicating any prosecution, he added.
And that’s leaving out the crimes not reflected in the numbers: the sale of personal data to third parties for phone scams, to start.
But in lieu of easy answers, Boffetti added, credit freezes are a start.
“This is not an issue that is going away,” he said. “This information is being accessed in inappropriate ways. We need to have tools (for consumers).”
(Ethan DeWitt can be reached at edewitt@cmonitor.com, or on Twitter at @edewittNH.)