The recent Equifax data breach exposed the personal financial information of millions of Americans, yet many consumers know relatively little about what credit reporting agencies do and how they operate.

The industry is somewhat shrouded in mystery because credit agencies collect vast amounts of information about you without your having ever signed up for their service.

Yet as the Equifax breach shows, these agencies know a great deal about you, including your bank accounts, credit cards, mortgages, and other financial transactions as well as your name, address, Social Security number and even your driver's license.

How can these agencies collect all this information without your even knowing about it? And what is being done to protect you? Below are some answers to these key questions. 

Why Do the Credit-Reporting Agencies Exist?
When you apply for a loan or credit card, banks want to know if you are likely to pay them back. So they pay credit agencies to provide information about you and your financial history. The agencies also provide a credit score, which determines your overall creditworthiness. The higher the score, the better a risk you're considered to be.  


In the precomputer era, determining credit risk was usually the job of a local banker. As demand for credit increased, and especially as credit cards entered mainstream usage a few decades ago, lenders needed shortcuts to evaluate risk. That created a big business for credit bureaus, which collect and analyze information on consumers’ financial behaviors, and sell the analysis to lenders.

Today, there are dozens of small credit-reporting agencies in operation. But three firms dominate the mainstream credit industry: Equifax, Experian, and TransUnion (a fourth, Innovis, tracks similar information but is primarily in the business of selling mailing lists).

The “big three,” as they are often known, have enormous databases that contain information on nearly every adult American who’s ever used credit. Anytime you apply for a loan or credit card, your lender is almost certainly using information from at least one of these bureaus to determine your qualifications and/or interest rate for the loan, says credit expert John Ulzheimer, who used to work for Equifax.

What Kind of Information Do Credit Agencies Collect?
Just about every piece of information about you that relates to your credit history makes its way to at least one of the credit bureaus.

That might include: how much you owe on your credit cards and other debts, whether you’ve paid your bills on time, the credit limit on your cards, and how often you’ve applied for credit. That information, which is reported to the bureaus by lenders, is usually updated every month. 

In addition, the credit agencies collect financial information that appears in public records, such as bankruptcies and tax liens. Some property rental firms also report on tenants’ payments.

Besides financial data, credit bureaus collect information to verify your identity, such as your birthday, Social Security number, and even addresses and phone numbers.

How Secure Is This Information and Who Oversees It? 
The Equifax hack has made clear that data security is lacking in the industry. Credit bureaus aren’t subject to the same regulatory oversight that governs banks and subjects them to regular security audits.

Moreover, no single federal entity oversees data breaches, says Eva Velasquez, the president of the Identity Theft Resource Center, a national nonprofit victim-assistance group.

Depending on the circumstances, regulation could be handled by the FBI, the Federal Trade Commission, or the Securities and Exchange Commission. In the case of Equifax, the FTC has publicly said that it is investigating the breach.

Most states have laws stating that companies must notify customers about data breaches. But requirements about the time frame for notification and what kind of information they need to disclose vary widely.

Still, several state attorneys general have launched investigations into Equifax’s practices, and the company also faces a host of class-action lawsuits.

How Long Do You Need to Worry About the Equifax Breach?
Unfortunately, there’s no point at which you can assume you’re safe. That’s because the database that was hacked contained permanent identification information, such as Social Security numbers, which can’t be changed.

That means someone could apply for credit cards, take out loans, and potentially file for federal tax refunds or apply for government benefits under your name—five or 10 years or even decades from now. “You’re exposed in perpetuity,” says Velasquez.

What Is Being Done to Prevent This From Happening Again?
Given the publicity surrounding this incident, some legislators and representatives, such as Senator Elizabeth Warren of Massachusetts and Senator Brian Schatz of Hawaii, have called for investigation and increased regulation of the credit reporting industry.

Consumers Union, the policy and mobilization arm of Consumer Reports, has also outlined the steps it believes Equifax must take to remediate the situation.

This week, there will be a number of Congressional hearings to learn more about what happened, including one by the Subcommittee on Digital Commerce and Consumer Protection on Tuesday, two others by the Senate Banking Committee, and also the Senate Judiciary Subcommittee on Privacy, Technology and Law on Wednesday and another by the Financial Services Committee on Thursday.

For now, however, the onus is on you to protect yourself.

Start by freezing your credit with each of the four bureaus, though if you need access to credit it may cost you a few bucks to temporarily halt the freeze (for now, Equifax has agreed to waive all charges; there’s no cost to place a freeze at Innovis).

Then take other reasonable steps to protect your assets and credit. Finally, don’t forget to order your report once a year from each of the bureaus, which they must provide at no cost. Check those reports carefully for errors and signs of fraud.

Says Ulzheimer: “You’ll need to become engaged with your own protection—permanently.”
