Paypal may submit personal information to Equifax.


My personal Paypal account has encountered an unexpected problem. I received a warning that I need to confirm my identity with them.

So I logged in and completed some details. Then when I reached the bottom of the page, I was confronted with this message:

“YOUR NAME agrees that PayPal may submit the information shared (name, residential address, and date of birth) to Equifax to confirm YOUR identity…”

Say What?!

It went on to say this:

“…Equifax will provide PayPal with an assessment of whether this information matches existing credit information on file. You can opt out by proceeding without checking the box.”

What’s the problem then?

In 2017, Equifax servers were breached and exposed 148,000,000 (148 million) people’s personal information to theft. Various enquiries and court cases followed, but the US Federal Trade Commission pursued the point and theoretically managed to wrangle $425 million out of Equifax to “help people affected by the data breach”, which sounds a lot, but $425,000,000 divided by 148,000,000 is 2.87.

Put another way, Equifax was fined $2.87 for each person’s data. That’s a slap on the wrist from another room.

Equifax Data Breach Settlement
20 January 2020
In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach.
ftc.gov

But that was then, they’ve obviously learned their lesson

Not quite.

What happens if your Equifax credit report falls into the wrong hands?
3rd January 2020
One tech-savvy CHOICE member says the credit reporting bureau’s approach to security is inadequate.
choice.com.au

So what to do about Paypal?

There are plenty of other Australian credit checking organizations, but I can only assume Paypal has some kind of deal with Equifax in the United States, ergo, they’ll force everyone to use that system.

The dark pattern

The form just displays again and again unless I authorize Equifax to ~~share my details with every darknet site on the internet~~ assess if my information matches information on file.

Except, the text says it’s optional.

And in fact it is.

If you click the Submit button, then logout and login again, the incomplete ID warning disappears entirely, and suddenly I’m able to use Paypal.

Design that confuses

At best this is very poor behaviour on the part of Paypal Australia. It’s design that confuses and traps the unwary at best, and at worst, an egregious attempt to pump private citizens’ personal details into a credit checking firm that’s had major security breaches and been found wanting.