Equifax, one of the big three credit monitoring firms, collects information including addresses, driver’s license numbers, social security numbers, utility accounts, birth and death records, criminal records, medical debt, and rental history. The entirety of this confidential information has now been compromised due to a massive data breach on September 7, 2017. This breach not only poses an imminent danger to consumers’ identities, but also a lifelong risk of identity theft. Within one week of the breach, the domino effect began: the retirements of both the chief information officer and the chief security officer were made effective immediately. Since the large-scale breach that exposed the personal data of over 143 million people, consumers and shareholders have initiated dozens of lawsuits, and Equifax’s stock price dropped 27% in response to the controversy. Moreover, it has come to light that Equifax dealt with an earlier breach in March of this year; however, the company did not release details of the exposed data.
Since the beginning of the breach, Equifax’s reaction has been less than impressive. On the first day of the hack, the company’s website directed potential victims to a URL, equifaxsecurity2017.com, which was quickly found to have bugs. For example, the site asked users to submit the last six digits of their social security numbers in order to determine whether their personal data had been compromised. Even in the weeks following the massive breach, the Equifax Twitter account mistakenly tweeted a phishing link on multiple occasions; sources reported that the phishing link received approximately 200,000 page loads. To make matters worse, in early August, Equifax executives sold almost $2 million in company stock, raising the obvious question of whether the executives knew of the breach at the time of the sale. However, a statement from Equifax contends that the company had no such knowledge when the executives sold “a small percentage of their Equifax shares.” Finally, in addition to these bizarre failures in security measures, a security weakness was detected in the digital system for Equifax’s Argentina employees, where the login credentials were simply the username “admin” and the password “admin.”
The breach was open from mid-May until July 29, 2017, during which time Equifax attempted to halt the cyberattack. The following week, Equifax engaged Mandiant, an independent cyber security firm. Ironically, in late July, Mandiant was itself the target of a hack attack, in which the systems of a senior Mandiant cyber analyst were compromised, exposing sensitive information. After Equifax learned about the data breach, the company took six weeks to publicly disclose the news. Comprehensive procedures should have been in place for handling this type of event; instead, Equifax’s approach to the situation has led many to extensively question the credibility of the company. Preventative measures, such as Data Loss Prevention (“DLP”), help reduce the risk of breach for companies similar to Equifax. DLP services monitor the activity on a given network and alert the business when unusual usage occurs. Of course, companies tend to underinvest in DLP services, since security is a cost center. Moreover, the market does not currently mandate any security measures for companies such as Equifax that possess sensitive information, since the company is not subject to regulation on how the data is collected, protected, and used.
Data breaches are occurring at an exponential pace, and with each breach the hackers seem emboldened to disrupt bigger targets. In 2013, two of the largest data breaches took place: 1.5 billion Yahoo user accounts were compromised, and the Target breach exposed the credit and debit card information of over 110 million people. The following year, eBay suffered a data breach exposing 145 million users’ account details and financial information, accompanied by the Home Depot hack, in which credit and debit card details for 56 million customers were stolen. 2016 was a record year for personal data breaches: with over 1,000 reported incidents at government agencies and U.S. companies, data breaches increased 40% from the prior year. The cost of remedying breaches such as these can be very steep. For example, Target’s hack resulted in a $10 million settlement with shoppers and another $39.4 million spent to resolve claims by banks and credit unions.
In an attempt to address the security breach and exposure of personal data, Senator Elizabeth Warren, along with eleven other Democratic senators, introduced a bill that would allow customers to freeze their credit without charge for six months, as well as restrict access to an individual’s credit report. The bill would also stop companies such as Equifax from charging consumers for restricting access to their credit accounts. Senator Warren’s bill is the first of many steps needed for increased regulation and overall industry change among companies that, like Equifax, host sensitive information. Consumer financial firms, such as mortgage lenders, are subject to higher scrutiny than credit report agencies; in light of recent security breaches, it is time for a change. Credit report agencies operate without public consent, which is a critical reason why Congress needs to create accountability and regulate these companies. Perhaps the silver lining of this mega breach is that it brings attention to much needed reform among credit report agencies that currently operate unregulated.