Guest Editorial: Equifax data breach teaches lessons.
You can brand Equifax as the new Yahoo, the new Target or the new Sony — but that would be glaring understatement. The damage wrought by the hacking of Equifax is bigger and broader than in those previous data breaches. And so, expect Equifax to forever wear the hairshirt of corporate catastrophe.
Equifax likely will survive but will pay a stiff, lasting price for allowing a data breach that affects as many as 143 million Americans, more than half of the country’s adult population. …
The company is facing a cascade of lawsuits. Federal lawmakers want congressional hearings, and reportedly the FBI is investigating. It’s a sure bet that Equifax and the country’s other two major credit monitoring agencies, Experian and Chicago-based TransUnion, face a big step-up in regulation.
It all amounts to a humbling, painful lesson for Equifax and its executives. But if all the other companies that deal in troves of our private, sensitive data think it’s a lesson with no relevance for them, they’d better think twice. Banks, health-care systems, utility companies, telecom providers, colleges, employers, tax-revenue departments, insurers, money managers — all typically are custodians of Social Security numbers, and a wealth of other private data. Consider the Equifax debacle a loud wake-up call.
What distinguishes the Equifax fiasco is that Social Security numbers were exposed. Those are master keys that identity thieves can use in a variety of ways — to apply for credit as the faux you, steal your medical benefits or even commit crimes in your name . ... That puts you at peril of identity theft for as long as you’ve got a beating heart.
Atlanta-based Equifax, along with TransUnion and Experian, store Americans’ private data so that their customer companies can, for example, decide whether you’re a good credit risk for a mortgage. The information the agencies have isn’t voluntarily submitted by Americans — it’s collected by the agencies from banks, public records and other sources.
Equifax says the hacking took place between mid-May and July. It says it discovered the breach July 29, and that hackers had accessed the company’s network by exploiting a weak spot in website software.
Equifax’s response has made matters even worse. Company execs waited six weeks before letting the public know what happened. Six weeks is a gold mine of time for identity thieves to wreak havoc on credit card and bank accounts . ...
Equifax is offering free credit monitoring for a year so that people can react quickly to potential instances of identity theft. But given the magnitude of the breach and its long-term impact, a year isn’t enough. Especially disturbing is that this was the third time Equifax had been hacked this year. This was a breach of epic proportions, but two previous breaches within a year should have told Equifax executives they had vulnerabilities they needed to patch up.
Cost isn’t an excuse. Credit monitoring companies make big money; last year, Equifax had net income of nearly $500 million on revenues of more than $3.1 billion. For the good of Americans, Equifax and its competitors have to do a better job of guarding information . ...
Just as important, though, is the lesson this disaster provides for the myriad other companies and agencies responsible for keeping our private data safe. They can heed that lesson and tighten their security. Or they can risk facing the fallout Equifax is enduring now.