The Atlanta Journal-Constitution
A year after hacking, Equifax still criticized
Watchdog group cites failures to prepare for, respond to breach.
A year after hackers broke into Equifax’s network and stole the personal information of 148 million Americans, a report by a consumer watchdog group is lambasting the credit reporting agency for not addressing its vulnerabilities earlier and for botching its response to the unprecedented breach.
Moreover, the report — issued Thursday by the U.S. Public Interest Research Group and the National Consumer Law Center — criticized lawmakers and regulators for not holding the Atlanta-based company accountable for its failures.
“Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.
Equifax officials, however, are touting their efforts to shore up data defense and say the agency is offering more ways for consumers to protect themselves, with free credit freezes and locks that seal credit reports and prevent thieves from opening lines of credit in a consumer’s name and notifications when credit lines are establish.
“In the past year, we have undertaken a host of security, operational and technological improvements,” a written statement from the company said. “In fact, in 2018 alone, we will increase our investment in security and technology by more than $200 million.”
Critics say those efforts are overdue.
It was a year ago today that Equifax announced a massive breach of the data it held. The cause was “Equi- fax’s carelessness,” Litt said. “This may not have been the biggest breach ever, but it’s the worst.”
That exposure — unprecedented in scope and mag- nitude — gave thieves the chance to steal millions of identities and possibly lure consumers into costly scams.
St i ll, t he report says, the sins of Equifax started long before the breach was announced. “Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known secu- rity vulnerability,” it asserts.
Even after realizing the data had been accessed, the company was slow to let the public know of the hacking, the report says.
Then, to make matters worse, the company botched its response, the report says, by setting up flawed assistance online, understaffing its call center and — at first — compelling aggrieved consumers to sign away their right to sue.
Equifax this week declined a request from The Atlanta Journal-Constitution for an interview, issuing a written statement instead. The company did not respond specifically to the report, but said protecting data is its “top priority.”
“We recognize that cyber- security impacts not just us, but the entire industry. We are committed to collaborat- ing with our peers, custom- ers and partners to find solutions for emerging security challenges, create collective perspectives, document best practices and work together to deliver solutions that benefit the security community and ultimately consumers,” the statement said.
Meanwhile, the com- pany has been hit with a class action suit. And in the wake of the hack, the com- pany named new executives to manage security and tech- nology, as well as a new chief executive to replace Rich- ard Smith.
Smith, who decided to retire several weeks after announcement of the breach, was grilled before Congress in a set of contentious hear- ings. But he walked away with a package estimated to be worth more than $48 million.
Despite the public vitriol and the money spent on bet- ter processes, the data world is not that different a year later, said Humayun Zafar, a professor at Kennesaw State’s Center for Information Security Education.
“What I’ve not seen from Equifax is a marked change in their cybersecurity culture, post breach,” he said. “Without a shift in culture, a lot more breaches will continue to occur.”
It’s not all the fault of Equifax — consumers need more education, he said. “I think, from a consumer perspective, not much has changed. A majority of the general public may not understand what information of theirs is in the public domain and needs to be protected to begin with.”
And, however aggressive the Equifax defense might become, sooner or later, there will be other stories about data theft and manipulation, he said.
“Companies and individuals need to understand that cybersecurity is not a static issue,” Zafar said. “The threats will evolve.”