Criticism continues to grow louder
NEW YORK — There’s no way around it: The news from credit reporting company Equifax that 143 million Americans had their information exposed is extremely serious.
Crucial pieces of personal data that criminals could use to commit identity theft — Social Security numbers, birthdates, address histories, legal names — were all obtained. That’s information that cannot change. And once that data is out there, it’s basically out there forever.
“The crown jewels of personal information were exposed and potentially stolen,” said John Ulzheimer, an independent credit consultant who previously worked at Equifax.
Equifax’s key role in the financial industry makes this breach more alarming than previous ones at Yahoo or retailers.
It’s a storehouse of personal information, like how much people owe on their houses and whether they have court judgments against them.
Lenders rely on the information collected by three big credit bureaus — Equifax, TransUnion and Experian — to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are sometimes done by employers when deciding whom to hire for a job.
Atlanta-based Equifax said Thursday that “criminals” exploited a U.S. website application to access the files between mid-May and July of this year. It discovered the hack July 29, but waited until Thursday to warn consumers.
Size and scope
This isn’t the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users’ accounts throughout the world. But no Social Security numbers or drivers’ license information were disclosed in the Yahoo break-in.
Equifax’s security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person’s identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.
Any data breach threatens to tarnish a company’s reputation, but it is especially mortifying for Equifax, whose entire business revolves around being a secure storehouse and providing a clear financial profile of consumers that lenders and other businesses can trust.
And a security expert said the website created Equifax to help customers find out if their information was stolen raises its own security questions. The site looks like the kind set up by attackers to trick people into disclosing information, says Georgia Weidman, founder and chief technology officer for security firm Shevirah.
“It’s teaching people entirely the wrong things about using the internet securely,” Weidman said. She said says she’s also troubled by Equifax’s approach to security generally, including reports that it didn’t respond to basic scripting bugs it was warned about last year.
In addition to the personal information, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were “certain dispute documents” containing personal information for approximately 182,000 people in the U.S.
The company said hackers may have some “limited personal information” about British and Canadian residents, but doesn’t believe that consumers from other countries were affected.
Fallout
The enormity of the breach has put immense financial and political pressure on Equifax.
Washington regulators and politicians swiftly criticized Equifax, and Jeb Hensarling, chairman of the House Financial Services Committee, said he will call for Congressional hearings.
Equifax’s requirement that affected customers sign up for arbitration also drew a backlash. Democrats in the House and Senate called on the company to pull back
Find out if you’re affected. Visit www.equifaxsecurity2017. com. You will be asked to enter your last name and part of your Social Security number. (Consumers can also call 866447-7559 for information.)
Enroll (free for one year) in “TrustedID Premier,” a creditmonitoring service that covers all three of the major credit bureaus — Equifax, TransUnion, and Experian — and give you copies of your Equifax credit report. You can sign up for this feature by visiting www. equifaxsecurity2017.com. The deadline is Nov. 21. (Government officials are alerting people who sign up for the TrustedID Premier service that Equifax has included clauses in the agreement that require arbitration of disputes about the credit-monitoring service. The Ohio attorney general’s office says agreeing to that service’s terms and conditions does not prevent people from suing Equifax over the breach itself. Other officials, including the Consumer Financial Protection Bureau, are outraged at the
its requirement that anyone who signs up for credit monitoring give up their right to sue Equifax in a class-action lawsuit.
The Consumer Financial Protection Bureau, the nation’s chief watchdog for financial services, called the breach “troubling” and said Equifax should drop the arbitration requirement. The CFPB recently passed a rule requiring financial companies to let customers sue together when a large group has been wronged.
Several state attorneys general also stepped in. New York’s attorney general, Eric Schneiderman,
mandatory arbitration requirement for the service.)
Keep an eye on your credit reports. Individuals are allowed one free report each year from each of the three credit bureaus. Visit www.AnnualCreditReport.com to access them.
Place an initial fraud alert on your credit report. Contact one of the credit bureaurs and request this free service. It’s in effect for 90 days and makes it more difficult for someone to open a credit account in your name.
Place a security freeze on your credit report so most third parties can’t access it. It helps prevent unauthorized accounts from being opened in your name. In Ohio, such freezes are permanent until you lift them. Initiating or canceling a freeze costs $5 per credit bureau. Identity-theft victims may contact the Ohio attorney general’s office at 800-282-0515 or www. OhioProtects.org. said he was starting his own investigation.
Company executives are also under scrutiny, after it was found that three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators. Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Equifax shares fell about 13 percent to $123.75 in heavy trading. The decline equates to about $2.28 billion in lost market value.