Data breach is huge worry
Criminals obtained trove of info
Another day, another digital burglary. But this time, criminals obtained the sensitive personal data of an astonishing number of Americans — 143 million people, or roughly half the country’s population.
The hackers purloined Social Security numbers and birthdates — the stuff required for identity theft — along with home addresses and some driver’s-license and credit-card numbers.
The breach is disastrous for Equifax, which is one of the nation’s three major credit reporting agencies. Unlike other companies struck by hackers, such as Target, the only product Equifax sells is trust and credibility — not trendy clothes or nifty housewares that keep people coming back. It had one job: Keep accurate personal information on American consumers and keep that information secure.
The hacking, discovered July 29, wasn’t disclosed until Thursday. It’s unclear whether that delay broke any of the notification laws that, unfortunately, exist in only some states, Ohio being among them. In Ohio, notification is required within 45 days, unless law enforcement needs a delay. (See data breech regulation charts by the law firm Baker & Hostetler at http://bit. ly/2aRQk6f .)
Predictably, Equifax stock prices plunged and class-action suits loom. Astonishingly, three Equifax executives sold shares within a few days after the breach was discovered, but before disclosure caused stocks to tumble by as much as 18 percent. This exquisite timing allowed them to collect $1.8 million from the sales, but the execs — including the firm’s chief financial officer — maintain that they didn’t know about the data breach. The claim by Equifax that its CFO remained in the dark isn’t reassuring.
While hacks are no longer uncommon, the lack of quick disclosure and the timing of the executive stock sales only deepen consumer ire and distrust.
This isn’t the biggest data breach in history — Yahoo deserves that ignoble distinction — but it provided a trove of highly valuable information that thieves could use for years to come. (Yahoo’s cyber break-in didn’t supply any Social Security numbers.)
And it’s not as if consumers had a choice in trusting Equifax with their sensitive information. It is one of three major credit-rating companies — the other two being Experian and TransUnion — that compile and sell credit histories and rankings about individuals to credit-card companies, banks, lenders, employers, retailers and others. The agency gets data often without the consumer even knowing it.
But wait! There’s, ahem, help. The Los Angeles Times reports that those who sign up for Equifax’s “TrustedID Premier” credit-monitoring service (free to theft victims for a woefully inadequate year) will be signing up for Equifax’s own lucrative identity-protection service. The service, which currently costs $19.95 a month, presumably will glean a list of sales marks after the free “trial” has expired.
The Equifax data breach should prompt states’ attorneys general, legislatures, federal regulatory agencies and Congress to review existing or absent laws to require prompt notification and stronger consumer protections.
Intensive credit monitoring and identity-theft protection or insurance can help once the horse is out of the barn. But all this requires consumers knowing to begin with that they’ve been burgled.