A year after data breach: Atlanta-based Equifax unbowed
A year after the worst data breach in U.S. history to date, Atlanta-based Equifax has been chastened, but its business model is unchanged and the company churns on, virtually undamaged by legislative, regulatory or prosecutorial penalties.
It was a year ago that the company noticed the first signs of historic trouble — hackers had slipped through the Atlanta company’s cyber defenses into the heart of the company’s data.
Worse, the intrusion had apparently been going on for some time.
Worse than that, the information accessed was more personal information about more Americans than in virtually any previous major data breach: Information on more than 147 million Americans was accessed — although the scope of the theft was not clear at first.
In fact, it took until early September for the company to reveal there had been any hacking at all.
Once the word was out, there was a firestorm of anger and investigations which have thus far led to Congressional hearings, lawsuits against the company, charges of insider trading against two former executives and the departure of some higher ranking executives.
Equifax did agree to a consent order with regulators from eight states, including Georgia, that required the company to report on how it is improving security and to submit to reviews of its practices.
But thus far, no financial punishment has been imposed on Equifax itself.
Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company.
And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax.
Earlier this month, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars.
But the company is certainly not unchanged.
CEO Rick Smith retired prematurely, as did several other top officials. A new CEO was named, as was a new chief information security officer, Jamil Farshchi, who told Wired magazine that the company has invested $200 million on data security infrastructure.
Meanwhile, most consumers whose data might have been stolen do not know if that information is being used against them, and many have done little to protect themselves.