At Equifax, a Category 5 data breach endangers consumers
As if it weren’t bad enough that Equifax exposed sensitive financial data of nearly half of all Americans to cyber thieves, the credit bureau has bungled just about every attempt to remedy the mess.
In an epic breach discovered July 29, hackers got away with the Social Security numbers, birth dates and addresses of as many as 143 million Americans, putting them at serious risk of identity theft.
The company then waited almost six weeks to reveal the hack. Its inundated website has provided confusing and conflicting information. Its call centers have been too short of agents to answer the deluge of calls. Its major remedies — a credit freeze and free one-year credit monitoring — won’t fully protect vulnerable consumers.
And, initially, it looked as if anyone who signed up for credit monitoring was, under a clause in the fine print, giving up the right to sue over the breach. (More than 20 class action lawsuits have been filed.) Only after a social media outcry did Equifax fix that problem.
Oh, and there’s this: Three senior executives sold shares worth nearly $1.8 million days after the breach was discovered and weeks before it was made public, when the stock tanked. A spokesman said the three did not know about the breach. If that’s true, you have to wonder about a company whose chief financial officer and president of information services aren’t told immediately about one of the gravest commercial data breaches in U.S. history.
It’s hard to give Equifax the benefit of the doubt, considering that the credit reporting agencies don’t give you the benefit of the doubt if you paid your mortgage late one month five years ago because your kid was in the hospital. Nope, that’s just a black mark on your credit scores, which affect your ability to secure a loan, get a job, or rent an apartment.
Though news of Equifax’s breach was overshadowed by Hurricane Irma, the impact is hard to overstate. A breach at one of the nation’s three major credit bureaus is far more dangerous than the typical retail credit card breach.
It’s easy enough to get a new credit card, but you can’t change your birth date or easily get a new Social Security number. Armed with these data, thieves could open credit cards or bank accounts in your name that you know nothing about. Or try to file a false tax return and make off with the refund.
Because this information has no expiration date, a thief could hold onto it and strike many years down the road. Yet with so much at stake, Equifax was inept at protecting the data it compiles about you and just as clumsy at trying to help customers.
Credit bureaus are supposed to safeguard information, but no government agency has authority to go in and review their security practices. Tighter federal oversight of the bureaus is needed. States could help by ensuring that credit freezes are free; seven states already do.
Equifax’s business is based on harvesting sensitive financial data about you. The company has proved it can’t fully protect that data. Now it needs to prove that it can at least do a better job of protecting millions of people from the damage that its ineptitude unleashed.