You can brand Equifax as the new Yahoo, the new Target or the new Sony — but that would be a glaring understatement. The damage wrought by the hacking of Equifax is bigger and broader than in those previous data breaches. And so, expect Equifax to forever wear the hairshirt of corporate catastrophe.
Equifax likely will survive but will pay a stiff, lasting price for allowing a data breach that affects as many as 143 million Americans, more than half of the country’s adult population.
The company is facing a cascade of lawsuits. Federal lawmakers want congressional hearings, and reportedly the FBI is investigating. It’s a sure bet that Equifax and the country’s other two major credit monitoring agencies, Experian and TransUnion, face a big step-up in regulation.
It all amounts to a humbling, painful lesson for Equifax and its executives. But if all the other companies that deal in troves of our private, sensitive data think it’s a lesson with no relevance for them, they’d better think twice. Banks, health care systems, utility companies, telecom providers, colleges, employers, tax revenue departments, insurers, money managers — all typically are custodians of Social Security numbers, and a wealth of other private data. Consider the Equifax debacle a loud wake-up call.
What distinguishes the Equifax fiasco is that Social Security numbers were exposed. Those are master keys that identity thieves can use in a variety of ways — to apply for credit as the faux you, steal your medical benefits or even commit crimes in your name.
Someone gets their hands on your credit card? Vexing, yes, but the remedy is simple. Call up the bank that issued the card, cancel the old number and get a new number. Or if someone has pilfered one of your passwords? Change the password and move on. But if hackers swipe your Social Security number? That puts you at peril of identity theft for as long as you’ve got a beating heart.
Atlanta-based Equifax, along with TransUnion and Experian, stores Americans’ private data so that the agencies’ customer companies can, for example, decide whether you’re a good credit risk for a mortgage. The information the agencies have isn’t voluntarily submitted by Americans — it’s collected by the agencies from banks, public records and other sources.
Equifax says the hacking took place between mid-May and July. It says it discovered the breach July 29, and that hackers had accessed the company’s network by exploiting a weak spot in website software.
Equifax’s response has made matters even worse. Company execs waited six weeks before letting the public know what happened. Six weeks is a gold mine of time for identity thieves to wreak havoc on credit card and bank accounts. Three Equifax executives sold off a combined $1.8 million in company stock days after learning of the breach, though Equifax claims the executives did not know of the breach at the time of the stock sale.
Equifax is offering free credit monitoring for a year so that people can react quickly to potential instances of identity theft. But given the magnitude of the breach and its long-term impact, a year isn’t enough. Especially disturbing is that this was the third time Equifax had been hacked this year. This was a breach of epic proportions, but two previous breaches within a year should have told Equifax executives they had vulnerabilities they needed to patch up.
Cost isn’t an excuse. Credit monitoring companies make big money; last year, Equifax had net income of nearly $500 million on revenues of more than $3.1 billion. For the good of Americans, Equifax and its competitors have to do a better job of guarding information. Rohit Chopra, once an assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America, recently told The New York Times, “You cannot fire the three credit bureaus.” They are, he said, “the plumbing of our financial system.”
We hope, however, that they learn and reform, and that government agencies better scrutinize their protection of the data they collect.
Just as important, though, is the lesson this disaster provides for the myriad other companies and agencies responsible for keeping our private data safe. They can heed that lesson and tighten their security. Or they can risk facing the fallout Equifax is enduring now.