Another day, another massive data breach. Except this one involves Equifax, one of the credit-monitoring companies you might expect to be ultrasensitive to the importance of safeguarding your personal information from hackers.
Instead, the company revealed on Thursday, the personal data of 143 million U.S. consumers in its care — nearly half the country — was potentially compromised. The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.
In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.
This isn’t the largest data breach ever — that crown belongs to Yahoo, which allowed account information for 500 million people to be hacked. But it has several elements that make it much worse than the usual. The breadth of the hacked information is one. Another is the signal it sends that firms like Equifax are much more concerned about collecting personal information than protecting it.
Here are three others:
— Equifax waited six weeks to disclose the breach. The firm says it discovered the breach, which it reports began in mid-May, on July 29. That’s six weeks that consumers could have been victimized without their knowledge and therefore left without the ability to take countermeasures. Equifax hasn’t explained the delay.
— Three Equifax executives sold shares after the discovery of the breach and before its public disclosure, according to Bloomberg. They collected $1.8 million from the sales, which weren’t part of any prearranged option-execise programs. The sales were made on Aug. 1 and 2, the third and fourth days after the breach was discovered. An Equifax spokeswoman says the executives were unaware of the breach at the time of their sales, but that’s hardly comforting: One was John Gamble, the firm’s chief financial officer. If the firm’s No. 2 executive wasn’t immediately informed about a catastrophic security breach, why not?
In any case, the executives’ timing was exquisite. Gamble sold 6,500 shares for $145.60, or about $946,400. As of midday Friday, following the firm’s disclosure, the shares are trading at a bit over $123, down about 13% on the day.
— Equifax already is trying to take advantage of the victims of its own breach. The firm set up a website allowing individuals to check if their information was potentially compromised, but it requires users to plug in their last name and last six digits of their Social Security numbers. That raises the question of why anyone would trust Equifax with even a partial Social Security number at this stage.
The site also invites users to sign up for Equifax’s “TrustedID Premier” credit monitoring service. As a recompense to the victims, the firm is offering this service free for a year. But be warned: Not only is that woefully inadequate, since hackers can exploit stolen personal data for many years, but it gives Equifax a lucrative database of possible customers to be sold continuing subscriptions for the service after the year is expired — at a price currently set at $19.95 a month. In fact, enrollment in the service typically requires customers to provide Equifax with a credit card number, which the firm uses to automatically bill them after the free trial is over.
“The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich,” security expert Brian Krebs observed on his website.
Even worse, the TrustedID terms of service state that enrollees give up their right to sue Equifax and prevents them from filing or joining a class action in the case of any dispute — they’ll have to go to arbitration as individuals, which almost always places consumers at a disadvantage. It isn’t clear how those restrictions apply to preexisting data breaches, but judges have held in other cases that arbitration clauses may have retroactive effect. People should be very, very cautious about signing up with Equifax’s service.
The most important lesson in the Equifax breach is an old one: Consumers whose information is held by Equifax are not its customers or clients — they’re the product, and their personal information merely raw material to be exploited by the firm for its own profit. Equifax and its two major competitors in the credit-monitoring game, Experian and TransUnion, make their money by compiling detailed files on individuals and selling them to credit card firms, banks and marketers. In short, they don’t care about you, except so far as you’re an entry in their databases.
Equifax Chief Executive Rick Smith tried hard to demonstrate that he does care, with little success. In a video on the firm’s website, he called the breach “a disappointing event for our company,” sounding a bit like Mr. Spock after he’s told that a catastrophic attack on the Enterprise is underway.
Smith further stated, “We pride ourselves on being a leader in managing and protecting data.” But the evidence contradicts that claim. Just last May, Krebs reported that thieves were able to access W-2 tax data of employees at client companies of Equifax’s payroll service subsidiary TALX, thanks to lax security. That breach lasted almost a year, starting in April 2016. The firm has suffered a string of other breaches, too.
The credit bureaus have “shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs wrote.
But lawmakers at the state and federal level have been inexcusably lax about regulating these data firms and any others holding sensitive consumer information. Only eight states — Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont — impose a firm deadline on how quickly companies must inform consumers of a breach, usually 30 to 90 days after its discovery. (California requires “timely” notification, whatever that means, except for medical information, which carries a 15-day notification deadline.)
In Europe, starting next May, the deadline will be 72 hours after a breach is discovered. That seems adequate.
In the meantime, what can consumers do? Krebs and other security experts recommend going beyond signing up for account monitoring services, and placing a security freeze on your credit lines. This can be done through Equifax and the other agencies, though there may be a fee. The freeze prevents anyone from opening a new credit or loan account in your name. That includes you, however, which means you have to lift the freeze when you wish to open a new account yourself, and reimpose it (possibly incurring another fee) afterward. That’s an inconvenience, but a worthwhile one to protect your credit, the experts say.
The real action needs to take place in Congress. If there were harsh federal penalties for the kind of sloppiness that seems to be demonstrated by Equifax — life-threatening penalties for the companies — it would be a good bet that they’d get their act together. After every major breach, lawmakers talk about taking action, but seldom go further than holding a hearing or two. If that happens this time, it won’t be long until the next monster breach.