Equifax apologized again Friday for its massive data breach and touted plans to build a new credit monitoring tool to give people more control over their data.
During an earnings call, Chief Executive Paulino do Rego Barros Jr. outlined plans to rebuild trust after saying that the credit reporting company’s senior leadership team will forgo "incentive compensation" — essentially, bonuses — for 2017.
He added that Equifax will release a free tool to allow anyone to lock their account to prevent others from viewing credit data or opening accounts in their name. (A credit lock, however, affords users fewer legal rights than a credit freeze, even in the event of a hack.) That tool is set to launch at the end of January.
Equifax is working with other companies to create something similar for the whole industry, he said. "We believe the time is right for an industrywide solution that provides consumers a way to substantially improve visibility and control to personal credit data for free, for life."
The company is facing more than 240 class-action lawsuits from consumers — in addition to suits from shareholders and financial institutions — over the way it handled the massive data breach.
The lawsuits were detailed in the company's third-quarter earnings report Thursday, its first since revealing the breach in September. The incident prompted three top officials to leave the company, including then-Chief Executive Richard Smith.
Equifax also said in its filings that it had received subpoenas from the Securities and Exchange Commission, as well as the U.S. attorney's office for the Northern District of Georgia "regarding trading activities by certain of our employees in relation to the cybersecurity incident." Shortly after news of the breach broke, reports circulated that top officials had sold Equifax stock after the company found out about the breach, but before disclosing it to the public. Equifax said this week that it had cleared its executives of wrongdoing after an internal investigation found that the executives did not personally know about the breach before their stock sales.
SEC Chairman Jay Clayton has not confirmed or denied that the SEC is investigating those executives for insider trading, according to the Associated Press.
The company is also facing more than 60 government investigations from states, U.S. federal agencies and the British and Canadian governments, the earnings report revealed.
Equifax estimated that its breach-related costs will total $87.5 million. It said it did not know how much it would have to pay to address any judgments, settlements or penalties as a result of the breach.
Equifax currently has a credit monitoring service that it's offering for free to all 145.5 million people affected by the breach; registration remains open through Jan. 31. The service allows users to monitor and freeze their accounts. The firm's chief financial officer, John W. Gamble Jr., said during the Friday earnings call that approximately 1.5% to 2% of all Equifax files now have a lock or freeze placed on them.
Overall, Equifax has said that roughly 30 million people have visited the website it set up to inform consumers about the breach. But it has not reached out to individuals affected by the breach personally — leaving questions about how many people could still be unaware that their sensitive information was stolen, as Equifax tries to move on.
A recent survey from financial site CreditCards.com found that 71 million American adults hadn't heard anything about the breach more than a month after it was first announced, despite heavy news coverage.
Barros has declined to say whether Equifax will reach out to individuals by mail or email. Sen. Tammy Baldwin (D-Wis.), who helped introduce a consumer protection bill called the Freedom from Equifax Exploitation Act after the breach, sent a letter Thursday requesting that Equifax do so.
"It is deeply concerning that only slightly more than 20% of affected individuals have successfully used this tool, which you said you have been promoting heavily through social and other media," she said in the letter, which is posted publicly. "[It] remains quite possible that millions of individuals do not know for certain if their information was exposed."
Tsukayama writes for the Washington Post.