Column: Here are all the ways the Equifax data breach is worse than you can imagine
Another day, another massive data breach. Except this one involves Equifax, one of the credit-monitoring companies you might expect to be ultrasensitive to the importance of safeguarding your personal information from hackers.
Instead, the company revealed on Thursday, the personal data of 143 million U.S. consumers in its care — nearly half the country — was potentially compromised. The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.
In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.
The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich.
— Security expert Brian Krebs
This isn’t the largest data breach ever — that crown belongs to Yahoo, which allowed account information for 500 million people to be hacked. But it has several elements that make it much worse than the usual. The breadth of the hacked information is one. Another is the signal it sends that firms like Equifax are much more concerned about collecting personal information than protecting it.
Here are three others:
— Equifax waited six weeks to disclose the breach. The firm says it discovered the breach, which it reports began in mid-May, on July 29. That’s six weeks that consumers could have been victimized without their knowledge and therefore left without the ability to take countermeasures. Equifax hasn’t explained the delay.
— Three Equifax executives sold shares after the discovery of the breach and before its public disclosure, according to Bloomberg. They collected $1.8 million from the sales, which weren’t part of any prearranged option-execise programs. The sales were made on Aug. 1 and 2, the third and fourth days after the breach was discovered. An Equifax spokeswoman says the executives were unaware of the breach at the time of their sales, but that’s hardly comforting: One was John Gamble, the firm’s chief financial officer. If the firm’s No. 2 executive wasn’t immediately informed about a catastrophic security breach, why not?
— Equifax already is trying to take advantage of the victims of its own breach. The firm set up a website allowing individuals to check if their information was potentially compromised, but it requires users to plug in their last name and last six digits of their Social Security numbers. That raises the question of why anyone would trust Equifax with even a partial Social Security number at this stage.
The site also invites users to sign up for Equifax’s “TrustedID Premier” credit monitoring service. As a recompense to the victims, the firm is offering this service free for a year. But be warned: Not only is that woefully inadequate, since hackers can exploit stolen personal data for many years, but it gives Equifax a lucrative database of possible customers to be sold continuing subscriptions for the service after the year is expired — at a price currently set at $19.95 a month. In fact, enrollment in the service typically requires customers to provide Equifax with a credit card number, which the firm uses to automatically bill them after the free trial is over.
Even worse, the TrustedID terms of service state that enrollees give up their right to sue Equifax and prevents them from filing or joining a class action in the case of any dispute — they’ll have to go to arbitration as individuals, which almost always places consumers at a disadvantage. It isn’t clear how those restrictions apply to preexisting data breaches, but judges have held in other cases that arbitration clauses may have retroactive effect. People should be very, very cautious about signing up with Equifax’s service.
The most important lesson in the Equifax breach is an old one: Consumers whose information is held by Equifax are not its customers or clients — they’re the product, and their personal information merely raw material to be exploited by the firm for its own profit. Equifax and its two major competitors in the credit-monitoring game, Experian and TransUnion, make their money by compiling detailed files on individuals and selling them to credit card firms, banks and marketers. In short, they don’t care about you, except so far as you’re an entry in their databases.
Equifax Chief Executive Rick Smith tried hard to demonstrate that he does care, with little success. In a video on the firm’s website, he called the breach “a disappointing event for our company,” sounding a bit like Mr. Spock after he’s told that a catastrophic attack on the Enterprise is underway.
Smith further stated, “We pride ourselves on being a leader in managing and protecting data.” But the evidence contradicts that claim. Just last May, Krebs reported that thieves were able to access W-2 tax data of employees at client companies of Equifax’s payroll service subsidiary TALX, thanks to lax security. That breach lasted almost a year, starting in April 2016. The firm has suffered a string of other breaches, too.
The credit bureaus have “shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs wrote.
But lawmakers at the state and federal level have been inexcusably lax about regulating these data firms and any others holding sensitive consumer information. Only eight states — Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont — impose a firm deadline on how quickly companies must inform consumers of a breach, usually 30 to 90 days after its discovery. (California requires “timely” notification, whatever that means, except for medical information, which carries a 15-day notification deadline.)
In Europe, starting next May, the deadline will be 72 hours after a breach is discovered. That seems adequate.
The real action needs to take place in Congress. If there were harsh federal penalties for the kind of sloppiness that seems to be demonstrated by Equifax — life-threatening penalties for the companies — it would be a good bet that they’d get their act together. After every major breach, lawmakers talk about taking action, but seldom go further than holding a hearing or two. If that happens this time, it won’t be long until the next monster breach.