A year after Equifax’s giant data breach, the company is prospering

Data breach? What data breach?

One year after Equifax Inc. disclosed a hack of its computers that shook the financial world, sparking an FBI review and slashing a third off the company’s share price in one week, investors and the public seem to have largely moved on.

The company, whose shares have recovered almost 90% of the losses suffered in the plunge, will probably post a record annual profit next year. Equifax said there was no mass defection of clients after the breach put half the U.S. population’s sensitive personal information at risk, and congressional hearings have yielded no major changes to federal laws protecting data. The credit-reporting company’s revenue last quarter reached a record $877 million despite the hack.

“It was certainly a bump in the road, but it doesn’t look like anything else is going to dramatically change the future,” said Brett Horn, an analyst at Morningstar Inc.

Between May and July of last year, criminals exploited a vulnerability in the software Equifax used to build its website and absconded with data on credit cards, Social Security numbers and driver’s licenses. The company faced withering criticism after disclosing the hack in September 2017, and more than 90% of consumers have taken some action to protect themselves from identity theft in the aftermath.

A Government Accountability Office report released Friday details steps that have been taken since the incident, noting that Equifax’s primary regulators are still investigating.

“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information,” Sen. Elizabeth Warren (D-Mass.), who requested the report, said in a statement.

An Equifax spokeswoman declined to make company executives available for an interview, but the company said in an emailed statement that it has made a number of improvements since the breach, including a more than $200-million boost to this year’s budget for security and technology.

“We have enhanced our leadership team to include some of the most experienced cybersecurity and technology professionals in the industry, notably new Chief Information Security Officer Jamil Farshchi and Chief Technology Officer Bryson Koehler,” the spokeswoman said.

Regulatory landscape

After the breach, legislators held hearings and proposed policies to guard consumers’ data. The Consumer Financial Protection Bureau and the FBI looked into the hack, and the Federal Trade Commission started an investigation.

California enacted sweeping data-privacy rules, and Vermont passed a law regulating data brokers. Eight state banking commissioners, including New York’s, signed a consent order with Equifax requiring the company to bolster oversight.

“There’s now momentum building among state governments in the U.S., regulators, and regulators abroad to adopt stricter cybersecurity regimes to give consumers more control of their data,” said Joseph Facciponti, an attorney with expertise in cybersecurity. “It’s a tipping point in the public’s consciousnesses.”

Free credit freezes will now be required as part of legislation rolling back the Dodd-Frank financial regulations, but some argue more action is needed.

“One year later, Equifax still hasn’t paid a price for putting 150 million U.S. consumers in harm’s way,” said Mike Litt, consumer campaign director at U.S. Public Interest Research Group, which works for tougher consumer-protection laws. “There hasn’t really been consequences, at least not financial consequences, and that’s ultimately what’s needed.”

A class-action lawsuit pending in an Atlanta federal court might eventually bring some of that financial pain to Equifax. The suit, a consolidation of various cases representing a nationwide class, is in its early stages as it winds its way through the court system.

Where’s the data?

The data siphoned from Equifax probably won’t ever show up as one big package for sale on the dark web, said Munish Walther-Puri, chief research officer of Terbium Labs, which monitors data on the dark web. Instead, he said, hackers are likely to bundle the information with details from other breaches — such as medical data — and sell it in packages known as Fullz.

A Fullz bundle typically includes a person’s name, Social Security number, birth date and account data and sells for about $30 on the dark web, according to Experian.

“Prior to Equifax, there was a solid layer of information out there about people,” Walther-Puri said. “The Equifax data really fills out a lot of that packaging.”

Levingston and Surane write for Bloomberg.