Equifax, one of the three major consumer credit reporting agencies, recently announced an information breach of private company data which might have affected over 143 million Americans. The data includes sensitive information such as birth dates, Social Security numbers, names, addresses, credit card numbers and driver’s license numbers. This recent cyberattack is one of the largest, most damaging data breaches in history. Equifax is responsible for the private data of over 820 million consumers and more than 91 million businesses worldwide. According to The New York Times, it also manages a database with employee information from more than 7,100 employers. The agency also houses much of the data that is supposed to be a safety net against security breaches, such as security questions and answers necessary for account recovery. With that data now breached, the safety net is completely gone. Equifax says it discovered the breach on July 29. According to CNBC, the company stated that the hack occurred when “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Securities and Exchange Commission filings show that three Equifax executives, including Chief Financial Officer John Gamble Jr., workforce solutions President Rodolfo Ploder and U.S. information solutions President Joseph Loughran, sold nearly $2 million in company shares mere days after the cyberattack was discovered. It is unknown if they were aware of the breach before selling their shares, although the company claims that they “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group, stated, “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.” Although other recent breaches are much larger, such as the two breaches Yahoo announced in 2016, the Equifax information breach is more severe. By targeting a consumer credit reporting agency, hackers were able to obtain much more private information.
Using the stolen data, identity thieves can impersonate people, fooling lenders, creditors and service providers who use the identity information Equifax provides to make financial decisions regarding customers. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.
Equifax has been previously breached both last year and earlier this year, as hackers stole W-2 and salary data from Equifax’s website and a subsidiary of Equifax. Cybersecurity professionals criticized the company for not improving its security practices after these thefts. “Equifax should have multiple layers of controls,” Litan said.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Richard F. Smith, chairman and chief executive of Equifax, said in a statement, according to The New York Times. “Confronting cybersecurity risks is a daily fight.”
Equifax is alerting customers who have had their information compromised in the breach by mail, and is cooperating with state and federal authorities, according to CNBC. Users can go to the Equifax website to see if their information has been compromised. The site asks for a customer’s last name and the last six digits of their Social Security number. However, customers do not get confirmation about whether they were affected, but rather an enrollment date for Equifax’s protection service. The credit protection service is free for one year for consumers who enroll by Nov. 21, and is available to everyone. John Ulzheimer, a consumer credit expert, claimed in a The New York Times article that “Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come.”
The company also suggests getting a free copy of one’s credit report from one of the three major credit bureaus, which are Equifax, Experian and TransUnion. According to The New York Times, it also suggests contacting a law enforcement agency if one believes any stolen information has already been used in some way.
The information breach has negatively affected the company’s publicity. For example, Equifax’s top information and security executives announced their retirement as a result of the breach. The company’s share price dropped 35 percent since the breach was first announced. Additionally, Equifax has been hit with more than 100 consumer lawsuits over the security breach, suits and investigations from state attorneys general and the Federal Trade Commission and claims by financial institutions, according to Bloomberg.
The Justice Department opened a criminal probe in an attempt to surmise whether top executives at the company violated insider trading laws when they sold stock before disclosing that Equifax was hacked.