The disastrous hack of the Equifax credit reporting bureau has put 143 million American consumers at risk of having their financial lives turned upside down.
Other hacks have affected more people. What makes this one so much more serious is the depth of information stolen. Not just personal data, but such things as Social Security numbers, credit card accounts and driver’s license numbers.
It poses one of the largest risks to consumers in years. With this information crooks can obtain credit cards, get driver’s licenses and steal tax refunds.
Atlanta-based Equifax, as one of three major credit reporting agencies, is a personal data warehouse. Consumers might not even be aware that Equifax has been collecting information on them from third parties in order to develop a credit rating.
Criminals gained access to certain files and the company system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company found the intrusion on July 29.
Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group, put it bluntly in a story in the New York Times: “This is about as bad as it gets.”
Equifax has done much wrong with this intrusion, starting with the fact that it is the third major cybersecurity breach for the agency since 2015.
How in the world could it not have learned from its earlier problems? And why did it take the company more than a month to notify the public that its information had been compromised?
That leads to the fact that three senior executives, including the company’s chief financial officer, sold shares worth almost $1.8 million days before the breach was announced and the company’s stock dropped 13 percent. The company said the executives did not know about the breach when they sold.
The company fumbled its attempt to help consumers learn whether their data had been stolen. Equifax created a website for consumers to plug in information, but asked for partial Social Security numbers, leading some to worry that the website was an illegal “phishing” enterprise. Worse, it appeared that by seeking information on the hack, consumers were giving up their right to sue the company.
Consumers were supposed to read the website’s terms of service and click “agree” to continue the process. But buried in the legalese was an agreement to forgo suing the company. The company, after prodding from State Attorney General Eric Schneiderman, said clicking that “agree” box will not affect the right to sue.
The company suggests consumers get a free credit report and, if necessary, contact a law enforcement agency if they believe any stolen information has been used.
Equifax has offered credit protection service free for one year for consumers who enroll by Nov. 21, but as one expert pointed out, it’s not enough when the information can be bought and sold for years.
The Equifax breach serves as another harsh reminder that information is at risk no matter how much care consumers exercise.