On Thursday, Equifax Inc. (NYSE: EFX), one of the three major credit reporting agencies, disclosed that they experienced a massive data breach between mid-May through July 2017 that could affect as many as 143 million U.S. consumers. In a statement, the company said it had no evidence of unauthorized activity on its core consumer or commercial credit reporting databases.
The information accessed illegally includes names, Social Security numbers, dates of birth, addresses and, in some cases, driver’s license numbers. The FTC reports that 209,000 people had their credit card numbers stolen and dispute documents with personally identifying information from 182,000 people. Some consumers in Canada and the U.K. also had their personal information stolen.
Register for our free webinar on July 15th.
In a press release, Equifax said it discovered the breach on July 29 and acted immediately, engaging a cybersecurity firm to conduct a forensic review to determine how large the problem was and identify what information may have been accessed. Equifax also contacted law enforcement, and is contacting state and federal regulators and state attorneys general. The company did not disclose the breach to the public until September 7.
‘This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,’ said Chairman and CEO Richard F. Smith, in a statement. ‘We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.’
Equifax set up a website, www.EquifaxSecurity2017.com, for consumers to determine if they are among the 143 million Americans impacted by this data breach and to sign up for ‘credit file monitoring and identity theft protection.’ The product called TrustedID Premier also includes copies of Equifax credit reports, identity theft insurance and Internet scanning of Social Security numbers, free for one year. Equifax also set up a call center at 866-447-7559 (7 AM to 1 AM, Eastern, 7 days a week) to address consumer concerns. Equifax also said it would send direct mail notices to consumers whose credit card numbers or disputes with personally identifying information had been accessed.
‘I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will,’ said Smith.
The FTC published a blog post on Friday with information about the Equifax data breach along with steps for consumers to follow to find out if they had their information stolen. The FTC suggestions finding out if their information was stolen first, and then checking their credit reports, putting a credit freeze on their files, monitoring their credit card and bank accounts, and filing taxes early.
Investors are clearly not happy about the data breach. On Wednesday, September 6, Equifax stock was valued at $141.68. By Friday, September 8 at 7:56 PM Eastern, stock had dropped to $123.23.
In January, we reported on Equifax and TransUnion who were ordered to pay $23.1 million by the U.S. Consumer Financial Protection Bureau (CFPB) for deceiving consumers and overselling the value of their products, duping them into subscribing to their credit products. For Equifax, the violations occurred between July 2011 and March 2014. According to CFPB, the two credit reporting companies auto-enrolled consumers in subscription programs that cost about $192 a year. This ‘negative option’ billing structure was not clearly or conspicuously disclosed to consumers, said CFPB.
‘TransUnion and Equifax deceived consumers about the usefulness of the credit scores they marketed, and lured consumers into expensive recurring payments with false promises,’ said CFPB Director Richard Cordray. ‘Credit scores are central to a consumer’s financial life and people deserve honest and accurate information about them.’
While researching the story, I entered my information (last name and last six digits of my social security number), clicked on ‘Check Potential Impact’ and received this message, indicating that my data might have been among the information breached:
I clicked on Enroll and was given this message. According to Equifax, I have to go back to the site on September 11 to complete my enrollment. The enrollment period for the free one-year monitoring ends on November 21, 2017.
I found the special website difficult to navigate, having to click on multiple links and boxes to determine if I had been affected. The website contained a lot of text, a lot of tabs, subpages and pop-up boxes that might be challenging to someone who isn’t tech savvy or patient.
The site did have a good FAQ section though, and I appreciate that they explained why there was a delay between the time the incident was discovered and the time it was disclosed the public. As a consumer, I think five weeks is too long of a lag time for notification. Equifax was not transparent soon enough in my book.
I also have concerns about the ‘free one-year’ monitoring, free credit report, etc. based on Equifax’s past history of violations. This may, indeed, be a generous and legitimate offer, but I am not inclined to enroll. First, I have to be proactive in going back to Equifax to sign up (why couldn’t I sign up immediately?), and second, I won’t do it if I have to provide credit card or banking information based on the company’s history. If the service is, indeed, free, they shouldn’t need that information until next fall.