Equifax’s rapid growth probably added to its hacking risk, experts say

Credit: Johnny Crawford

Credit: Johnny Crawford

Until a dozen years ago, Equifax Corp. quietly made most of its money helping banks and other lenders figure out which U.S. customers were a safe bet for a mortgage, auto loan or credit card.

Then Richard Smith was hired on as the Atlanta company’s new chief executive in 2005.

The former General Electric executive quickly embarked on a plan to rev up Equifax’s growth.

These days, thanks partly to a string of acquisitions in the U.S. and around the globe, Equifax is now a much bigger and more complicated company. It reaches into all kinds of places that people might not suspect, with a much deeper hold on the personal and financial data of hundreds of millions of folks.

Equifax not only knows when someone is missing payments on his or her auto loan or mortgage. The company most likely also knows that person’s immigration status, income, amount of wealth, assets, bank balances, current and past addresses, employer, rental history, utility bills and spending habits.

Equifax also aids various government agencies when people want to sign up for Social Security benefits, health insurance under so-called Obamacare, or to get a security clearance for a sensitive federal job.

The company even helps businesses to cash in on job tax credits tied to their hiring, such as under the federal welfare-to-work program or state economic incentive programs.

“It’s a disturbing amount of information Equifax has on you,” said Keith Snyder, an industry analyst at CFRA Research, an investment information firm. “They actually have a pretty good picture of your spending habits, where you spend, what you spend on. They’ve really branched out beyond providing credit scores.”

That massive collection of financial and personal data — plus a string of acquisitions around the globe — have propelled Equifax to become among the largest private credit-tracking firms in the world, with $3.1 billion in revenues last year — 2.5 times bigger than it was in 2004, the year before Smith was named CEO.

The company’s size has doubled by other measures as well, with operations in 24 countries and 9,500 employees, including 2,385 in metro Atlanta.

Growing risk

Recently, that growth also may have helped land Equifax in hot water.

Some industry experts say the company’s constant push to add on new acquisitions and more products based on an ever bigger and wider assortment of peoples’ private data may be partly to blame for a massive data breach.

The company recently disclosed that hackers stole the personal data of 143 million people in the United States, including Social Security numbers, names, addresses, dates of birth and driver's license numbers. In the breach, which Equifax discovered in late July and disclosed on Sept. 7, the thieves also got credit card numbers for a smaller number of people. Similar information was exposed for international consumers.

An earlier hacking incident in March involving U.S. consumers came to light Monday as well. Both incidents were investigated by security firm Mandiant, Equifax said in a statement. Equifax said the March data breach “is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related.”

Equifax said it informed the affected people at the time of the March attack, and some publications covering security issues reported it then.

Equifax said in its recent disclosure that hackers didn't get into its core credit databases. The company has offered free credit freezes and other protections.

Otherwise, Equifax officials did not respond to questions from The Atlanta Journal-Constitution for this story.

Equifax, Experian and TransUnion grew into the three biggest U.S. credit bureaus in the 1970s and ’80s by buying up smaller firms in what was then a highly fragmented industry.

But Equifax’s growth shifted into a higher gear more recently as it bought up new types of data companies and overseas firms. In 2016, it purchased Australian firm Veda Group for $1.7 billion. Before that, it bought TDX Group in the United Kingdom for $323 million.

Another big deal was its 2007 purchase of Talx Corp., which added a treasure chest of employment records. Its Worforce Solutions unit, which provides employee screening and other services, has been its fastest-growing business, with $703 million in revenue last year, up 84 percent in five years.

Equifax has done 14 acquisitions since 2009, according to Crunchbase.com.

Equifax has been seeking new market territories through such deals, said Snyder.

But the acquisitions also add to its trove of data on hundreds of millions of people around the globe. By connecting the dots between its growing number of data sources, that allows the company to come up with more and more products to sell to banks, insurance companies, retailers, government clients and others.

For instance, a bank might combine Equifax’s data on incomes and net worth with its own checking account information to figure out which of its customers might be good prospects for its wealth management services. Equifax also offers to do such analysis itself.

“The more information you hold on people, the more valuable you are,” said Snyder.

But the flip side of all this growth and expansive data reach, say experts, is higher risk that hackers will break through the company’s defenses and get away with a virtual supermarket of damaging information on hundreds of millions of people.

Protections may be lacking

Heading off such risks is daunting.

Companies need to get the technical details of security right, said Christopher Hart, a Boston lawyer with FoleyHoag, who works on cyber security cases for companies and other clients.

But equally important, management needs to be focused on “risk management from top to bottom,” he said. Employees need to be well-trained to build and maintain secure systems and to avoid rookie mistakes like opening “phishing” emails from hackers or using weak passwords that thieves can easily guess.

“I think when a company grows fast, any one of those components can get lost in the shuffle,” said Hart.

According to some news reports, after Equifax’s hacking disclosure, a security consultant tapped into personal employee information and consumer complaint records on the company’s website in Argentina by typing in a generic username and password, “admin,” short for “administrator.”

Equifax shut the site down.

Keeping a company secure from hackers also gets more complex as the firm gets bigger, with more units and products.

Even vetting and installing so-called “patches” to fix security holes or other glitches in software gets more difficult as the enterprise grows.

“The failure to install patches is one of the greatest reasons for security breaches,” said Hart, but not only with fast-growing companies. “A lot of times, breaches happen because people fail to install the patch,” he said. “It’s not uncommon.”

Earlier this month, Equifax and a software developer, Apache Software Foundation, blamed each other for a software fault that allowed the recent massive data theft.

Equifax said hackers breached a vulnerable spot in a website application called Apache Struts from mid-May to late July, when the invasion was discovered.

But Apache said it released a patch in March to fix the problem.

Credit bureaus have long been one of hackers’ favorite targets because they have so much key data on everyone. But Equifax’s ever bigger array of data and analytical products combining different bits of data makes it even more attractive, and harder to defend.

“Any time you have more data in more hands and you are using it in more ways, there’s more risk,” said Hart.

Equifax’s credit profile

Founded: 1899

Products: Financial data services such as credit profiles, identity verification, fraud alerts

Customers: Banks and other lenders, consumers, employers, government agencies, communications firms, retailers, healthcare, insurance

Headquarters: Midtown Atlanta

Employees: 9,500 (2,385 in metro Atlanta)

2016 revenue: $3.1 billion

2016 profit: $489 million

CEO: Richard Smith, since 2005

Footprint: Operations in 24 countries


AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.