A year after the worst data breach in U.S. history to date, Atlanta-based Equifax has been chastened, but its business model is unchanged and the company churns on, virtually undamaged by legislative, regulatory or prosecutorial penalties.
It was a year ago that the company noticed the first signs of historic trouble – hackers had slipped through the Atlanta company’s cyber defenses into the heart of the company’s data.
Worse, the intrusion had apparently been going on for some time.
Worse than that, the information accessed was more personal information about more Americans than in virtually any previous major data breach: Information on more than 147 million Americans was accessed – although the scope of the theft was not clear at first.
In fact, it took until early September for the company to reveal there had been any hacking at all.
Once the word was out, there was a firestorm of anger and investigations which have thus far led to Congressional hearings, lawsuits against the company, charges of insider trading against two former executives and the departure of some higher ranking executives.
Equifax did agree to a consent order with regulators from eight states, including Georgia, that required the company to report on how it is improving security and to submit to reviews of its practices.
But thus far, no financial punishment has been imposed on Equifax itself.
Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company.
And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax.
This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars.
But the company is certainly not unchanged.
CEO Rick Smith retired prematurely, as did several other top officials. A new CEO was named, as was a new chief information security officer, Jamil Farshchi, who told Wired magazine that the company has invested $200 million on data security infrastructure.
Meanwhile, most consumers whose data might have been stolen do not know if that information is being used against them, and many have done little to protect themselves. There is also a sizeable group of consumers who don’t even know that the data breach happened.
According to LendEDU, a New Jersey-based personal finance web site, a survey showed that about 27 percent of Americans did not know about the Equifax breach. Of the majority that do know, more than one-third of them have not checked to see if they were affected.
The number of complaints against Equifax more than doubled in the year since the breach, compared to the year before, according to an analysis of the Consumer Financer Protection Bureau’s data by LendEDU.
But overall, the public urge for punishment seems to have abated a little. After the breach was announced, the LendEDU survey found that 54 percent of respondents thought the company should be banned from the credit bureau business. That attitude is now held by 46 percent of respondents, said LendEDU.
After the stock market closed Wednesday, the company reported earnings.
Net income was $144.8 million, 12 percent lower than a year ago.
“We delivered solid results while continuing to make strong progress on our data security, IT, and consumer transformation,” said Mark Begor, CEO, in a written statement.
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.