A year later, Equifax slammed while boasting of change

Learn more about the Equifax data breach with the AJC's online "5 things to know" video series.

A year after hackers broke into Equifax’s network and stole the personal information of 148 million Americans, a report by a consumer watchdog group is lambasting the credit reporting agency for not addressing its vulnerabilities earlier and for botching its response to the unprecedented breach.

Moreover, the report  — issued Thursday by the U.S. Public Interest Research Group and the National Consumer Law Center — criticized lawmakers and regulators for not holding the Atlanta-based company accountable for its failures.

“Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.

Equifax officials, however, are touting their efforts to shore up data defense and say the agency is offering more ways for consumers to protect themselves, with free credit freezes and locks that seal credit reports and prevent thieves from opening lines of credit in a consumer’s name and notifications when credit lines are establish.

“In the past year, we have undertaken a host of security, operational and technological improvements,” a written statement from the company said. “In fact, in 2018 alone, we will increase our investment in security and technology by more than $200 million.”

Equifax on Thursday agreed to a deal with eight states’ regulators on improving its data security. (Dreamstime)

icon to expand image

Critics say those efforts are overdue.

It was a year ago today that Equifax announced a massive breach of the data it held. The cause was "Equifax's carelessness," Litt said. "This may not have been the biggest breach ever, but it's the worst."

That exposure – unprecedented in scope and magnitude – gave thieves the chance to steal millions of identities and possibly lure consumers into costly scams.

Still, the report says, the sins of Equifax started long before the breach was announced. "Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability," it asserts.

Even after realizing the data had been accessed, the company was slow to let the public know of the hacking, the report says.

Then, to make matters worse, the company botched its response, the report says, by setting up flawed assistance online, understaffing its call center and – at first – compelling aggrieved consumers to sign away their right to sue.

Equifax this week declined a request from The Atlanta Journal-Constitution for an interview, issuing a written statement instead. The company did not respond specifically to the report, but said protecting data is its “top priority.”

“We recognize that cybersecurity impacts not just us, but the entire industry. We are committed to collaborating with our peers, customers and partners to find solutions for emerging security challenges, create collective perspectives, document best practices and work together to deliver solutions that benefit the security community and ultimately consumers,” the statement said.

Rick Smith, Equifax’s former chief executive, retired from the company shortly after the data breach was announced, albeit with a large package.

icon to expand image

Meanwhile, the company has been hit with a class action suit. And in the wake of the hack, the company named new executives to manage security and technology, as well as a new chief executive to replace Richard Smith.

Smith, who decided to retire several weeks after announcement of the breach, was grilled before Congress in a set of contentious hearings. But he walked away with a package estimated to be worth more than $48 million.

George Avetisov, CEO of HYPR, a data security company, said the company has played into the desire of hackers.

“When you look at all the big breaches - from LinkedIn to Yahoo, Home Depot and Equifax - they all have one thing in common,” he said. “It's not how the hackers get in, but what they're going after.”

Centralized data is too tempting a target, Avetisov said. "Centralized credential stores, like the one at Equifax, are an example of storing all your eggs in one basket.”

Despite the public vitriol and the money spent on better processes, the data world is not that different a year later, said Humayun Zafar, a professor at Kennesaw State’s Center for Information Security Education.

“What I’ve not seen from Equifax is a marked change in their cybersecurity culture, post breach,” he said. “Without a shift in culture, a lot more breaches will continue to occur.”

It's not all the fault of Equifax – consumers need more education, he said. "I think, from a consumer perspective, not much has changed. A majority of the general public may not understand what information of theirs is in the public domain and needs to be protected to begin with."

And, however aggressive the Equifax defense might become, sooner or later, there will be other stories about data theft and manipulation, he said.

“Companies and individuals need to understand that cybersecurity is not a static issue,” Zafar said. “The threats will evolve.”

Equifax has been sued by 46 banks and credit unions who argue that the massive breach of Equifax data caused them to spend money protecting their own customers. (AP Photo/Elise Amendola)

icon to expand image


More details

In the year since Equifax announced a massive security breach:

  • the company's chief executive and several other executives have resigned.
  • a class-action lawsuit was filed.
  • two former Equifax executives were indicted for alleged insider trading of stock before the breach was made public.
  • Eight states reached an agreement with Equifax requiring the company to improve data security.
  • Congress passed a law requiring companies to provide credit freezes for free, starting Sept. 21, 2018.
  • Equifax stock has rebounded after plummeting and now stands about 6 percent below its level of a year ago.

Sources: U.S. Public Interest Research Group Education Fund, National Consumer Law Center, Equifax.

Personal information accessed in Equifax breach

Names and birthdates: 146.6 million

Social Security numbers: 145.5 million

Addresses: 99 million

Phone numbers: 20.3 million

Driver’s license numbers: 16.6 million

Credit card numbers and expiration dates: 209,000

Sources: U.S. Public Interest Research Group Education Fund, National Consumer Law Center