A year after hackers broke into Equifax’s network and stole the personal information of 148 million Americans, a report by a consumer watchdog group is lambasting the credit reporting agency for not addressing its vulnerabilities earlier and for botching its response to the unprecedented breach.
Moreover, the report — issued Thursday by the U.S. Public Interest Research Group and the National Consumer Law Center — criticized lawmakers and regulators for not holding the Atlanta-based company accountable for its failures.
“Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.
Equifax officials, however, are touting their efforts to shore up data defense and say the agency is offering more ways for consumers to protect themselves, with free credit freezes and locks that seal credit reports and prevent thieves from opening lines of credit in a consumer’s name, and notifications when credit lines are established.
“In the past year, we have undertaken a host of security, operational and technological improvements,” a written statement from the company said. “In fact, in 2018 alone, we will increase our investment in security and technology by more than $200 million.”
Critics say those efforts are overdue.
It was a year ago today that Equifax announced a massive breach of the data it held. The cause was “Equifax’s carelessness,” Litt said. “This may not have been the biggest breach ever, but it’s the worst.”
That exposure – unprecedented in scope and magnitude – gave thieves the chance to steal millions of identities and possibly lure consumers into costly scams.
Still, the report says, the sins of Equifax started long before the breach was announced. “Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability,” it asserts.
Even after realizing the data had been accessed, the company was slow to let the public know of the hacking, the report says.
Then, to make matters worse, the company botched its response, the report says, by setting up flawed assistance online, understaffing its call center and – at first – compelling aggrieved consumers to sign away their right to sue.
Equifax this week declined a request from The Atlanta Journal-Constitution for an interview, issuing a written statement instead. The company did not respond specifically to the report, but said protecting data is its “top priority.”
“We recognize that cybersecurity impacts not just us, but the entire industry. We are committed to collaborating with our peers, customers and partners to find solutions for emerging security challenges, create collective perspectives, document best practices and work together to deliver solutions that benefit the security community and ultimately consumers,” the statement said.
Meanwhile, the company has been hit with a class action suit. And in the wake of the hack, the company named new executives to manage security and technology, as well as a new chief executive to replace Richard Smith.
Smith, who decided to retire several weeks after announcement of the breach, was grilled before Congress in a set of contentious hearings. But he walked away with a package estimated to be worth more than $48 million.
George Avetisov, CEO of HYPR, a data security company, said Equifax has played into the desire of hackers.
“When you look at all the big breaches - from LinkedIn to Yahoo, Home Depot and Equifax - they all have one thing in common,” he said. “It's not how the hackers get in, but what they're going after.”
Centralized data is too tempting a target, Avetisov said. “Centralized credential stores, like the one at Equifax, are an example of storing all your eggs in one basket.”
Despite the public vitriol and the money spent on better processes, the data world is not that different a year later, said Humayun Zafar, a professor at Kennesaw State’s Center for Information Security Education.
“What I’ve not seen from Equifax is a marked change in their cybersecurity culture, post breach,” he said. “Without a shift in culture, a lot more breaches will continue to occur.”
It’s not all the fault of Equifax – consumers need more education, he said. “I think, from a consumer perspective, not much has changed. A majority of the general public may not understand what information of theirs is in the public domain and needs to be protected to begin with.”
And, however aggressive the Equifax defense might become, sooner or later, there will be other stories about data theft and manipulation, he said.
“Companies and individuals need to understand that cybersecurity is not a static issue,” Zafar said. “The threats will evolve.”