In case you missed it yesterday, Equifax revealed that a failure in the credit reporting agency’s security exposed the personal information of 143 million U.S. consumers to “criminals” in a massive data breach.
According to the company, the names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, of approximately 143 million consumers were potentially stolen by the hackers.
The company also said that the credit card numbers of approximately 209,000 U.S. consumers, and “certain dispute documents with personal identifying information” for approximately 182,000 U.S. consumers, were also accessed in the breach.
By sheer numbers, this isn’t the biggest data breach in history. Yahoo takes the catastrophic crown in that category. As CNN notes, last year, Yahoo said that data from at least 500 million accounts had been stolen. Then, just a few months later, Yahoo revealed a second breach that hit more than a billion accounts.
While this may not be the biggest data breach ever, it is the worst. Worse than Yahoo, worse than Target, worse than Home Depot, worse than Experian, or anything else – and Equifax’s punishment should fit the crime.
That’s right. I said Equifax’s punishment.
I know that technically Equifax was the victim of the data breach. It was the company’s systems that were compromised by hackers. And I hope that the perpetrators of this crime are found and punished appropriately.
But the real victims are the 143 million people whose information was exposed. And because Equifax failed to keep their information safe, the company should be punished appropriately, too.
As far as I’m concerned, Equifax failed spectacularly at its only job: protecting the personal information of hundreds of millions of Americans.
The company failed at the one thing it absolutely must be good at.
It failed in appalling and disastrous fashion.
This is far different than Target or Home Depot, when it was the company’s customers’ credit card data that was stolen.
Consumers have almost no control over what personal data Equifax, and the other credit reporting agencies, collect and store about them.
The credit reporting agencies have everything on you: Your name, your address, your phone number, your Social Security number, your driver’s license number, a list of every place you’ve ever lived, a list of every debt you’ve ever had, and the details on every one of those debts, including your entire payment history on damn near every account you’ve ever had with any company you’ve ever had an account with.
But here’s why Equifax’s data breach is worse than any of those other companies: The people whose data was stolen were not Equifax’s customers. They were its product.
Credit card companies, lenders, and other financial services companies use that data to determine whether you’ll get a mortgage, a credit card, a car loan, and a million other things.
We are Equifax’s product, not its customers, as many others noted. We don’t pay them to house all our personal data. We do get the privilege of paying them to give that data to us though.
Equifax houses the highly sensitive personal data of hundreds of millions of Americans, and we have very little control over where they get that data from or what they do with it. They make money off it and there’s nothing we can do about it.
Sure, you can get your credit report once a year for free. But if you want it more than that, you have to pay them for it. And if that credit report happens to show an incorrect item (as they so often do), it’s on you to fight with Equifax, TransUnion, or Experian to get that item deleted. The burden is on you to prove that the credit item is wrong.
THEY HAVE EVERYTHING. And Equifax failed to keep it safe.
The company can try all the damage control it wants. The cat is out of the bag. Pandora’s Box is very much open and the damage is already done.
The personal information of nearly half of the people in this country is already out there in some form or fashion. Somewhere on the dark web, the names, Social Security numbers, birth dates, and addresses of 143 million people are probably available for sale right now.
How many of those people are going to have to deal with credit issues for the next five years? How many fake credit cards are those people going to have taken out in their name? How many times will they have to fight with Equifax, TransUnion, or Experian about some random account that showed up on their credit file? Will it impact their ability to buy a home? Or buy a car? Or get an apartment?
And for that, I’m not so sure Equifax doesn’t deserve to lose its place as one of the big three credit reporting agencies.
Should the Consumer Financial Protection Bureau, the Federal Trade Commission, and any other governmental agency wipe Equifax from the earth? Maybe.
At this point, I think it depends on how Equifax handles this, and early returns are that the company is screwing up its response to the data breach just as much as it screwed up by exposing people’s data in the first place.
First off, the company found out about the breach in late July, but didn’t tell people about it until September 7 – more than a month after the breach was discovered.
But as Bloomberg reported Thursday evening, three of the company’s executives dumped their stock in the meantime.
The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
The company claims that the executives didn’t know about the breach at the time, but the timing is…shall we say…coincidental.
And then there’s the company’s response to the affected consumers.
The company set up a separate website with details of the breach and a section where people can see if their data was part of the breach or not.
But to find out if you were affected, YOU HAVE TO PROVIDE THEM WITH MORE PERSONAL INFORMATION.
Ah yes, company that just exposed all my personal information to the entire world, please let me hand over more personal information because I certainly trust you to keep it safe now.
To check to see if you were part of the breach, you only have to provide them with your last name and the last SIX digits of your Social Security number.
Then, you get a message that you either were or were not affected by the breach.
And if you’re on the unfortunate side of that equation, Equifax is offering you some credit protection and monitoring, specifically:
The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.
But, to sign up for the service, you have to give Equifax even more personal information, including your full name, address, phone number, full Social Security number, and more.
After that, you may eventually get an email asking for EVEN MORE personal information to verify your identity. It would be funny if it wasn’t so freaking sad.
And as CNN points out, Equifax’s offer to the affected consumers isn’t nearly as magnanimous as it appears.
First, the credit reporting services don’t start immediately. They don’t kick in until Monday, at the earliest.
And it gets worse.
You are giving up some of your rights to sue. If you get the credit monitoring, you must agree to submit any complaints against Equifax's monitoring service, TrustedID, to arbitration. You can't sue on your own behalf, and you can't join a class-action case or benefit from any class-action settlement.
The article notes that consumers may still be able to sue Equifax for the breach itself, and that’s just what some people are already doing.
Bloomberg reported Friday that a proposed class action lawsuit over the breach is already in motion. According to the article, the proposed class is seeking as much as $70 billion in damages.
The FTC also posted a bulletin Friday with some things that the affected consumers can do in the wake of the breach, but it’s all just basically window dressing. Check your credit. Sure. Monitor your credit cards. Great. Take Equifax up on their credit monitoring offer. Awesome.
I can’t wait to fork over more sensitive information to them. What a joke.
Equifax failed. And it should be punished swiftly and severely for it. Anything less than that would be a massive injustice to those 143 million people and every other American.