Credit card reporting agency Equifax was hacked this summer, and we’re just now finding out about it.
The attack, which is the third major cybersecurity threat for the agency since 2015, reportedly exposed personal information – including Social Security numbers – of an estimated 143 million people.
Lenders rely on data collected by credit bureaus like Equifax to make decisions about financing and loans, and employers sometimes conduct credit checks before they hire.
Along with TransUnion and Experian, Equifax is one of the largest credit agencies in America.
“Credit bureaus keep so much data about us that affects almost everything we do,” explains Gartner security analyst Avivah Litan. “On a scale of 1 to 10, this is a 10 in terms of potential identity theft.”
The hackers reportedly exploited a website application to gain access to files between May and July. Equifax learned of the breach in late July but didn’t warn consumers until last week. The company has not explained why it waited six weeks to announce the breach.
Exposed data includes names, addresses, birthdays, and driver’s license numbers. This is more than “enough for crooks to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives,” reports Newsmax.
Equifax has also confirmed that credit card numbers for 209,000 Americans were stolen, as were personal documents used in disputes for 182,000 people.
According to the Equifax website, the company handles data on over 820 million people, over 90 million businesses, and manages a database containing employee information from over 7,000 employers. Equifax operates in 24 countries.
“This is about as bad as it gets,” says Pamela Dixon of the World Privacy Forum. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50%.”
The Equifax hack follows the now-infamous WannaCrypt ransomware attack in May and the cyberattack on HBO in August. It will not affect as many people as the Yahoo breaches of 2013 and 2014, but it may be the largest theft involving Social Security numbers and driver’s license information.
Any data breach threatens to undermine a company’s reputation and credibility, but it is especially bad for Equifax, whose entire business model focuses on providing a clear financial profile of customers to clients.
“It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does,” says Litan.
On top of this is news that three top execs sold a combined $1.8 million in shares shortly after the company was hacked, but before Equifax announced the incident. The executives reportedly “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Equifax stock has dropped 13% since the announcement. The company has offered one free year of protection for consumers, but this falls short of what people really need, because their information is still out there to be bought and sold by hackers.
The scope of this attack and its impact on the privacy of American citizens raises serious questions about whether lawmakers need to rethink data protection policies.
“It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit – represents a real threat to the economic security of Americans,” says Senator Mark Warner (D-VA), founder of the Senate Cybersecurity Caucus.
We should call on Congress to allow citizens to demand that companies like Equifax remove our information from their databases and to delete old data that has expired.
Editor’s note: The blow to privacy in America is unfathomable, yet Equifax will not only not be punished here. Equifax is pushing their own credit protection services (offering them for free at first), and may indeed be selling the solution for a problem they caused themselves.
It would not hurt my feelings if someone would file a class action suit, and take this company down (along with TransUnion and Experian). But it won’t happen…