Don't Bet the Business

On Sept. 7, Equifax Inc. announced a breach by hackers affecting as many as 143 million consumers. 

The information impacted by the breach is as sensitive as personally identifiable information gets – names, Social Security numbers, birth dates, addresses, and driver’s license numbers (among other information, including credit card data in some instances). 

While data breaches are nothing new, the Equifax breach is particularly alarming given its size, scope of data impacted, as well as the credit reporting role Equifax plays in the United States, and even globally. While industry experts, regulators, and effected consumers pick up the pieces, it remains to be seen how the world of privacy will change in its aftermath. 

As one of the “big three” consumer credit reporting agencies, Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. The vast amount of data held by Equifax made it an obvious target for hackers. 

Reports vary, but some believe that the breach may impact as many as 55 percent of adult Americans. While the breach was announced last month, the intrusion was discovered internally on July 29, 2017 – raising question of whether the disclosure should have been swifter – one of the many questions that federal and state regulators are investigating and an issue that has been widely criticized in the media.    

Given the volume and sensitivity of the consumer data it holds, lawmakers and regulators, including the Consumer Financial Protection Bureau and the Federal Trade Commission, are also scrutinizing whether Equifax’s cyber-security systems were adequate. Many, including Massachusetts Attorney General Maura Healy, believe they were not, prompting the filing of the nation’s first enforcement action against Equifax for violating state consumer protection laws. 

While Healy may be leading the charge, more than 40 other state attorneys general are investigating the cyber-attack and some have hinted similar courses of action. Lawmakers aren’t alone as numerous class action lawsuits were promptly filed, the first of which was in Portland, Oregon where plaintiffs are seeking damages up to $70 billion. 

As details for the breach trickle out, there’s reason to be concerned about the overall robustness of cybersecurity, or lack thereof. Equifax CEO Richard Smith, who resigned on Sept. 26 (joining other senior managers departing in the wake of the breach), testified before the U.S. House Committee on Energy and Commerce on Oct. 3. His testimony revealed that Equifax was notified by the Department of Homeland Security in March 2017 of the need to patch a vulnerability in software related to an online dispute portal. The responsible security team was notified but the patch was never applied. Shortly thereafter, a security scan was run but failed to detect the continuing vulnerability. It appears that hackers first accessed the data, which was not encrypted at rest, on May 13 yet Equifax did not detect “suspicious activity” until July 29. 

In an unrelated incident, a week after Equifax’s disclosure of the breach, it was learned that an online employee tool used in Equifax’s Argentina operations could be accessed by typing “admin” as both a login and password (although no breach has been tied to this insecurity). Collectively, red flags are being raised as to why one of the largest credit reporting agencies was so exposed.

The congressional inquiries certainly suggest that stricter regulation may be in store for Equifax and other consumer credit reporting agencies, which are largely for-profit entities. Stricter regulation, if it comes, will likely address protection of consumers – who no control of their information in a breach like this. 

To this end, Equifax has already proposed a consumer’s ability to freeze and unfreeze their credit at will for free. The privacy industry is also speculating that this breach could be the impetus for broad-form federal privacy legislation, which is currently a patchwork of industry based regulation at the federal and state levels. 

Regardless of the outcome, this is a stark reminder that cybersecurity should be top of mind for businesses and consumers alike.