Consumer credit reporting agency Equifax announced late Thursday hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143 million consumers. The data that was accessed included consumers' names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. The incident may have also compromised credit card numbers for 209,000 U.S. consumers, as well as other "dispute documents" that contained identifying information for 182,000 consumers.
According to Equifax, the unauthorized access began in mid-May and continued through July of this year. The company discovered the intrusion July 29. A forensic investigation from a hired third-party cybersecurity company also found some residents of the U.K. and Canada may have been affected as well.
In a brief video, Equifax Chairman and CEO Rick Smith announced the news and the steps the company is taking in its breach response, saying the company "acted immediately to stop the intrusion" and that it is currently working with authorities.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," he said. Smith said Equifax's first priority is to support consumers. "To that end," he announced, "we're taking an unprecedented step of offering every U.S. consumer in the country a comprehensive package of identity theft protection and credit monitoring at no cost."
Equifax is calling the new offering TrustedID Premier.
While it's unknown how many consumers will take Equifax up on its offer, the company's current "Premier" credit monitoring and identity-protection package costs $19.95 a month. Considering the U.S. Census 2016 report that there are 249,454,440 U.S. residents over the age of 18, the company is potentially offering up just under $60 billion worth of services.
The company has also opened up a call center and launched a website to help consumers determine whether their data was affected and to sign up for credit monitoring and identity theft protection. Additionally, Equifax plans to notify consumers whose data was compromised.
The U.S. Federal Trade Commission and the National Cyber Security Alliance are also pointing consumers to Equifax's website, along with suggesting remedial steps consumers can take for their protection. James Dipple-Johnstone, the deputy commissioner for the U.K.'s Information Commissioner's Office, responded to news that some U.K. citizens were affected, saying, "We are already in direct contact with Equifax to establish the facts including how many people in the U.K. have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected U.K. customers at the earliest opportunity."
Though data breaches — even ones affecting millions of consumers — have become common in recent years, the nature of the Equifax incident, along with its place in the data and consumer credit monitoring ecosystem, has created a firestorm of media coverage, prompting some to ask if this will be a catalyst for a federal breach notification law.
"Yes, this does seem different, although it's not clear how much that will matter," said Wiley Rein Partner Kirk Nahra, CIPP/US, in an emailed response to The Privacy Advisor. "You can certainly debate the purpose of a national breach law, with the volume of state laws, but this one 'should' be a tipping point (although we seem to say that every year or so)."
He also suggested notice and credit monitoring are becoming less effective. "Just about everyone has been impacted by some breach. Tracing any impact to a specific breach will get harder and harder, and really hasn't been tested in litigation yet," he wrote, adding, "We spend most of the time in cases so far looking at whether there is any realistic allegation of actual injury, just to get a case started. The real proof issues are all after that threshold, and almost no case has gone into any of that yet."
"This reinforces the need for privacy and security by design," Alexandra Ross, CIPP/E, CIPP/US, CIPM, CIPT, senior global privacy and data security counsel at Autodesk, said in comments to The Privacy Advisor. Further, "Companies may be focusing primarily on preventing and investigating a security incident. How are companies planning for and staffing for this crucial [response] stage of a data breach? How do you determine what stakeholders should be involved — legal, PR, security, executives — as well as the timing and content of notices, and what the consumer impact and reaction might be?"
Though Equifax says it has taken steps to guide consumers, Fast Company reported Thursday that the company's customer service employees were allegedly not informed of the breach after the announcement had been publicly made. And there are criticisms the tool consumers can use to determine whether they were affected does not clearly indicate to consumers whether they were part of the incident. Motherboard details yesterday's responses and the lack of clarity around who was affected and when to enroll in TrustedID Premier.
According to Ars Technica, the www.equifaxsecurity2017.com website used to notify consumers of the breach runs on a "stock installation of WordPress ... a system that doesn't provide the enterprise-grade security required for a site that asks people to provide" sensitive data, such as name and last six digits of their Social Security number. To pile on, the site's domain name is not registered to Equifax, prompting Cisco-owned OpenDNS to block access to the site, warning of a suspected phishing threat.
Jessica Rich, vice president of consumer policy at Consumer Reports and former director of the FTC's Bureau of Consumer Protection, said, "While it's fine that Equifax is offering consumers free credit card monitoring, that's just a Band-Aid. Companies need to take data security much more seriously so these breaches don't happen in the first place. That's why we need stronger data security laws with tougher penalties."
And some have called into question the nature of the help Equifax is offering, pointing out that consumers may be giving up some rights to sue the company if they sign up for its credit monitoring service. As of Friday, the company did offer an opt-out provision, but consumers must do so in writing within 30 days of accepting the service, a practice the U.S. Consumer Financial Protection Bureau has pushed back against.
In more bad public relations news for the company, Bloomberg reported that at least three top executives at Equifax — including its chief financial officer — sold nearly $1.8 million in company shares just three days after the company discovered the intrusion on July 29. According to Equifax, however, the three executives in question had not been told of the breach at that point.
Sen. Mark Warner, D-Virg., said the incident raises national security concerns and whether Congress needs to reconsider data protection policy. "It's no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans."
As of the time this article went to press, Equifax's stock price is down 13 percent.