A year after one of America’s Big Three credit reporting agencies exposed their customer’s most sensitive personal information to hackers – thieves who made off with millions of consumer profiles – you might have expected news that legal judgments were holding the irresponsible company accountable.
But that didn’t happen. The company in question is Equifax. As I reported in late 2017, my data, along with that of 143 million other Americans, was put into the hands of some never-identified cyberpunks who bypassed the online security systems Equifax had on their system.
Equifax sat on the horrifying news of the hack for a full month after their employees found out about it and failed to share it with the general public, their customers, half of whom had just had their identity information stolen by individuals still unidentified and at large.
This gave executives time to sell almost $2 million in shares before news broke about their major transgression.
Anyone who has checked, updated, or disputed their credit score knows that all credit reporting companies keep our names, Social Security numbers, birth dates, addresses, and even driver’s license numbers.
That is exactly the information stolen from almost 150 million trusting Americans. I reacted to the Equifax cyber-theft by setting up free freezes (not holds) with all three of the credit reporting companies. Victims of cybertheft with documentation can get a waiver of the freeze/unfreeze fees imposed by – you guessed it – the major credit reporting agencies.
In the 2017 “incident,” (as Equifax spun it), “credit card numbers for approximately 209,000 U.S. consumers…were accessed,” I informed you all.
In the fall of 2017, Equifax was bad news. They had been careless and admitted guilt.
The FBI reviewed the Equifax cyber-hack (and took no action). Equifax stock plunged one-third of its value within a week.
After the dust had settled a bit, Equifax “first insisted that customers waive their right to a class-action lawsuit before accepting any credit protection; after an outcry, it backed down.”
Equifax then offered their impacted customers one year of free credit monitoring via a service they called TrustedID Premier.
Yet, one year after Equifax ate humble pie about failing to provide adequate security for their customer’s top-secret data, everyone seemed to have forgotten that the severity of this crime – which continues to allow the thieves to hijack the identities of any of those millions of people whose complete personal identification and banking information they stole.
Equifax had rallied. The credit reporting company reported record profits and a revival in their stock share price – almost a 90 percent recovery from the Dreadful Week’s losses. CEO Richard Smith stepped down and collected his full $90 million package. No U.S. federal agency had – or has – ever punished the errant company.
This remarkable recovery from such an embarrassing scandal that rocked the financial world was due in large part to the fact that Equifax executives would never face criminal prosecution because they didn’t see the “incident” coming:
“Even though their incompetence and foot-dragging compromised the security of over 140 million Americans, they’re beyond the reach of criminal law. Sure, Equifax may face class action suits and an FTC investigation, but the worst that can happen to individual executives is they will have to resign (two already have) — probably with a tidy payout on their way out.”
Equifax saved untold amounts of money by not having to pay out any criminal damages. This buoyed stakeholder confidence.
But much more alarming is that Equifax experienced no customer flight from the half of the U.S. population whose sensitive personal information was seized, after they found out about the massive data loss. Furthermore, Congressional hearings have made no significant changes to federal laws that protect our data online.
In December 2018, the U.S. House Oversight and Government Reform Committee released its final report on the Equifax data breach. It wasn’t kind. Equifax had failed “to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
On January 31, 2019, the free year of credit monitoring service from Equifax expired. Now, consumers are on their own in setting up ongoing identity theft protection measures.
In late-breaking news, on February 25, 2019, the U.S. House Financial Services Committee, chaired by the outspoken career Democrat Maxine Waters, announced that the heads of Equifax, Experian, and TransUnion will testify before them, a year and a half after the Equifax hack.
The House Financial Services Committee has introduced two bills targeting reform among all credit bureaus to ensure that consumer rights are protected.
For once, GOP congressional leadership may transcend bi-partisanship over this vital issue. On January 28, Republican Senator and Chairman of the Senate Banking Committee Mark Crapo of Idaho wrote that he intends to “explore legislative solutions that would give consumers more control over and enhance the protection of consumer financial data, and ensure consumers are notified of breaches in a timely and consistent manner.”
Crapo then called for more transparency from credit reporting organizations:
“We should also examine what can be done to ensure financial regulators and private financial companies give adequate disclosure to citizens and consumers about what information is being collected about them and for what purposes, and what can be done to implement best practices to give citizens and consumers control over how financial regulators, private financial companies and non-affiliated third parties use consumer data.”
The bottom line here is that anyone whose data was stolen in the Equifax Data Hack of 2017 is still at risk for identity theft and well-advised to set up annoying-but-necessary security freezes.