Just as Hurricane Irma was making its way toward South Florida, Equifax decided to reveal that it was the victim of a data breach that impacted about half of all adults in the U.S. – 147.9 million people. Personal information, such as birth dates and Social Security numbers, was exposed.
It was Sept. 7, 2017, and it was the worst known data breach in history. Some predicted the Atlanta-based credit-reporting agency would soon be out of business.
But a year later, the company has mostly bounced back, and analysts say not enough has changed.
Days after announcing the breach, the company’s stock took a deep dive, losing more than a third of its value.
By the end of the month, CEO Richard Smith stepped down. A week later, he testified on Capitol Hill.
“I’m in no way skirting the issue of the horrific breach that we had,” Smith said. “It was horrific, and I once again apologize to this committee and to all Americans.”
Smith blamed the data breach on a technology failure and “human error.” Someone on its IT team failed to apply a software update, which left Equifax vulnerable to a cyberattack.
Equifax also stumbled repeatedly in its response to the breach, for example by understaffing call centers and accidentally directing users to a fake website.
Lawmakers grilled the former CEO about why the company waited six weeks to reveal the data breach. There were also allegations of insider trading by executives.
One Year Later
Equifax was almost immediately threatened with lawsuits. More than 370 class-action complaints were filed by banks, small businesses and consumers.
A year later, the credit reporting agency is making money again. Four executives were cleared in an internal investigation and only one employee has pleaded guilty to insider trading. Any final legal ruling is years away. A federal judge in Atlanta and 26 attorneys are still sorting through all the class-action complaints.
It’s not likely much else will happen, said Emory University economist Tom Smith.
“It was awful. I mean they lost a third of their value in a minute, but people have very short attention spans, and businesses have very short attention spans,” he said. “Firms have realized that they can make a mistake. The mistake will hurt us in the short run, we will apologize-ish and then you’ll mostly forget, and we’ll move on, and everything will be great.”
The U.S. Public Interest Research Group, a national consumer watchdog group, recently published its analysis of the year since the data breach.
“What you need is a combination of oversight and penalties in order to make sure that this kind of data breach doesn’t happen again,” said Mike Litt, one of the report’s authors. “They haven’t paid any kind of fine for having lax security in the first place and ultimately losing that information.”
Litt said all customers should assume their Social Security numbers and personal information have been breached, if not by the Equifax data breach, then by others. He suggested people freeze their credit files and regularly monitor monthly bank statements.
Eight state regulators, including the Georgia Department of Banking and Finance, signed an agreement with Equifax on June 27 to do monthly progress updates and a third-party audit at the end of the year, in lieu of fines.
“In an era of weakened federal government oversight, strong state regulation is essential in order to safeguard our markets, ensure strong consumer protections and hold regulated entities accountable for their actions,” New York State Financial Services Superintendent Maria Vullo said in a statement.
On Capitol Hill, many bills were introduced after the data breach, said Chi Chi Wu. Wu is a staff attorney with the National Consumer Law Center.
“So far, we’ve gotten free security freezes and not much else,” Wu said. “We haven’t seen the end result of an enforcement action with some sort of fine against Equifax. Bills that were stronger than a free security freeze, bills that, for example, would give consumers a lot more control over their credit report or give the Federal Trade Commission supervision authority over data security for the credit bureau, those haven’t been passed yet.”
Wu said part of the problem is that it’s hard to say how many people were actually hurt by the Equifax data breach, especially since large data breaches have become common.
“You know, it could be years down the line, somebody tries to steal your identity and you don’t know where the information they got came from, whether it was the Equifax data breach or the Anthem data breach or the Office of Personnel Management data breach.”
Data Breach Overload
Most people have become “numb” to news of data breaches, said Roy Hadley. Hadley is an attorney with Adams and Reese and chair of the information security society at the Technology Association of Georgia.
“When these data breaches happen, and they happen frequently, and you get a letter every month that says your information is breached, but we don’t give you free credit monitoring after the fourth or fifth one, you know, you just kind of tend to ignore ‘em,” Hadley said.
Hadley said many people have lower expectations of privacy and willingly share personal information on social media, for example. He said it may have to get a lot worse before consumers demand more accountability.
He said some businesses though are paying more attention to cybersecurity.
“The amount of data that companies are collecting and storing and holding and manipulating and using is just many, many fold over last year and the year before,” Hadley said. “And I think most companies are seeing that you really do need to make this a priority.”
After the breach, Equifax offered five products, including a free lifetime service to lock credit files, but critics pointed out the lock wasn’t very strong, since the other two credit bureaus, TransUnion and Experian, do not offer the same service. Equifax also offered insurance, credit monitoring and scans of the “dark web” to see if personal information was listed there.
In a statement, Equifax said it’s spending an additional $225 million on data security and infrastructure and hired a new chief information security officer, Jamil Farshchi, and a new chief technology officer, Bryson Koehler, who report directly to the new CEO, Mark Begor.
“We recognize that cybersecurity impacts not just us, but the entire industry. Since the end of 2017, we have been conducting regular cybersecurity briefings and customer calls to update hundreds of business customers on our progress and lessons learned,” an Equifax spokesperson said in a statement.
Princeton University computer science researcher Marshini Chetty said Equifax has improved security, but her research shows many other companies are still not investing enough to protect data.
“It may not be that companies don’t want to address it. It’s just that maybe they don’t have enough resources and that, I think, is what’s coming out of our research.”
Chetty surveyed more than 100 system administrators over the past year and said for companies with small budgets, applying software updates is not always easy.
“If you’re handling, you know, thousands or more machines, it’s not always straightforward to know which patches apply to the machines that are under your jurisdiction,” Chetty said. “We need better systems to help administrators actually make sure that they keep systems up to date. Our research is showing that it’s hard to know which machines are affected by any particular vulnerability. And then it’s also hard to know whether you know all the machines that need that vulnerability patched have been patched.”
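The problem Chetty describes, knowing which machines a vulnerability applies to and whether every one of them has actually been patched, is at bottom an inventory reconciliation task. The script below is an added illustration, not code from the story or from any of the researchers or companies named in it: it takes a constructed asset inventory and a placeholder advisory (hypothetical package name “exampleapp”, hypothetical identifier “ADV-PLACEHOLDER”, first fixed version 2.3.0) and reports which in-scope hosts are still unpatched and what fraction of them are covered. Versions are compared numerically, component by component, so that 2.10.1 is correctly treated as newer than 2.3.0, a common source of false “unpatched” findings when versions are compared as strings.

```python
"""Patch-coverage check: which inventoried hosts still run a version
inside an advisory's affected range?

Added example. The advisory, package name and host inventory below are
constructed placeholders, not real data from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10). Non-digit suffixes are dropped and
    missing components compare as 0, so '2.3' == '2.3.0'."""
    parts: List[int] = []
    for piece in s.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    ident: str            # hypothetical identifier, not a real CVE
    package: str          # package the advisory applies to
    first_fixed: str      # every version below this is affected


@dataclass(frozen=True)
class Host:
    name: str
    packages: Dict[str, str] = field(default_factory=dict)  # package -> version


def is_affected(host: Host, adv: Advisory) -> bool:
    """A host is affected only if it has the package installed at a version
    strictly below the first fixed release."""
    installed = host.packages.get(adv.package)
    if installed is None:
        return False  # package absent: out of scope, not "patched"
    return parse_version(installed) < parse_version(adv.first_fixed)


def patch_report(inventory: List[Host], adv: Advisory) -> dict:
    """Reconcile the inventory against the advisory. Returns the number of
    hosts in scope, the sorted list of unpatched hosts and the coverage
    ratio (patched / in scope)."""
    in_scope = [h for h in inventory if adv.package in h.packages]
    unpatched = sorted(h.name for h in in_scope if is_affected(h, adv))
    coverage = 1.0 if not in_scope else (len(in_scope) - len(unpatched)) / len(in_scope)
    return {
        "advisory": adv.ident,
        "in_scope": len(in_scope),
        "unpatched": unpatched,
        "coverage": coverage,
    }


# Constructed placeholder advisory: everything before 2.3.0 of "exampleapp".
ADVISORY = Advisory(ident="ADV-PLACEHOLDER", package="exampleapp", first_fixed="2.3.0")

# Constructed inventory covering the usual edge cases.
INVENTORY = [
    Host("web-01", {"exampleapp": "2.2.9", "libfoo": "1.0"}),   # affected
    Host("web-02", {"exampleapp": "2.3.0"}),                    # exactly fixed
    Host("db-01", {"libfoo": "1.0"}),                           # package absent
    Host("app-03", {"exampleapp": "2.3"}),                      # short version string
    Host("app-04", {"exampleapp": "2.10.1"}),                   # newer, string compare would flag it
    Host("legacy-05", {"exampleapp": "1.9.4"}),                 # affected
]


if __name__ == "__main__":
    report = patch_report(INVENTORY, ADVISORY)
    print(f"{report['advisory']}: {report['in_scope']} hosts in scope, "
          f"{len(report['unpatched'])} unpatched, coverage {report['coverage']:.0%}")
    for name in report["unpatched"]:
        print("  still vulnerable:", name)
```

In practice the inventory would come from a configuration-management or endpoint-agent export and the affected range from the vendor advisory; the point of the reconciliation is that a host with the package absent is neither patched nor unpatched, and that the report must be re-run after deployment to confirm the remaining hosts actually moved out of the affected range.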
Chetty said it’s a daily struggle for most IT departments.
“Security is super complicated. It definitely is an arms race between attackers and defenses against attackers,” Chetty said.
And it’s a race that doesn’t have a clear finish line for Equifax or anyone else.
Correction: Mike Litt’s name has been corrected from an earlier version of this story.