This article has been updated.
Two years ago Saturday, about half of all adult Americans had personal and financial information compromised in a cybersecurity breach at Equifax.
Despite outrage at the time, there has been no major federal reform, except mandating free credit freezes. This summer, there was a $700 million class-action settlement with the Atlanta credit bureau. Yet for some, that settlement isn’t much relief.
Last May, Robin Kanegis was picking her son up from soccer practice when her phone rang.
“I got a call from my bank at about 5 o’clock at night that somebody had called using my details, and knew an awful lot of details, but they were male. And apparently didn’t know that I was female.”
Kanegis’ bank caught the attempt. But that was only the beginning of a big headache for the Washington, D.C., resident.
The thieves opened an account with a different lender in her name. They tried to change her address to divert mail, illegally accessed her credit report and tried to open credit cards in her name.
“And it really felt like whack-a-mole,” she said. “As soon as you resolve one thing, another thing pops up. Every call was hours of time. It was dozens and dozens of hours trying to untangle this mess.”
She has no way of knowing if the ordeal is over, or what else the thieves have tried.
Kanegis is one of the nearly 150 million people affected by the Equifax breach, but there’s no way to know if that’s where the thieves got her information.
“When we start looking at these massive online breaches, it is very hard to attribute that, a particular breach to a particular occurrence of identity theft,” said Eva Velasquez, director of the Identity Theft Resource Center. “We are getting better … we aren’t there yet.”
Velasquez said while experts have told her the Equifax data has not shown up on the dark web, she has no way to verify that. Plus, she said, “That doesn’t necessarily mean that the data is being used or isn’t being used for nefarious purposes. We just haven’t seen what that is yet.”
Equifax was warned by the federal government about a software vulnerability months before the hack, but the company didn’t fix it.
People were outraged, Velasquez said. Her organization got more calls to its help line that month than in any other month in its history.
This year’s settlement agreement, she said, seemed like a victory at first.
The company agreed to pay up to $425 million for consumers’ credit monitoring and compensate consumers for out-of-pocket expenses related to the breach. It also agreed to pay $275 million in civil penalties, to provide free identity restoration services and six free credit reports to all consumers per year for seven years and to make big changes to its security program, with regular third-party verification of that.
“It was a very quick swing of the pendulum from, ‘Oh this is good news. I’m glad that there’s been some settlement and some sense of justice and they’ve had to pay a price for what they put us through.’ Which quickly turned to frustration because the process became very confusing,” Velasquez said.
It got confusing because at first people were urged to file claims to get reimbursed up to $125 or free credit monitoring.
Barely a week after the announcement, the Federal Trade Commission told people not to ask for the cash because of the “overwhelming” response. Just $31 million of the up to $700 million was actually allocated to that reimbursement fund.
Instead, it’s telling people to settle for the four years of free credit monitoring. Four years isn’t very much considering how long people can see effects, Velasquez said.
“When static data like Social Security numbers and those other types of identity credentials, which never change, when those are compromised, they don’t have a shelf life. This is for the rest of your life,” she said. “And so, public sentiment is always going to be anything is too short if you put a time cap on it because I have to deal with this forever now.”
And the money to pay for that credit monitoring is actually going to Equifax’s competitor, Experian, which had its own, smaller breach in 2015, points out Chi Chi Wu, staff attorney at the National Consumer Law Center.
There may not be much money for consumers in the settlement, and it would be better for all of the penalty to go to consumers, but, she said, at least people now know more about the credit-monitoring industry.
“When the Equifax data breach happened, people started realizing, hey we’re not the customers,” she said. “We’re the commodity.”
Credit bureaus gather personal and financial information and sell it to companies like lenders deciding whether to loan people money.
Equifax’s stock price plummeted at the time of the breach, but now it’s back up. That’s because consumers are still not its customers, and it still has the information.
“That’s the markets saying, well we care but we don’t care,” said Morgan Wright, a cybersecurity and cyberterrorism expert with SentinelOne and the Center for Digital Governance.
“You know what we care about is the company making money. Whereas on the other hand, if I’m the consumer, I’m going, ‘What are you doing to protect my privacy?’ You know if there were a consumer stock market and the price was driven by the confidence of consumers in the company as opposed to what analysts think, you’d have two totally different valuations of a company,” Wright said.
Wu said the credit-monitoring companies are entrenched.
“With all the problems in Equifax and the other two credit bureaus, there’s no one to replace them. Creditors still need to go to them in order to make loans. Employers are still using them when they hire people.”
Equifax has spent about $1.5 billion on cleanup from the breach, excluding legal fees. Its chief security officer said in a statement that the company has “learned a lot in the past two years.” Equifax has restructured its management and is spending another $1.25 billion on cybersecurity investments between 2018 and 2020.
But there haven’t been any new laws governing how the credit bureaus work and how the industry guards people’s data.
And that’s what needs to change, Kanegis said.
“Who decided that was OK? That these private companies have all our information, have so much power in our lives, and we really have no recourse other than lots and lots of hours of phone calls,” she said.
Kanegis did file a claim for the Equifax settlement and still asked for cash. She’s had credit monitoring in place for years. It just didn’t work.
Editor’s note: This article has been updated to correct and clarify details about the funding dispersal. Other additions have been made throughout the story.