One year after publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves.
On September 7th, 2017, Equifax publicly announced a breach of data belonging to approximately 143 million U.S. consumers. It later updated that number to 145.5 million and then to nearly 148 million affected consumers. By exposing sensitive personal information, including Social Security numbers and birthdates, and for some people, credit card numbers and driver’s license numbers, Equifax put consumers at risk of several types of identity theft and fraud.
The purpose of this report is to make sure consumers have the information they need to protect themselves as much as possible, review what has happened in the last year, and point out the need for Congressional action to prevent breaches as bad as this one from ever happening again.
Equifax’s Many Failures
Had Equifax not been so careless, the breach might never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability. The company also botched its response by:
Delaying public notification for at least six weeks
Setting up an online search tool that gave users faulty results about whether they were affected by the breach
Initially understaffing its call center
Initially including arbitration language that forced consumers to sign away their rights to a day in court
Directing consumers to a fake website
Failing to provide consumers full protection from new account identity theft — which it still hasn’t done. (See Appendix A for a summary of Equifax’s offerings to consumers in response to the breach and how they fall short of protecting consumers.)
Recommended Steps to Prevent and/or Detect Identity Theft and Fraud
Conclusion and Recommendations
Ultimately, we are not the customers of Equifax or the other credit bureaus; we are their product. We did not ask or give them permission to collect or sell our personal information. Congressional action, state and federal agency enforcement and private rights of action are needed to provide both the necessary financial consequences and oversight that will help prevent anything like last year’s Equifax breach from happening again. Additionally, breached companies should be required to provide consumers with clear, complete, and concise information about what can be done to prevent, detect, and resolve most kinds of identity theft and fraud.