Equifax Breach: One Year Later

How to Protect Yourself Against ID Theft and Hold Equifax Accountable

One year after publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves. The purpose of this report is to make sure consumers have the information they need to protect themselves as much as possible, review what has happened in the last year, and point out the need for state and federal action to prevent breaches as bad as this one from ever happening again.

Introduction

One year after publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves.

On September 7th, 2017, Equifax publicly announced a breach of its data belonging to approximately 143 million U.S. consumers. It later updated that number to 145.5 million and then to nearly 148 million affected consumers. By exposing sensitive personal information, including social security numbers and birthdates, and for some people, credit card numbers and driver’s license numbers, Equifax put consumers at risk of several types of identity theft and fraud.

The purpose of this report is to make sure consumers have the information they need to protect themselves as much as possible, review what has happened in the last year, and point out the need for Congressional action to prevent breaches as bad as this one from ever happening again.

Equifax’s Many Failures

Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability. The company also botched its response by: 

  • Delaying public notification for at least six weeks

  • Setting up an online search tool that provided faulty results to those who used it about whether they were affected by the breach

  • Initially understaffing its call center  

  • Initially including arbitration language that forced consumers to sign away their rights to a day in court

  • Directing consumers to a fake website

  • Failing to provide consumers full protection from new account identity theft — which it still hasn’t done. (See Appendix A for a summary of Equifax’s offerings to consumers in response to the breach and how they fall short of protecting consumers.)

Recommended Steps to Prevent and/or Detect Identity Theft and Fraud

Conclusion and Recommendations

Ultimately, we are not the customers of Equifax or the other credit bureaus; we are their product. We did not ask or give them permission to collect or sell our personal information. Congressional action, state and federal agency enforcement and private rights of action are needed to provide both the necessary financial consequences and oversight that will help prevent anything like last year’s Equifax breach from happening again. Additionally, breached companies should be required to provide consumers with clear, complete, and concise information about what can be done to prevent, detect, and resolve most kinds of identity theft and fraud.

Topics
staff | TPIN

You can be part of the solution

Grassroots support powers the consumer advocacy and action that win solutions to plastic waste, toxic contamination of our food and water, and so much more. That’s what supporting PIRG is all about. We work for you. You make the difference.

Donate