One year after discovering your data was hacked, Equifax still hasn’t paid a price

Media Contacts
Mike Litt

Director, Consumer Campaign, U.S. PIRG Education Fund

Consumers should protect themselves with credit freezes


WASHINGTON — A year after Equifax discovered signs of a data breach that exposed 147 million Americans to potential identity theft, the company has yet to be held accountable.

On July 29th, 2017, Equifax’s security department identified and started investigating suspicious activity associated with the part of its website where consumers could dispute information on their credit reports. But Equifax didn’t publicly disclose the breach until September 7th, six weeks later.

“This is no happy anniversary. We’re still waiting for Congress to hold Equifax accountable and take action to prevent future breaches,” said Mike Litt, consumer campaign director for U.S. PIRG.  

If Equifax had not been so negligent, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability. The company also botched its response by:

  • Delaying public notification for six weeks

  • Setting up an online search tool that provided faulty results about which individuals were affected

  • Directing consumers to a fake website

  • Initially including arbitration language that forced consumers to sign away their rights to a day in court

  • Failing to offer consumers full protection from new account identity theft — which Equifax still hasn’t done.

The best way consumers can protect themselves, whether they were affected by the breach or not, is to get credit freezes at all three major credit bureaus: Equifax, Experian and TransUnion. Credit freezes prevent identity thieves from opening new credit accounts in the names of people whose information they have stolen.

In many states, credit freezes now cost between $3 and $10 per bureau. However, a new federal law will eliminate fees for credit freezes across the country on September 21st. But waiting could be more costly to consumers in the long run. Each day that goes by is another day an identity thief could open accounts in the names of people who don’t have freezes on their credit reports. And while the new law may save consumers money on credit freezes, overall it has negative implications; its primary provisions increase the likelihood of bad mortgages, racial discrimination in the marketplace, and risky banking practices.

Earlier this year, Sens. Elizabeth Warren (MA) and Mark Warner (VA) introduced the Data Breach Prevention and Compensation Act, legislation that would implement annual cybersecurity inspections at Equifax and the other national credit bureaus and levy fines against them if they have future breaches. If this policy had been in place during the Equifax incident last year, Equifax would have paid at least a $1.5 billion penalty, half of which would be returned to consumers affected by the breach. Instead, the company actually reported earnings of $876.9 million in the second quarter of 2018, a 2 percent increase compared to last year. The legislation does not appear to have traction to move out of the Senate Banking Committee.

“There needs to be looming financial consequences if we want the credit bureaus to take our data security seriously. Unfortunately, Congress has failed to establish any penalties,” Litt said.


U.S. PIRG is a non-partisan, non-profit consumer organization that stands up to powerful interests whenever they threaten our health and safety, our financial security, or our right to fully participate in our democratic society. On the web at