MASSPIRG Education Fund
One year after publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves.
On September 7th, 2017, Equifax publicly announced a breach of data belonging to approximately 143 million U.S. consumers. It later updated that number to 145.5 million and then to nearly 148 million affected consumers. By exposing sensitive personal information, including Social Security numbers and birthdates, and for some people, credit card numbers and driver’s license numbers, Equifax put consumers at risk of several types of identity theft and fraud.
The purpose of this report is to make sure consumers have the information they need to protect themselves as much as possible, review what has happened in the last year, and point out the need for Congressional action to prevent breaches as bad as this one from ever happening again.
Equifax’s Many Failures
Had Equifax not been so careless, the breach might never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability. The company also botched its response by:
- Delaying public notification for at least six weeks
- Setting up an online search tool that gave users faulty results about whether they were affected by the breach
- Initially understaffing its call center
- Initially including arbitration language that forced consumers to sign away their rights to a day in court
- Directing consumers to a fake website
- Failing to provide consumers full protection from new account identity theft — which it still hasn’t done. (See Appendix A for a summary of Equifax’s offerings to consumers in response to the breach and how they fall short of protecting consumers.)
An investigative report released by Senator Elizabeth Warren further explains the numerous ways Equifax failed consumers.
- The full report includes major sections on Governmental Responses to the Equifax breach.
- The full report includes major sections on how to prevent identity theft and protect your privacy, including on the differences between free credit reports and security (credit) freezes required by law and other products offered by Equifax and other credit bureaus.
Conclusion and Recommendations
Ultimately, we are not the customers of Equifax or the other credit bureaus; we are their product. We did not ask or give them permission to collect or sell our personal information. Congressional action, state and federal agency enforcement and private rights of action are needed to provide both the necessary financial consequences and oversight that will help prevent anything like last year’s Equifax breach from happening again. Additionally, breached companies should be required to provide consumers with clear, complete, and concise information about what can be done to prevent, detect, and resolve most kinds of identity theft and fraud.