What is done cannot be undone: How Equifax failed America and what you should do about it
By Anna Landsverk
On Sept. 7 Equifax announced a data breach affecting 145 million people, or 44 percent of Americans, with damage that will stretch for decades.
Some of the facts may sound familiar: a giant business makes a mistake in updating its tech that hackers, in turn, take advantage of – causing data to be stolen. This happens so often that we’re almost numb to it. However, what happened to Equifax was not just any hack.
Equifax is one of only three credit reporting bureaus in the United States and held names, Social Security numbers, current and former addresses, birthdays and credit histories for most Americans. It was one of the most valuable sources of information in the country and a major target for hackers.
“I was very surprised that information was accessible and hacked,” MSUM paralegal professor Tracy Gompf said. “However, I think that it makes sense that people are going to go after the type of organization that has the most information on the most people. You get the most bang for your buck if you go after Equifax.”
Dr. Tonya Hansen of the MSUM economics department agreed, stating that she and others expected more from such a high-level company.
“Equifax and Experian were probably the two that people really had confidence in,” Hansen said. “For most individuals, this might have really shaken their confidence that their data is safe anywhere when the agencies that are protecting that information and monitoring their credit also failed in securing that information.”
In addition to the scope of the breach, the timeline of events continues to astound legislatures and consumers nationwide.
“Here’s an agency that has essential information about … lots and lots of people, and it doesn’t seem like they were following industry protocols for security,” economics professor Steven Bolduc said.
The first hints of a security breach were discovered by information technology staff on July 29, although the hackers entered Equifax’s system sometime in May. Former CEO Richard Smith was notified of a security threat on July 31, but Equifax did not notify the public of the breach until Sept. 7.
To get into the system, hackers exploited an Apache software flaw on Equifax’s network, although Apache released a software patch nearly two months prior of the breach. That has been a source of anger for congress members and the public.
“Another thing that’s really frustrating to people … is that the company had a patch for weeks (before the hack),” Gompf said. “Then they wait six weeks to inform the public.”
When Equifax did tell the public that almost one in two people in the U.S. would be affected, the company made even more mistakes. In the sign-up terms and conditions for Equifax’s free year of credit monitoring, offered as an apology for the breach, people unwittingly gave up their right to participate in a class-action lawsuit. According to Smith in his Senate hearing, this was an error on the part of Equifax staff and not a conscious decision, but it took public uproar for Equifax to remove the language.
“Some IT departments in some companies were recommending it,” Gompf said. “They didn’t tell you the second part of the story, which is that you’re waiving your right to sue them. I think it’s fair to call that deceptive. And that’s why they changed their position, because it was deceptive and the public didn’t like it.”
Even before the bungled public announcement, there was suspicious activity happening within the company. Three company executives sold $1.8 million of Equifax stock days after Smith and the IT department identified the potential breach. At the Senate hearing for Smith, many senators questioned the suspicious timing of the sales, which netted the employees in question around $655 million more than they would have earned after the announcement, according to Senator Tim Scott’s calculations.
But accusations of insider trading aside, the general public are still the ones burned.
“As a consumer who’s worried about your credit, it doesn’t really matter if Equifax sold their shares without telling the rest of the world,” Gompf said. “I think it’s irresponsible, but it doesn’t really change the fact that anyone’s information can be compromised.”
Moving forward, everyone should consider their data as vulnerable or compromised.
“If you think in today’s world that your information is safe, that might be rather naïve,” Hansen said. “I think the only strategy someone can take moving on is that, ‘My information is probably not safe, I just need to do my best to monitor and stay ahead of it.’ All you can do is be proactive and stay on top of it.”
The first method to stay ahead is to regularly request credit reports. This requires a bit of a mindset shift, but it can help individuals quickly flag illegal activity. Each of the three credit bureaus offer consumers one free credit history check per year, so by staggering requests, individuals can get their report three times a year at no cost.
“Regularly checking your credit reports is important—that’s what recommended by all the financial advisors and credit advisors, and it’s something that many people do not do,” Gompf said.
Checking banking activity frequently is also important. Once data has been sold off, the buyer may “test out” a small purchase to see if the person is monitoring their account. If it goes unnoticed, they will make larger purchases under that account or even start opening new credit cards.
“I think what we need to develop is a culture of monitoring your information … developing a culture of checking bank statements, credit card statements, anything out there that has credit information,” Gompf said.
Another method is to freeze an individual’s credit to prevent anyone from getting a loan or opening new credit cards in that person’s name.
“I think the best strategy moving forward, and this is one that many experts have recommended, is to contact all three agencies—Equifax, Experian, and TransUnion—and lock down your credit report,” Hansen said.
If someone does choose to freeze their credit though, they should be aware that it is not quick and easy to undo. It can also make it more difficult to apply for a loan later on.
“That used to be considered an extreme measure because it means you have to call the credit bureau to unlock your information so that you can obtain credit yourself,” Gompf said. “So you are locking yourself out when you are freezing your credit, and it costs money at each credit bureau (to unlock), so it can get expensive.”
However, new credit cards and a plummeting credit score are not the only potential dangers. Another major source of profit from identity theft is filing fake tax returns and cashing in the taxpayer’s refund. Therefore, it will also help to contact the IRS around tax season and verify that a return has not yet been filed. It’s important to realize that even the government is not immune to identity theft schemes.
“I think people might feel more violated with the breach on their connection to the U.S. government than on their connection to a company,” Hansen said. “I could be wrong on that, but I think largely people put a trust in government that’s different from the trust they put in corporations.”
For more hands-off protection, everyone is eligible for a year of free credit monitoring services from Equifax, since it was the one who put the public at risk. People can also join one of many class-action lawsuits filed against Equifax for the cost of one year’s worth of credit “protection” services. Other companies such as LifeLock, IdentityGuard, and TransUnion also provide the monitoring for a monthly fee. These services can be useful in flagging suspicious activity as soon as it is discovered, but there are limits to what they can achieve.
“I’m not actually sure what they’re selling,” Bolduc said. “I worry that some of them are selling perceptions of safety that may actually divert people from doing more substantial things that would indeed increase their safety. I worry that some of those companies might be a little predatory.”
Above all, it is dangerous to depend solely on credit monitoring services or a single method of protection to defend against identity theft.
“I think that (complacency) is always the danger,” Hansen said. “Because we know there’s a tendency for us to be complacent on this as time passes, maybe that’s another opportunity for the public sector to meet the consumer and (tell) them that, ‘We know this is not only important to you as an individual, but this is important to us as a nation.’”
We as consumers need to stay vigilant and develop new habits to secure our digital financial identities. Considering the risks and the difficulty of recovering after an attack, it seems like a small price to pay.
“It takes a little effort to protect a lot of important information,” Hansen said.
PUBLIC AND PRIVATE ROLES
While consumers worry over protecting their data, the government and private companies struggle with how to protect consumers in the future.
One regulatory problem is working reactively instead of proactively.
“I think our regulatory approach has been command and control. You identify some problem, and you require firms to impose a particular solution; you command them to control something,” Bolduc said. “That just doesn’t work in high-tech sectors because the situations change so rapidly.”
After the breach, there was some talk of eliminating Social Security numbers as a security feature and replacing them with a new method of identification. Bolduc and Gompf were both wary about how much that would benefit American consumers.
“The problem with command and control is, ‘Social Security numbers have been compromised, so let’s come up with another ID system,’ which will also be compromised,” Bolduc said.
Hansen is more optimistic about the possibilities for creativity. New high-tech identification methods like biometric scans have privacy concerns, but they may provide private companies an opportunity to innovate new security measures.
“We’ve already heard of a few companies using biometric scans and things of that nature before people could access certain pieces of information,” Hansen said, citing the Minneapolis-St. Paul Airport’s use of the technology. “And there’s always a tradeoff between peoples’ privacy and how many measures you want to put in between them in protecting their privacy. But we could really see some changes that might fit the world we live in today a bit better.”
Nationwide, the hack may lower consumer confidence in the short-run and make getting new access to credit more difficult than it already is.
“I think it is going to have economic impacts,” Hansen said. “What hacking really does is that it has an opportunity to slow down economic activity, because it puts an extra step in the process—or a step that people aren’t used to taking before they access credit or loans.”
For the long term, people will inevitably forget about the breach and resume their previous economic activities. After all, for those who need access to credit or plan on buying a house or a car, waiting out the risk may not be an option.
“I think the system—getting loans, processing applications for credit—I think it’ll just continue on as it has,” Bolduc said. “I don’t know the alternatives; I don’t know if there are other alternatives.”
Legally, Congress and other institutions are interviewing and investigating Equifax, and they will be for some time. But no matter how long they investigate, the effects of the data breach will far outlast it.
“What people are waking up to is (that) this is a lifetime issue,” Gompf said.