The Equifax security breach has profound implications not only for the 143 million affected people but also for the company, the financial industry, and privacy law.
The disastrous breach may not be the largest in history (Yahoo! breaches in 2013 and 2014 affected 1 billion and 500 million, respectively), but it is significant given the details that were leaked. While account names and passwords are indeed risky when leaked, consider the scope of information in the Equifax incident: full names, Social Security numbers, addresses, birth dates, bank information and driver’s license information were all taken.
Beyond the potential harm to consumers, what are the implications of the Equifax breach?
1. Scale and Scope of Loss
The 143 million accounts are roughly 44 percent of the total U.S. population, though the scope of the attack is greater when factoring out children and others without credit histories. The number of Americans over the age of 18 (likely to have a credit score) is 175 million. Given that fact, the 143 million accounts hacked is actually closer to 82 percent of the probable population with credit scores. As a result, credit cards and bank loans have a higher likelihood of being fraudulent for years to come. Hostile governments could use the data to compromise those with security clearances, too.
2. Increased Investor Scrutiny
Equifax was slammed not just for the breach, but for the five weeks that passed between the time the breach was discovered and the time the public was notified. In addition, a website established to provide information about the breach was built on a relatively insecure WordPress platform with weak security protocols.
And Equifax executives, including its chief financial officer, sold more than $1.8 million in stock in late July, once the breach was discovered and prior to the public announcement. While Equifax claims the executives had no knowledge, the credibility gap is wide.
For skittish investors, cybervulnerability is likely to become a more regular assessment in determining stock positions and buy recommendations.
The Equifax breach could have long-lasting implications for credit reporting agencies.
3. Change Coming to Credit Reporting Agencies
Equifax made matters worse when it was revealed that consumers who signed up for a free year of credit monitoring and insurance were precluded from joining class-action lawsuits against the company (although Equifax later revised these terms).
Some are asking whether Equifax and the other major credit reporting agencies, Experian and TransUnion, should use Social Security numbers for identification and reporting. Concerns are likely to continue to mount about whether the agencies can keep this data secure going forward.
Lawmakers and regulators at the federal and state levels are already calling for hearings, stiff penalties, and reform. Three House subcommittees are planning hearings, the Senate Finance Committee and the Federal Trade Commission are holding hearings, and dozens of class-action lawsuits have already been filed.
4. More Corporate Planning Needed
Equifax’s poor response reinforces the need for a sound, well-thought-out, and well-executed incident response plan to address data breaches. While it’s reasonable to expect companies to take some time in assessing the scope of a breach once it’s discovered, the company needs to be consistent, clear and thorough in its responses. Transparency helps ensure that consumers retain some confidence and that corporate reputations and stock prices do not take a massive hit.
Data breaches are, unfortunately, a common reality in modern living. The Equifax incident reminds us that there is still work to be done in addressing these issues.