What the Equifax breach tells us
The United States Department of Homeland Security sent a memo to Equifax and other credit bureaus regarding a security flaw in the software they use to deal with customer disputes. Following this memo, sent about seven months ago, the company leadership at Equifax sent out a request to their security team to fix the vulnerability. However, that request was not communicated to the rest of the team, according to former CEO Richard Smith. He claims that a single unnamed person in a team of 225 is responsible for not communicating the request appropriately, which led to the vulnerability not being addressed.
This simple miscommunication led to the theft of data belonging to approximately 145 million of Equifax’s customers. Sensitive information such as Social Security numbers, driver’s license information, birthdays and many other forms of personal information that could be used to steal someone’s identity were taken in the hack. Increased scrutiny has been placed on credit bureaus in the fallout of the hack.
The main credit bureaus in the United States are Experian, TransUnion, and Equifax, along with a lesser-known bureau called Innovis. The role of these credit bureaus is to collect information on citizens and aggregate the information to measure financial risk; think of it as a financial background check. When you apply for a credit card, a mortgage or any other type of loan, the lender will request a credit report from one or all of the agencies to determine the risk in lending to you.
These credit bureaus have a large amount of power in the financial system, and some of the largest databases on consumers, most of which contain sensitive data. Their legality has been questioned by many consumer advocacy groups, as you cannot opt out of the bureaus’ information collection. But in light of the recent breach, these companies have been placed front and center for the American public, who are widely displeased with their operation.
Following the announcement of the breach, lawmakers from both parties began to call for more regulation and oversight of these bureaus. These regulations are definitely needed as the response to the hack has been incredibly poor.
Equifax didn’t announce the hack to the public until six weeks after they discovered it. They also delayed waiving the fee for freezing credit. The worst mistake they made after the announcement, however, was tweeting a link to a fake website that collected information on consumers. Thankfully, the website was owned by somebody with non-malicious intent, and he reported it to Equifax. The website creator says he made the website to make the point that these agencies need to take security more seriously, a point noticed by Congress.
Whatever future action is being contemplated, millions of Americans are vulnerable right now and need help if they’ve been compromised. Under the Fair Credit Reporting Act, any American is able to obtain their credit report from the big three credit agencies once a year for free. It is important to always monitor your credit; however, in light of the recent breach, it is imperative to check all three reports. If there is activity that you don’t recognize, you can now freeze your credit so that no more fraudulent activity can occur.
Before this breach, there was a push to further deregulate the credit agencies. While deregulation is less likely now, there is worry that further regulation will be hard to accomplish. Between the big agencies, about $3 million was spent lobbying Congress last year.
One thing is for certain, however. If we don’t reform the oversight and security practices of these companies, we are just waiting until the next breach happens.