The big data breach suffered by Equifax has alarming implications
The financial industry worries about who is next
Until something goes wrong, few people give much thought to the surveillance they undergo by credit-reporting agencies (CRAs). Yet these agencies’ business is deeply intrusive: quantifying character. They assign individuals credit scores based on how they previously managed debt. The scores are then sold to lenders. In America, Equifax, Experian and TransUnion, the “Big Three” CRAs, have gathered credit histories and identifying information for nearly every adult.
On September 7th Equifax admitted that something had indeed gone very wrong: hackers had gained access to personal information on about 143m people, mostly Americans. It reported that, from mid-May to July, hackers exploited a vulnerability in its website. The data compromised included Social Security numbers (SSNs), dates of birth and driving-licence numbers, and for 209,000 people, possibly their credit-card numbers as well. Equifax also noted that data about some Britons and Canadians may have been stolen.
The theft of SSNs lays people open to several types of fraud. The government assigns them to Americans to monitor contributions to its pension and disability-benefits schemes. Nearly everyone has one and each is unique, so they are a convenient way to confirm identities. Lenders collect them and pass them on to the CRAs. Naturally, identity thieves have uses for them. They could apply for loans in other people’s names, for example, or defraud the taxman, inducing him to send them refunds that belong to others.
Given the dire potential consequences, Equifax’s response did little to reassure those affected by the hack. After it became aware of the hacking on July 29th, it took six weeks before letting the public know about it. That three Equifax employees had sold shares in the company after the discovery but before its announcement further dented the company’s reputation. (A spokeswoman for the company reports that the employees, who included Equifax’s chief financial officer, were unaware of the breach when they sold their shares.)
After coming clean about the breach, the company put up a website that allows people to check if their information might have been compromised. Customers who enter their names and a portion of their SSNs can learn whether their information may have been accessed by the hackers. Few were reassured when it emerged that, at first, a person entering even a random name and number would receive a response suggesting that his data might have been compromised.
Equifax customers have also been offered one year’s free access to Equifax’s own TrustedID service. TrustedID monitors the use of customers’ personal information and insures them for losses of up to $1m caused by identity theft. But some accused Equifax of enrolling customers in the hope of charging them once the year is up. Others noted that the offer’s terms seemed to preclude users from joining class-action lawsuits against Equifax. Equifax quickly clarified that the terms did not apply to suits related to the data breach. Within days, at least 100 suits had been filed. Equifax also faces scrutiny from Congress, which is to hold two hearings, and several state attorneys general, including New York’s.
Markets have already punished Equifax’s share price, which fell by around 15% on the day after the breach was revealed. Standard & Poor’s, a credit-rating agency, has revised its outlook on Equifax’s BBB-plus rated bonds from stable to negative. Banks and other lenders are reported to be reconsidering their relationships with Equifax, and might move some of their business to its competitors.
The breach raises a number of issues. Richard Parris, chief executive of Intercede, a cyber-security company, notes that it is just the latest of many. In 2013 hackers stole the credit-card data of 40m customers at Target, an American retailer. In 2015 the American government revealed that information about millions of employees had been stolen. Like many other experts, Mr Parris fears that data from these different breaches could be combined to create detailed profiles.
Another question is whether it makes sense for three large, private CRAs to aggregate so much information when they are vulnerable to such incidents. The use of SSNs for so many purposes unrelated to their original purpose also deserves scrutiny. Finally, there are the inevitable worries about whether financial data are properly protected elsewhere. As Richard Nesbitt, chief executive of the Global Risk Institute (GRI), which advises the financial industry on risk management, points out, if a firm such as Equifax, whose very business is managing data, appears so vulnerable, concerns will mount that nowhere is safe. GRI surveys show that financial institutions have lately changed their views of the most serious danger facing their industry. In 2015 it was “conduct risk/risk culture”. This year’s most acute worry was “cyber/IT risk”.