Equifax’s Data Breach Is a Nightmare. Their Handling of It Is Worse.

The data breach announced by Big Three credit monitoring giant Equifax is absolutely the worst incident of personal information theft of all time. The successful hacking of the company’s data stores compromised the most sensitive and vulnerable data a person has: unchangeable identifying information like driver’s license and social security numbers, birth dates, and home addresses.

The magnitude of the breach is astounding: nearly half of the people in the United States are affected, along with currently unknown numbers of people in Canada and the UK. A breach of this particularly severe nature at such a scale is unprecedented, but as terrible as it is, Equifax’s handling of it has been worse.

The first thing Equifax did on discovering the breach was keep it a secret for six weeks. The company’s entire raison d’être is managing information, but Equifax only figured out at the end of July that it had been bleeding personal info since mid-May. The discovery was already belated enough; the sleazy secret-sellers then decided to hide the severe threat they’d exposed some hundred-million-plus adults to for another month and a half while trying to work out how to handle the fallout. That is criminally negligent.

When one’s personal information has potentially been compromised, time is of the essence. Many banks and credit card companies monitor their customers’ financial activity for irregularities and contact them quickly when something suspicious happens.

Ironically, Equifax also offers such a service. The people whose personal data were exposed (in other words, perhaps the majority of Americans over 18 and a similar ratio in the UK and Canada) have been unable to take steps to protect themselves in all this time that Equifax has delayed announcing the breach. Some people were exposed to the worst kind of identity theft for four months without knowing it, and it is likely that many individuals have already suffered severe financial damage and are not yet aware of it.

The second thing Equifax did, or at least many of its executives did, just prior to finally admitting the breach, is sell their stock. Within days of the breach going public Equifax stock dropped by $3.5 billion, or just over 20 percent. Some of the dozens of lawsuits already filed against the company and executives are for securities fraud, specifically insider trading of the sort that involves dumping tons of stock right before announcing your company has catastrophically failed at its singular job: managing and protecting data.

These accusations have not been proven in court and Equifax denies the executives in question were aware of the breach or its impending announcement. So you can believe them or not.

The third thing Equifax did was announce the breach and their solution-slash-apology fruit basket, a website that didn’t completely work. The idea was to submit a portion of your social security number and name to the website and get a response that said your personal information was (probably) not compromised or that it (we think) was.

But sometimes if a person went to the website one day to find out if their personal information was stolen they would get one response, and then when they tried a different day they got another. And some people tried putting in fake SINs and names and still got an answer from the website that stated definitively whether the made-up person’s info was compromised or not.

The website also identified a PIN to lock your credit report, which was about as insecure as a PIN can be. (They fixed it, only after users of the site pointed out the mistake publicly.)
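The article says the freeze PIN was about as insecure as a PIN can be but does not say how it was generated. The following is an added example, not Equifax’s code or the article’s, that puts a hypothetical weak scheme (a PIN derived from the request timestamp, assumed here purely for illustration) next to a PIN drawn from a cryptographically secure generator, compares the size of the guessing space, and includes the kind of audit check a defender can run against an existing PIN issuer. The 10-digit length and the helper names are assumptions.

```python
"""Credit-freeze PIN generation: a predictable scheme next to a secure one.
Added example; the article does not state how Equifax's PIN was built."""
import math
import secrets
import string
from datetime import datetime

PIN_LENGTH = 10                      # assumed length, for illustration only
MINUTES_PER_YEAR = 365 * 24 * 60     # candidates an attacker must try for a
                                     # timestamp-derived PIN issued this year


def predictable_pin(requested_at: datetime) -> str:
    """Hypothetical weak scheme: the PIN is just the request time, MMDDYYHHMM.
    Anyone who knows roughly when a freeze was placed can guess it quickly."""
    return requested_at.strftime("%m%d%y%H%M")


def example_weak_pin() -> str:
    """Constructed request time, used so the output is reproducible."""
    return predictable_pin(datetime(2017, 9, 8, 14, 30))


def random_pin(length: int = PIN_LENGTH) -> str:
    """Secure scheme: every digit comes from the OS CSPRNG via `secrets`,
    never from `random`, which is seeded predictably."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def search_space_bits(candidates: int) -> float:
    """Attacker effort for an online or offline guess, in bits of entropy."""
    return math.log2(candidates)


def compare_schemes() -> dict:
    """Bits of entropy for the two schemes; the gap is the whole point."""
    return {
        "timestamp_pin_bits": round(search_space_bits(MINUTES_PER_YEAR), 1),
        "random_pin_bits": round(search_space_bits(10 ** PIN_LENGTH), 1),
    }


def is_well_formed(pin: str) -> bool:
    """Format check only: right length and digits only."""
    return len(pin) == PIN_LENGTH and pin.isdigit()


def looks_timestamp_derived(pin: str) -> bool:
    """Audit check: does the PIN parse as a plausible MMDDYYHHMM timestamp?
    A single random PIN can pass this by chance; an issuer whose PINs all
    pass it, with values that track issue time, is the red flag."""
    if not is_well_formed(pin):
        return False
    try:
        datetime.strptime(pin, "%m%d%y%H%M")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    weak = example_weak_pin()
    strong = random_pin()
    print("timestamp-derived PIN:", weak, "parses as timestamp:", looks_timestamp_derived(weak))
    print("random PIN:           ", strong, "parses as timestamp:", looks_timestamp_derived(strong))
    print(compare_schemes())
```

The numbers are the lesson: a timestamp-derived PIN gives an attacker about 19 bits to search if the freeze year is known (and far fewer if the day is known), while ten CSPRNG digits give about 33 bits, and the PIN carries no information about when it was issued. Rate limiting the PIN check and tying the PIN to a second factor are the usual next steps; neither is shown here.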

The fourth thing Equifax did was to offer a tone-deaf and apparently unironic effort at restitution to those people whom the website identified as compromised. For both losing their most sensitive information and then compounding the risk by waiting to admit it, Equifax offered to make it right by providing its own credit protection service for free, so that when the stolen data is inevitably used in an identity theft attempt, some minimal contingency plan will be in place. Not remotely as good as keeping our SINs secure to begin with, but this weak response is even worse than it sounds.

The service is only offered for one year. When a person’s social insurance number has been compromised, this is a life-long security risk for them. One year of monitoring service and then, what, Equifax will want the people whose information they lost to pay for the service? They hope to make money off of the worst screw-up in financial history?

The fifth thing Equifax did was add a clause in their offer of the free protection service that said anyone who accepted it couldn’t sue the company. This did not go over well: Care2, for example, had a petition up immediately calling out the company for this egregious and slimy move. Under fire from all sides, Equifax quickly backtracked and retracted that clause.

What’s the next thing Equifax will do? One thing they haven’t done is tell Canadian or British citizens whether their individual data has been compromised, even though the much larger number of affected Americans had been identified by the time the breach was announced, and citizens in these other countries are in just as much danger. Another thing Equifax hasn’t done is truly take responsibility, nor have they made a real effort at serious restitution for the damage they allowed to happen and then compounded by their response.

Yet another thing Equifax hasn’t done is be even minimally proactive about getting the information out to the people who have been affected. Putting out a press release that tells people to go to a hastily constructed and error-ridden website? You have our contact information, and the people affected range from 18 to 108. Some don’t watch the news; others don’t own a computer. Many have no idea that Equifax has their data, because they are not Equifax’s customers; they are the product. Equifax sells its data management and analysis services to lenders who want to know an individual client’s rating, and those lenders hand all of our personal data over to this company so it can render a verdict.

So Equifax doesn’t really care about the people they’ve hurt. They don’t need our direct support or loyalty. But that doesn’t mean they aren’t legally responsible to the people whose data they hold in their care. So we will hold them accountable. A first step–and believe me when I say it is only a first step–is to tell us, all of us, individually, that they have screwed up and we have to take steps to protect ourselves. Then we’ll start to have the conversation about consequences for the company that put hundreds of millions of people in three separate countries at risk.

Take Action

Please sign the Care2 petition demanding that Equifax identify and inform all customers who were impacted by this massive data breach.

35 comments

Philippa Powers, 7 days ago

Thanks.

Cruel Justice, 9 days ago

The only concern Equifax has is how this will affect its stock price.

Norman P, 11 days ago

They'll get away with it. Oh, they're too big to punish or close down, or some other excuse. That, or the fine will sound so astronomical to us but will be a drop in the bucket for them. Compared to what the normal person whose accounts were exposed will face, to them it will be like us being fined ten bucks! In short, they'll get away with it.

Jaime J, 11 days ago

Thank you!!

Jan S, 11 days ago

Thank you

Brandy S, 11 days ago

Thanks.

Sherri S, 11 days ago

Flippin' unbelievable!

Janis K, 11 days ago

Thanks for sharing.

Jonathan Harper, 12 days ago

Noted!!!

heather g, 12 days ago

Crooked bunch - like most others