Just when you think nothing can surprise you when it comes to corporate incompetence, along comes the massive data breach at the credit reporting agency Equifax.
The breach may have given hackers the names, birth dates, driver’s license numbers, Social Security numbers and other personal, intimate data of 145.5 million Americans, about half the country’s adult population. This data is what allows people to buy or rent homes, get auto loans and have credit cards.
Failing to secure consumer information puts Americans at risk of identity theft, tax return scams, and financial fraud for the rest of their lives. The extent of the pain and expense people will endure as a result of the breach is yet not fully understood.
Equifax is one of three primary national credit reporting bureaus. The firm collects, processes, maintains and sells the sensitive and personal data of more than 820 million consumers worldwide. Simply put, they harvest your information, sell it without your permission to companies who want to sell you stuff, and they do not pay you. Consumers are not the clients under this business model, they are the product, so the firm has no incentive to prioritize them.
By relying on an open source code that it knew was subject to hacking, Equifax left data exposed beginning at least on March 7, 2017. Free patches to the vulnerable software were available and well known to the firm by that date. The following day, the Department of Homeland Security alerted Equifax that its software was vulnerable to hackers, but the company failed to take precautions that would have protected the personal data of millions of people.
As a result, information was compromised between May 12 and July 30. The company learned of the breach on July 29 and “rushed” to get the word out to the public – six weeks later. They did not notify each consumer affected by the hack, so individuals learned that their information was stolen long after the crime occurred.
The firm initially asked consumers to provide the last six numbers of their Social Security numbers to gain access to an unworkable website. While Equifax may have been unsure about whether a consumer was victimized, it was clear that everyone could sign up for a supposedly free credit monitoring service that required customers to provide credit card numbers.
After a year, Equifax could start charging unless consumers cancelled the service. Those who signed up for credit monitoring were also asked to give up their rights to sue the company.
The firm, victims were being asked to pay for protection, was the same one that could not protect their information in the first place. Equifax’s senior managers must be graduates of Trump University. The firm changed the terms after the media attacked the story like white blood cells ganging up on a diseased organ.
Consumer anger has been further intensified by the actions of three senior Equifax executives, including the chief financial officer, who sold shares worth $1.8 million in the days after the breach was discovered, according to Bloomberg. The firm said the executives were unaware of the breach when they sold the stock. This does not pass the smell test.
The miscreants being punished and doing time in the near future is about as likely as finding a clean politician in New Jersey. Richard F. Smith stepped down as CEO and won’t get the $5.2 million in severance he would otherwise have received, but he will collect a lavish pension estimated at $18.4 million. Compare that to the tens of millions of victims who may be haunted by the breach for the rest of their lives.
Equifax’s senior management was criminally negligent. They put the firm’s self-interest before their duty to the public, betrayed the public trust with impunity and displayed contempt for consumers.
Once again, a big financial institution screws up. The CEO walks away with a golden parachute and millions of Americans are left holding the bag.
Originally Published: October 14, 2017