News of yet another data breach, this time at credit bureau Equifax, was announced yesterday afternoon and sadly, it isn’t all that surprising. Time and again we experience ‘massive breaches’ where the hackers get away with troves of personal information. From retail to healthcare, government agencies to financial services, no industry is immune.
An estimated 143 million Americans and a smaller number of Canadians and UK citizens have had their information stolen. According to Equifax CEO Rick Smith, criminals got away with names, social security numbers, birth dates, addresses and, for some people, driver’s licenses. In other words, hackers grabbed the mother lode for committing identity theft. A breach of this magnitude is the biggest fear of any company that collects such intimate and personal data. A nightmare come true.
Further fallout is building today from the way Equifax has so far handled the crisis. The company stated the data was first breached in mid-May and that it became aware of that fact on July 29. As the initial oh-crap moment wears off, people are figuring out that 41 days have elapsed since the company knew about our stolen information, and likely more than twice that amount of time has passed since the crooks actually gained access. Equifax’s offer of free identity theft protection is laughable at this point… it’s possible many people have already fallen victim to some sort of identity theft or financial fraud. And to rub even more salt in the wound, it appears that buried in Equifax’s Terms of Service for their free credit monitoring service is a provision that waives your right to join any class action brought against them.
A uniform data breach notification law would really come in handy right now… but perhaps it would not have made any difference, considering that several states already enshrine time-to-notify requirements in their laws. Had this happened a few months later, Equifax would be on the line for millions of dollars in fines via GDPR given its UK customer base, because as of right now the UK is still a member of the EU. GDPR isn’t set to take effect until May of next year, however, so company executives are surely breathing a bit easier as far as that goes.
This story will get worse before it gets better. Many people are going to lose their jobs, likely including Equifax executives; you should expect to see people brought before Congress to explain what happened; we may even see an investigation and subsequent report as Congress did in the wake of the Target breach. Perhaps most importantly, consumer trust in *all* of the credit reporting agencies will be seriously eroded.
It’s time for us to reconsider exactly how we allow companies to store all of this data. It’s clear that these mega-databases are prime targets for attack, and we need to take a hard look at sweeping legislative changes that will force data brokers and collectors to take security up a few levels.