Equifax Data Breach
Equifax, one of the three largest consumer credit reporting agencies in the United States, announced in September 2017 that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data breached included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card numbers of approximately 209,000 consumers were also breached. The Equifax breach is unprecedented in scope and severity. There have been larger security breaches at other companies in the past, but the sensitivity of the personal information held by Equifax and the scale of the problem make this breach unprecedented.
- EPIC FOIA: CFPB Raise Further Questions About Equifax Investigation: Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that the CFPB was contacted by a Reuters reporter days before the article alleging the CFPB halted the Equifax investigation was published to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement saying that it will not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story, and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing. (Mar. 26, 2018)
- SEC Issues Guidance on Cybersecurity Disclosures: The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security. (Mar. 5, 2018)
- FTC Report - ID Theft Complaints Rank High (Mar. 1, 2018)
- In Congressional Testimony, EPIC to Call For Comprehensive Privacy Law, New Privacy Agency (Feb. 12, 2018)
- Following EPIC Letter, 31 Senators Demand Answers from CFPB on Equifax Investigation (Feb. 8, 2018)
- EPIC Files FOIA Request About Mulvaney's Decision to Halt CFPB Equifax Investigation (Feb. 7, 2018)
- EPIC Urges Senate to Investigate Mulvaney’s Failure to Pursue Equifax Probe (Feb. 6, 2018)
- Uber Hid Massive Data Breach For Over A Year And Paid Hackers (Nov. 21, 2017)
- EPIC Backs Privacy Act Protections for "Insider Threat" Database (Jul. 5, 2017)
- House Report Criticizes OPM Handling of Massive Data Breach Last Year (Sep. 7, 2016)
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief (Jul. 20, 2016)
- Markey and Barton Pursue VTech Data Breach (Dec. 2, 2015)
- Administrative Decision Tosses LabMD Data Security Case (Nov. 21, 2015)
- Appeals Court Upholds FTC's Data Security Authority (Aug. 24, 2015)
- Massive AT&T Consumer Privacy Violation Results in $25 Million FCC Penalty (Apr. 8, 2015)
- Federal Court Considers FTC's Data Protection Authority (Mar. 3, 2015)
- Anthem Breach Shows Risks of "Big Data" (Feb. 5, 2015)
- Data Breach Legislation Moves Forward in the Senate (Sep. 26, 2011)
- California Passes Updated Data Breach Legislation (Sep. 1, 2011)
- House Subcommittee Approves Weak Data Breach Bill (Jul. 21, 2011)
- In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act (Jun. 21, 2011)
- EPIC Testifies in Congress on Data Breach Legislation (Jun. 15, 2011)
- Epsilon Data Breach Threatens E-mail Privacy of Millions (Apr. 7, 2011)
- Senate Holds Hearing on Data Security and Breach Notification Bill (Sep. 24, 2010)
- California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy (Oct. 16, 2009)
- Congress Holds Open Markup Session on Data Breach Bill (Jun. 3, 2009)
- Data Breaches on the Rise in the US (Jan. 6, 2009)
Equifax and the Credit Reporting Agencies
Equifax is one of the three major credit reporting agencies (CRAs)—also known as credit bureaus—in the U.S. CRAs create credit reports on individuals that give a detailed picture of a person’s credit history, including whether they have kept up with loan and credit card payments. CRAs do not collect information from consumers, but rather collect it from businesses, including credit card companies, banks, employers, landlords, and others. When an individual applies for credit, the lender will pull their credit report from Equifax or one of the other CRAs to see if they have a history of repaying their debts. A lender is much more likely to extend an offer of credit and a favorable interest rate to an individual who has a history of repaying other lenders regularly and on time. In addition to lenders, landlords may request your credit report before deciding whether to accept you as a tenant, and employers may request it before deciding whether to hire you. Credit reports can have major impacts on people’s lives.
The Rise of Consumer Data Breach and Identity Theft
The scope of the data breach problem extends well beyond Equifax. The consumer reporting industry has a sordid history of poor cybersecurity. For example, in May 2016 identity thieves stole the tax and salary data of more than 431,000 people from Equifax. In October 2015, a breach at Experian exposed the records of 15 million T-Mobile customers, including names, addresses, SSNs, dates of birth, and identification numbers. Equifax, Experian, and TransUnion all exposed the credit reports of celebrities in March 2013. These are only a few examples of breaches at credit bureaus.
Both the scope of data breaches and the frequency at which they occur have increased in recent years. Notable breaches include:
- The 2013 Yahoo breach, in which hackers stole names, birth dates, phone numbers, and passwords, is now estimated to have impacted all 3 billion users, making it the largest data breach on record.
- In 2015, a data breach at the Office of Personnel Management compromised the personal data, including biometric identifiers, of more than 20 million people, many of them with security clearances.
- Recent data breaches have affected Chipotle, Home Depot, and Target, resulting in over 100 million stolen credit card numbers combined.
- Data breaches have also impacted large banks, educational institutions, healthcare providers, and many other businesses.
Identity theft is an enormous problem for consumers. The Federal Trade Commission reported 399,225 cases of identity theft in the United States in 2016. Of that number, 29% involved the use of personal data to commit tax fraud. More than 32% reported that their data was used to commit credit card fraud, up sharply from 16% in 2015. A 2015 report from the Department of Justice found that 86% of the victims of identity theft experienced the fraudulent use of existing account information, such as credit card or bank account information. The same report estimated the cost to the U.S. economy at $15.4 billion.
Identity theft can completely derail a person’s financial future. Criminals who have gained access to others’ personally identifiable information can open bank accounts and credit cards, take out loans, and conduct other financial activities using someone else’s identity. Identity theft has severe consequences for consumers, including:
- Being denied credit cards and loans
- Being unable to rent an apartment or find housing
- Paying increased interest rates on existing credit cards
- Having greater difficulty getting a job
- Suffering severe distress and anxiety
The 2017 Equifax Breach
On September 7, 2017, Equifax announced a breach affecting the data of approximately 143 million U.S. consumers. The same announcement stated that some UK and Canadian consumers had been affected as well, but did not give a specific number. The company stated that the unauthorized access occurred from mid-May through July 2017. The hackers did not access the data from Equifax’s core consumer credit reporting databases, but from the company’s U.S. online dispute portal web application. The data included:
- Social Security Numbers
- Birth Dates
- Addresses, and
- Driver’s License Numbers.
The vulnerability that caused the breach was Apache Struts CVE-2017-5638. Apache Struts is a popular framework for creating Java web applications, maintained by the Apache Software Foundation. The Foundation issued a statement announcing the vulnerability and released a patch on March 7, 2017.
The following day, the Department of Homeland Security contacted Equifax, Experian, and TransUnion to notify them of the vulnerability. On March 9, 2017, an internal email notification was sent to Equifax administrators directing them to apply the Apache patch. Equifax's information security department ran scans on March 15, 2017 that were meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.
The vulnerability was left unpatched until July 29, 2017, when Equifax’s information security department discovered “suspicious network traffic” associated with its online dispute portal and applied the Apache patch. On July 30, 2017, Equifax observed further suspicious activity and took the web application offline. Three days later the company hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach. The investigation revealed that the data of an additional 2.5 million U.S. consumers had been breached, bringing the total number of Americans affected to approximately 145.5 million. Equifax disclosed in the same announcement that 8,000 Canadians had been impacted and stated that the forensic investigation related to UK consumers had been completed, but did not state the number of UK consumers affected. A later announcement from Equifax stated that the data of 693,665 UK citizens was breached.
Equifax Response and Criticisms
Equifax’s response to the breach raised concerns among security experts and consumer advocates. Security expert Brian Krebs called Equifax’s public outreach after the breach “haphazard,” “ill-conceived,” and a “dumpster fire.” Equifax created a separate domain—equifaxsecurity2017.com—for consumers to find out if their information was compromised in the breach. This caused the site to be flagged as a phishing threat by browsers. Developer Nick Sweeting bought the domain securityequifax2017.com to demonstrate that Equifax’s decision to create a separate domain made it much easier for phishing sites to imitate it and confuse people. The Equifax Twitter account accidentally tweeted a link to the spoofed site. Consumers who contacted Equifax in the immediate wake of the breach to freeze their credit were given PINs that corresponded to the date and time of the freeze, making them easier to guess.
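The freeze-PIN problem above is one a defender can audit for. The following is an added example (not EPIC's or Equifax's code): it checks issued PINs against a few assumed timestamp layouts, since the page does not give Equifax's exact format, compares the guess space of a timestamp-derived PIN with a CSPRNG-backed one, and the sample records are constructed.

```python
"""Audit helper for timestamp-derived credit-freeze PINs.

Assumptions: the timestamp layouts and the sample records below are
constructed for illustration and are not Equifax's actual scheme.
"""
import math
import secrets
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Timestamp layouts a PIN "corresponding to the date and time of the freeze"
# might use (assumed; each yields a 10- or 12-digit string).
TIMESTAMP_LAYOUTS = ("%m%d%y%H%M", "%y%m%d%H%M", "%Y%m%d%H%M", "%d%m%y%H%M")

Record = Tuple[str, str, datetime]  # (account id, issued PIN, freeze time)


def derived_from_timestamp(pin: str, freeze_time: datetime) -> Optional[str]:
    """Return the layout that reproduces `pin` from `freeze_time`, else None."""
    for layout in TIMESTAMP_LAYOUTS:
        if freeze_time.strftime(layout) == pin:
            return layout
    return None


def audit_pins(records: Iterable[Record]) -> List[str]:
    """Return the account ids whose PIN is a function of the freeze timestamp.

    A PIN that matches any layout carries no secret beyond the freeze time,
    which the account holder, a call-centre log, or a mailed letter reveals.
    """
    return [acct for acct, pin, ts in records if derived_from_timestamp(pin, ts)]


def guess_space_bits(window_minutes: int) -> float:
    """Entropy (bits) of a minute-granular timestamp PIN when the freeze is
    known to fall inside a window of `window_minutes` minutes."""
    return math.log2(window_minutes)


def random_pin_bits(digits: int = 10) -> float:
    """Entropy (bits) of a uniformly random PIN of `digits` decimal digits."""
    return math.log2(10 ** digits)


def random_pin(digits: int = 10) -> str:
    """CSPRNG-backed replacement: uniform over all 10**digits values."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


# Constructed sample records: two timestamp-derived PINs, one random one.
SAMPLE_RECORDS: List[Record] = [
    ("acct-1", "0908171432", datetime(2017, 9, 8, 14, 32)),  # MMDDyyHHMM
    ("acct-2", "1709081432", datetime(2017, 9, 8, 14, 32)),  # yyMMddHHMM
    ("acct-3", "4830192716", datetime(2017, 9, 8, 14, 32)),  # random
]

if __name__ == "__main__":
    print("flagged accounts:", audit_pins(SAMPLE_RECORDS))
    week = 7 * 24 * 60
    print(f"timestamp PIN, freeze known to the week: {guess_space_bits(week):.1f} bits")
    print(f"random 10-digit PIN: {random_pin_bits():.1f} bits")
    print("replacement PIN:", random_pin())
```

The contrast the numbers make is the page's point: a ten-digit PIN that encodes the freeze time is only as strong as an attacker's uncertainty about that time, not the ten digits.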
Congressional Hearings, Agency Investigations, and Proposed Legislation
The Equifax breach has captured the attention of local, state, and federal governments in the U.S. as well as UK and Canadian regulators.
The cities of San Francisco and Chicago have sued Equifax. San Francisco’s complaint alleges that Equifax violated California’s unlawful, unfair or fraudulent business practices law when it (1) failed to implement and maintain reasonable security practices; (2) failed to provide timely notice of the breach; and (3) failed to provide clear and complete information. It seeks restitution for California consumers who purchased credit monitoring services from Equifax prior to the announcement of the breach, up to $2,500 for each violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures. Chicago’s complaint alleges violations of the Illinois Personal Information Privacy Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Chicago Consumer Fraud ordinance for (1) exposing personal information; (2) failing to provide timely notice of the breach; and (3) misleading consumers by representing its credit monitoring service as complimentary when it included a mandatory arbitration clause that barred users of the service from bringing future legal action against Equifax.
State attorneys general have been active in responding to the breach. Maura Healey, the Attorney General of Massachusetts, brought an enforcement action against Equifax. The complaint alleges violations of Massachusetts consumer protection and data privacy laws. New York’s Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill would (1) require any business that holds sensitive data of New Yorkers to adopt reasonable administrative, technical, and physical safeguards; (2) expand the types of data that trigger reporting requirements, to include username-and-password combinations, biometric data, and HIPAA-covered health data; and (3) provide safe harbor protection for companies that obtain independent certification that their data security measures meet the highest standards. The attorneys general of Connecticut, Illinois, Pennsylvania, and the District of Columbia sent a joint letter to Equifax notifying the company of their intent to investigate the breach. The letter was signed by the attorneys general of dozens of other states.
The federal government is also conducting investigations. In a rare move by the Federal Trade Commission, Peter Kaplan, the agency's acting director of public affairs, confirmed that the agency is investigating the Equifax breach. The Consumer Financial Protection Bureau is also investigating the company, though recent reports indicate that the agency may be pulling back from its probe. The SEC and U.S. attorney’s office in Atlanta (where Equifax is headquartered) are investigating Equifax for insider trading related to the sale of stock by executives before the breach was announced to the public.
Congress has held several hearings to investigate events surrounding the breach and explore reforms to the credit reporting industry. Those hearings included:
- Senate Banking, Housing, and Urban Affairs Committee: “An Examination of the Equifax Cybersecurity Breach” (October 4, 2017)
- Senate Judiciary Subcommittee on Privacy, Technology, and the Law: “Equifax: Continuing to Monitor Data-Broker Cybersecurity” (October 4, 2017)
- House Financial Services Committee: “Examining the Equifax Data Breach” (October 5, 2017)
- Senate Banking, Housing, and Urban Affairs Committee: "Consumer Data Security and the Credit Bureaus" (October 17, 2017). EPIC President Marc Rotenberg testified.
- House Energy and Commerce Subcommittee on Digital Commerce & Consumer Protection: “Securing Consumers’ Credit Data in the Age of Digital Commerce” (November 1, 2017)
- Senate Commerce, Science, and Transportation Subcommittee on Communications: “Protecting Consumers in the Era of Major Data Breaches” (November 8, 2017)
- House Financial Services Committee: “Examining the Current Data Security And Breach Notification Regulatory Regime” (February 14, 2018). EPIC President Marc Rotenberg testified.
Members of Congress have introduced bills in both the House and the Senate concerning the security and privacy of CRAs. These bills include:
Regulators in the United Kingdom and Canada are also investigating the Equifax breach. The UK Financial Conduct Authority has the power to fine the company and withdraw the authorization that allows it to run credit checks in the UK. The UK privacy regulator, the Information Commissioner’s Office, and the Office of the Privacy Commissioner of Canada are also investigating Equifax.
- March 7, 2017 - The Apache Software Foundation reported the vulnerability Apache Struts CVE-2017-5638 and released a patch.
- March 8, 2017 - Department of Homeland Security (US CERT) contacted Equifax, Experian, and TransUnion to notify them of Apache Struts CVE-2017-5638.
- March 9, 2017 - An internal email notification was sent to Equifax administrators directing them to patch the Apache vulnerability.
- March 15, 2017 - Equifax's information security department ran scans meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.
- May 13, 2017 - Hackers began to access personal identifying information.
- July 29, 2017 - Equifax discovered “suspicious network traffic” associated with its consumer dispute website. Its information security department applied the Apache patch.
- July 30, 2017 - Equifax’s information security department observed further suspicious activity and took the web application offline.
- July 31, 2017 - Equifax’s Chief Information Officer notified CEO Richard Smith of the suspicious activity.
- August 1-2, 2017 - Three senior Equifax executives sold stock worth almost $1.8 million.
- August 2, 2017 - Equifax hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach.
- September 7, 2017 - Equifax announced the security breach to the public on Twitter.
- September 11, 2017 - Twenty U.S. Senators wrote Equifax a letter asking the company to clarify its position on the Consumer Financial Protection Bureau’s rule limiting use of forced arbitration clauses. Equifax had previously lobbied for the rule’s repeal.
- September 13, 2017 - Senator Mark Warner (D-VA) wrote a letter to FTC Acting Chairwoman Maureen Ohlhausen asking her to open an investigation into the breach.
- September 14, 2017 - Representative Lamar Smith and Representative Trey Gowdy sent the Equifax CEO a letter notifying him that the House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology are conducting an investigation into the breach and requesting relevant business records.
- September 15, 2017 - Two Equifax executives resigned.
- September 15, 2017 - Equifax issued a press release confirming that the vulnerability was Apache Struts CVE-2017-5638.
- September 18, 2017 - New York Governor Andrew Cuomo announced a proposal to apply the state’s banking regulations to credit reporting agencies.
- September 26, 2017 - Equifax CEO Richard Smith retired and the Board of Directors appointed Paulino do Rego Barros Jr. as Interim CEO.
- September 27, 2017 - Interim CEO Paulino do Rego Barros Jr. published a public apology on behalf of Equifax and announced a new free service allowing people to lock and unlock their credit.
- October 3, 2017 - The IRS awarded a multimillion-dollar fraud-prevention contract to Equifax.
- October 12, 2017 - The IRS temporarily suspended its contract with Equifax.
- October 12, 2017 - Security researchers discovered that Equifax’s website contained false Adobe Flash download links that trick users into downloading malware that displays unwanted ads online.
- January 31, 2018 - Equifax launched its free “Lock & Alert” product to help consumers better control access to their credit report.
- February 2018 - Sen. Elizabeth Warren (D-MA) released a report detailing the findings of her office’s investigation of the breach.
- March 1, 2018 - Equifax announced that an additional 2.4 million U.S. consumers had their names and partial driver’s license information stolen, bringing the total to about 148 million people impacted by the breach.
- March 14, 2018 - The Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) 67-31. The bill would give consumers free credit freezes but would also preempt states from passing stronger laws.
- March 28, 2018 - Equifax named Mark Begor as CEO.
In the wake of the Equifax breach, immediate action should be taken to reform not only the credit reporting industry, but also to address the broader problem of secret profiling and mishandling of consumers’ personal data. It is time to change the defaults and time to put consumers back in control of both their credit reports and their personal information. Consumers must have free and easy access to their credit information, and control over when and how that information is disclosed. Companies collecting consumers’ personal data must establish effective safeguards, including requirements for prompt disclosure of any data breach. Congress should end the use of the social security number as a general-purpose identifier. And Congress should promote the use of innovative technology to minimize the collection of personal data.
Reform the industry by giving consumers control over their credit reports
First, CRAs should offer free credit “freezes” and “thaws,” changing the default for report disclosure to opt-in. Credit reporting agencies should change the default on access to credit reports by third parties. Instead of the current setting, which allows virtually anyone to pull someone’s credit report, credit reporting agencies should establish a credit freeze for all disclosures, with free and easy access for consumers who wish to disclose their report for a specific purpose.
Second, CRAs should provide free monitoring and easy access to credit history. Current laws allow consumers access to free credit reports, but the process is cumbersome, and few consumers take advantage. A rationalized market would help ensure that consumers have as much information as possible about the use of their personal data by others. Instead, Equifax and other credit reporting agencies profit from the very problems they create.
Third, Congress should require mandatory disclosure of secret scores and algorithms used by CRAs. Algorithmic transparency is key to accountability. Absent rules requiring the disclosure of these secret scores, lists, and the underlying data and algorithms upon which they are based, consumers will have no way to even know, let alone solve, these problems.
Improve Breach Notification
First, Congress should set national, baseline data breach notification standards to limit the damage caused by data breaches. The federal standard should require immediate and efficient notification of impacted consumers, regulators, and the public. Companies are increasingly interacting with consumers on social media and via automated text and e-mail messages, so it is reasonable to expect that companies can notify consumers within 48-72 hours of a breach.
Second, Congress should mandate reasonable data security measures. Prompt breach notifications are necessary to ensure that consumers and regulators can quickly deal with a data breach after it happens.
Third, consumers affected by data breaches should have a private right of action. Companies often require consumers to agree to contracts with arbitration clauses that block consumers from bringing lawsuits. Credit reporting agencies and other financial institutions should be prohibited from using these arbitration agreements to block consumer actions for breach, improper disclosure, or misuse of their personal data. And a breach of personal data should be sufficient harm to provide a cause of action.
Fourth, the existing data security requirements for consumer-facing financial institutions under the Gramm-Leach-Bliley Act should extend to credit reporting agencies and other companies that sell consumer profiles. The Act already provides for oversight of financial institutions’ privacy practices by seven regulatory agencies, but the current regime fails to address credit reporting agencies. Specifically, although the Dodd-Frank Act transferred authority over certain privacy provisions to the CFPB, the law did not transfer regulatory authority to establish data security guidelines. As it stands, the CFPB can only bring enforcement actions based on a company’s affirmative misrepresentations about data security practices. Given that credit reporting agencies hold more sensitive personal data than many of the other financial institutions combined, it makes little sense for those companies to be exempt from the rules.
Limit the Use of Social Security Numbers by Private Companies
Congress should prohibit the use of the social security number in the private sector without explicit legal authorization. Social security numbers were never meant to be used as an all-purpose identifier.
Promote innovative technology to minimize the collection of personal data
There are already initiatives to improve privacy protections in the field of data science, and these efforts could be adopted and further developed by the companies responsible for protecting consumer data. For example, there have been significant advancements in “differential privacy” algorithms and secure methods of two-factor authentication. These are the techniques that Equifax and other credit reporting agencies should invest in to limit harm to consumers going forward.
Enact baseline privacy legislation and establish a Data Protection Agency
The United States has fallen behind many other countries that are seeking to ensure that the rapid adoption of new technologies does not leave them vulnerable to data breach, identity theft, and cyber attack. A good starting point would be to enact the Consumer Privacy Bill of Rights, baseline privacy legislation that would put the responsibilities on companies that collect and use personal data to protect the information they choose to collect. The Consumer Privacy Bill of Rights follows the structure of many privacy laws in the United States and elsewhere. That means it could both harmonize and simplify compliance, and the CPBR could help resolve pending trade disputes with Europe and others about the protections for transborder data flows.
The United States should also establish a Data Protection Agency, as has virtually every other advanced economy facing the challenges of the digital age. The current agencies in the United States tasked with protecting consumers and citizens lack the authority and even the personnel to do what needs to be done.
- Marc Rotenberg, Testimony before the House Committee on Financial Services, Hearing on “Examining the Current Data Security and Breach Notification Regulatory Regime” (February 14, 2018)
- Senator Elizabeth Warren, Bad Credit: Uncovering Equifax’s Failure to Protect Americans’ Personal Information (February 2018)
- Marc Rotenberg, Testimony before the Senate Banking Committee, Hearing on Consumer Data Security and the Credit Bureaus (October 17, 2017)
- Consumer Financial Protection Bureau, Identity Theft Protection Following the Equifax Data Breach (Sept. 9, 2017)
- Federal Trade Commission, The Equifax Data Breach: What to Do (Sept. 8, 2017)
- USA.gov, Identity Theft: Equifax Data Breach
- FOIA Request: Mick Mulvaney’s emails concerning the termination of the CFPB’s Equifax investigation (Feb. 9, 2018)
- Production (Mar. 22, 2018)
- Senators Back More Oversight Of Credit Bureau Cybersecurity, Law360, October 17, 2017
- Senators Bear Down on Credit Reporting Industry Over Data Security, The Hill, October 17, 2017
- Is It Time to Say So Long to Social Security Numbers?, Insurance Journal, October 13, 2017
- The End of Privacy, New York Times, October 6, 2017
- The White House and Equifax Agree: Social Security Numbers Should Go, Bloomberg, October 4, 2017
- Why does your identity depend on one number? Security experts push to replace SSN, Denver Post, September 15, 2017
- Why do companies wait so long to tell us we've been hacked?, NPR Marketplace, September 12, 2017
- The Equifax Breach Exposes America's Identity Crisis, WIRED, September 9, 2017
- More Like Social Insecurity Number, Amirite?, Motherboard, September 8, 2017