Equifax Data Breach

Summary

Equifax, one of the three largest consumer credit reporting agencies in the United States, announced in September 2017 that its systems had been breached and that the sensitive personal data of roughly 148 million Americans had been compromised. The data exposed included names, home addresses, phone numbers, dates of birth, Social Security numbers, and driver's license numbers. The credit card numbers of approximately 209,000 consumers were also exposed. Other companies have suffered breaches involving more records, but the combination of scale and the sensitivity of the data Equifax holds (the very identifiers used to authenticate a person's identity) makes this breach unprecedented in severity.

Top News

  • Government Report on One Year Anniversary of Equifax Breach Finds No Action by Federal Agencies: The Government Accountability Office released a report on "Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach." The GAO report details the 2017 Equifax data breach, which compromised the authenticating details (SSN, date of birth) of over one hundred million Americans, and summarizes the response of Equifax and of federal agencies. To date no federal agency has taken action against Equifax following one of the largest data breaches in US history. Rep. Luetkemeyer (R-MO) has introduced a bill that would codify basic data breach notification standards for the financial services industry but would preempt stronger state laws. The House Financial Services Committee is expected to mark up the bill this week. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax and to pass comprehensive data protection regulation that would not preempt state laws. (Sep. 12, 2018)
  • EPIC Joins Coalition Urging CFPB To Maintain Public Database of Consumer Complaints: EPIC and a coalition of consumer organizations have sent a letter to Mick Mulvaney urging the Acting Director not to ban public access to the CFPB consumer complaint database. "The public complaint database is a tool that empowers individuals to inform and protect themselves in the marketplace," the groups stated. In recent remarks at a banking industry conference, Mulvaney said that he is considering closing off access to the database. The database has helped expose wrongdoing by numerous financial institutions, including failures by Equifax following its data breach, as detailed in a report just released by three Senators. EPIC has called on the CFPB to more vigorously pursue its investigation of Equifax, and has filed a Freedom of Information Act request to obtain communications about that investigation. (May. 3, 2018)

  • Senators Release Report On Consumer Complaints Following Equifax Breach (May. 1, 2018) +
    Senators Warren (D-MA), Schatz (D-HI) and Menendez (D-NJ) have published a report examining thousands of consumer complaints filed with the Consumer Financial Protection Bureau after Equifax's massive data breach last fall. The report, entitled "Breach of Trust," reveals the extent of Equifax's failure to address significant harms consumers faced as a result of the breach. The Senators sent their report along with a letter to the CFPB demanding the agency hold Equifax accountable. Despite the massive number of complaints, the CFPB has yet to announce any action against Equifax eight months after the breach. The Senators also admonished Director Mulvaney for his recent suggestion that he would end public access to the CFPB's complaint database. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax. A February Reuters story indicated that the CFPB had halted its investigation into Equifax, but Mulvaney since confirmed that an investigation is still ongoing. EPIC submitted a Freedom of Information Act request to obtain information about the CFPB's Equifax investigation.
  • EPIC FOIA: CFPB Records Raise Further Questions About Equifax Investigation (Mar. 26, 2018) +
    Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that a Reuters reporter contacted the CFPB days before the article alleging the CFPB had halted the Equifax investigation was published, to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement saying that it would not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story, and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing.
  • SEC Issues Guidance on Cybersecurity Disclosures (Mar. 5, 2018) +
    The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
  • FTC Report - ID Theft Complaints Rank High (Mar. 1, 2018) +
    Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation.
  • In Congressional Testimony, EPIC to Call For Comprehensive Privacy Law, New Privacy Agency (Feb. 12, 2018) +
    EPIC President Marc Rotenberg will testify before the House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to drop the investigation into the Equifax data breach. EPIC has repeatedly urged Congress to address the data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC testified before the Senate in the wake of the Equifax breach, emphasizing the growing risks to American consumers.
  • Following EPIC Letter, 31 Senators Demand Answers from CFPB on Equifax Investigation (Feb. 8, 2018) +
    A group of 31 Senators wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation.
  • EPIC Files FOIA Request About Mulvaney's Decision to Halt CFPB Equifax Investigation (Feb. 7, 2018) +
    EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation.
  • EPIC Urges Senate to Investigate Mulvaney’s Failure to Pursue Equifax Probe (Feb. 6, 2018) +
    According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers.
  • Uber Hid Massive Data Breach For Over A Year And Paid Hackers (Nov. 21, 2017) +
    Uber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies.
  • EPIC Backs Privacy Act Protections for "Insider Threat" Database (Jul. 5, 2017) +
    EPIC has sent comments to the Department of Justice criticizing a proposed "insider threat" database. This database replaces a similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with recent government data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases.
  • House Report Criticizes OPM Handling of Massive Data Breach Last Year (Sep. 7, 2016) +
    In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
  • EPIC Defends Right of Data Breach Victims to Seek Legal Relief (Jul. 20, 2016) +
    EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because the consumers had not yet suffered fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligation of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy.
  • Markey and Barton Pursue VTech Data Breach (Dec. 2, 2015) +
    Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex.) have asked VTech, "How do you protect children's information?" The electronic toy producer recently exposed the personal profiles of millions of children in a cyber hack. The personal data included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, the data the company collects about children, and its security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Children's Online Privacy Protection Act.
  • Administrative Decision Tosses LabMD Data Security Case (Nov. 21, 2015) +
    An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision, which is not binding on federal or state courts, leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • Appeals Court Upholds FTC's Data Security Authority (Aug. 24, 2015) +
    A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.
  • Massive AT&T Consumer Privacy Violation Results in $25 Million FCC Penalty (Apr. 8, 2015) +
    The Federal Communications Commission has settled an enforcement action against AT&T for the company's massive consumer privacy violations. According to the Commission, employees at AT&T call centers around the world accessed the "CPNI" (call record information) of nearly 280,000 U.S. customers without their permission. Then AT&T distributed that information to traffickers of stolen cell phones. As a condition of settlement, AT&T will pay a $25 million penalty, eclipsing the 2014 Verizon settlement as the FCC's largest ever data security action. EPIC has long supported the robust defense of CPNI privacy.
  • Federal Court Considers FTC's Data Protection Authority (Mar. 3, 2015) +
    A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam."
  • Anthem breach Shows Risks of "Big Data" (Feb. 5, 2015) +
    One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the President's Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies to limit the risks of data breaches.
  • Data Breach Legislation Moves Forward in the Senate (Sep. 26, 2011) +
    Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
  • California Passes Updated Data Breach Legislation (Sep. 1, 2011) +
    California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
  • House Subcommittee Approves Weak Data Breach Bill (Jul. 21, 2011) +
    A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
  • In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act (Jun. 21, 2011) +
    EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector" follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation.
  • EPIC Testifies in Congress on Data Breach Legislation (Jun. 15, 2011) +
    EPIC Executive Director Marc Rotenberg testified today before the House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge. Webcast
  • Epsilon Data Breach Threatens E-mail Privacy of Millions (Apr. 7, 2011) +
    Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, TiVo, and other large companies. The firm announced the data breaches late last week. Data service providers such as Epsilon are not well known to consumers and are not typically regulated. Epsilon provides data analytics, targeting, and profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft.
  • Senate Holds Hearing on Data Security and Breach Notification Bill (Sep. 24, 2010) +
    The Senate Commerce Committee held a hearing on S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see EPIC: Identity Theft.
  • California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy (Oct. 16, 2009) +
    Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.
  • Congress Holds Open Markup Session on Data Breach Bill (Jun. 3, 2009) +
    The Committee on Energy and Commerce held an open markup session on the Data Breach Bill. The Chairman of the subcommittee intends to have a law that is strong and adequately protects consumers. EPIC testified before Congress on this bill, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. For more information, see EPIC's page on Identity Theft.
  • Data Breaches on the Rise in the US (Jan. 6, 2009) +
    A new report from the Identity Theft Resource Center found a 47 percent increase in data breaches in the United States over 2007. Noting 656 reported breaches at the end of 2008, the report identified the company, the category of breach and the number of records exposed. The Center concluded that most breached data was unprotected by either encryption or even passwords. According to the FTC, data breaches are the leading cause of identity theft. For more information, see EPIC's page on Identity Theft.

Background

Equifax and the Credit Reporting Agencies

Equifax is one of the three major credit reporting agencies (CRAs)—also known as credit bureaus—in the U.S. CRAs create credit reports on individuals that give a detailed picture of a person’s credit history, including whether they have kept up with loan and credit card payments. CRAs do not collect information from consumers, but rather collect it from businesses, including credit card companies, banks, employers, landlords, and others. When an individual applies for credit, the lender will pull their credit report from Equifax or one of the other CRAs to see if they have a history of repaying their debts. A lender is much more likely to extend an offer of credit and a favorable interest rate to an individual that has a history of repaying other lenders regularly and on time. In addition to lenders, landlords may request your credit report before deciding whether to accept you as a tenant and employers may before deciding whether to hire you. Credit reports can have major impacts on people’s lives.

The Rise of Consumer Data Breach and Identity Theft

The scope of the data breach problem extends well beyond this incident. The consumer reporting industry has a sordid history of poor cybersecurity. For example, in May 2016 identity thieves stole the tax and salary data of more than 431,000 people from Equifax. In October 2015, a breach at Experian exposed the records of 15 million T-Mobile customers, including names, addresses, SSNs, dates of birth, and identification numbers. Equifax, Experian, and TransUnion all exposed the credit reports of celebrities in March 2013. These are only a few examples of breaches at credit bureaus.

Both the scope of data breaches and the frequency at which they occur have increased in recent years. Notable breaches include:

  • The 2013 Yahoo breach, in which hackers stole names, birth dates, phone numbers, and passwords, is now estimated to have impacted all 3 billion users, making it the largest data breach on record.
  • In 2015, a data breach at the Office of Personnel Management compromised the personal data, including biometric identifiers, of more than 20 million people, many of them with security clearances.
  • Recent data breaches have affected Chipotle, Home Depot, and Target, together exposing over 100 million credit card numbers.
  • Data breaches have also impacted large banks, educational institutions, healthcare providers, and many other businesses.

Identity theft is an enormous problem for consumers. The Federal Trade Commission reported 399,225 cases of identity theft in the United States in 2016. Of that number, 29% involved the use of personal data to commit tax fraud. More than 32% of victims reported that their data was used to commit credit card fraud, up sharply from 16% in 2015. A 2015 report from the Department of Justice found that 86% of identity theft victims experienced the fraudulent use of existing account information, such as credit card or bank account information. The same report estimated the cost to the U.S. economy at $15.4 billion.

Identity theft can completely derail a person’s financial future. Criminals who have gained access to others’ personally identifiable information can open bank accounts and credit cards, take out loans, and conduct other financial activities using someone else’s identity. Identity theft has severe consequences for consumers, including:

  • Being denied credit cards and loans
  • Being unable to rent an apartment or find housing
  • Paying increased interest rates on existing credit cards
  • Having greater difficulty getting a job
  • Suffering severe distress and anxiety

The 2017 Equifax Breach

On September 7, 2017, Equifax announced that a breach had exposed the data of approximately 143 million U.S. consumers. The same announcement stated that some UK and Canadian consumers had been affected as well, but did not give a specific number. The company stated that the unauthorized access occurred from mid-May through July 2017. The attackers entered through the company’s U.S. online dispute portal web application, not through Equifax’s core consumer credit reporting databases. The data included:

  • Names
  • Social Security Numbers
  • Birth Dates
  • Addresses, and
  • Driver’s License Numbers.

The vulnerability exploited in the breach was CVE-2017-5638 in Apache Struts, a popular framework for building Java web applications maintained by the Apache Software Foundation. The flaw is a remote code execution bug in the framework’s Jakarta Multipart parser: an attacker could place an OGNL expression in the Content-Type header of a file-upload request, and the server would evaluate it with the permissions of the web application, so no credentials were needed to run commands on the host. The Foundation issued a statement announcing the vulnerability and released a patched version on March 7, 2017.

The following day, the Department of Homeland Security contacted Equifax, Experian, and TransUnion to notify them of the vulnerability. On March 9, 2017, an internal email notification was sent to Equifax administrators directing them to apply the Apache patch. On March 15, 2017, Equifax’s information security department ran scans intended to identify systems vulnerable to the Apache Struts issue, but the scans did not identify the online dispute portal as vulnerable, and it kept running the unpatched version.
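
A scan that queries the network for a vulnerability can miss an affected application; a check that compares the Struts library actually deployed against the ranges named in the Apache advisory does not depend on what the scanner can probe. The following is an added example written for this page, not Equifax’s tooling or an Apache project script. It encodes the affected version ranges from the Apache advisory for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1) and runs them over a constructed list of jar paths standing in for the output of a file inventory. The application directory names are made up for the example.

```python
import re
from typing import List, Tuple

# Affected ranges for CVE-2017-5638 (Apache advisory S2-045):
# Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10.
# Fixed versions are 2.3.32 and 2.5.10.1, which must fall outside both ranges.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Struts ships its core library as struts2-core-<version>.jar inside WEB-INF/lib.
STRUTS_CORE_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if this struts2-core version is inside an affected range.

    Tuple comparison handles the four-part fix release correctly:
    (2, 5, 10, 1) is greater than (2, 5, 10), so 2.5.10.1 is reported as fixed.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_vulnerable_jars(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar in an affected range."""
    hits = []
    for path in paths:
        match = STRUTS_CORE_JAR.search(path)
        if match and is_vulnerable_struts(match.group(1)):
            hits.append((path, match.group(1)))
    return hits


# Constructed inventory for the example (not a real host listing).
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/app1/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/opt/tomcat/webapps/app1/WEB-INF/lib/commons-lang3-3.4.jar",
    "/opt/tomcat/webapps/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/app3/WEB-INF/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_INVENTORY):
        print(f"VULNERABLE struts2-core {version}: {path}")
```

Run against real output from `find / -name 'struts2-core-*.jar'` (or an equivalent inventory), the check flags only `app1` in the sample above; the 2.5.10.1 and 2.3.32 jars are the fixed releases. The limitation is the inverse of the scanner’s: it finds only libraries present on disk under that file name, so applications that bundle Struts under a shaded or renamed jar need a manifest or hash based check instead.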

The vulnerability was left unpatched until July 29, 2017, when Equifax’s information security department discovered “suspicious network traffic” associated with its online dispute portal and applied the Apache patch. On July 30, 2017, Equifax observed further suspicious activity and took the web application offline. Three days later the company hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach. The investigation revealed that the data of an additional 2.5 million U.S. consumers had been exposed, bringing the total number of Americans affected to approximately 145.5 million. Equifax disclosed in the same announcement that 8,000 Canadians had been impacted and stated that the forensic investigation related to UK consumers had been completed, but did not state the number of UK consumers affected. A later announcement from Equifax stated that the data of 693,665 UK citizens was breached.
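
The “suspicious network traffic” that finally surfaced the intrusion is the kind of thing a web-tier log check could have flagged months earlier, because exploitation of CVE-2017-5638 leaves a distinctive mark: the Content-Type header of the request carries an OGNL expression instead of a media type. The following detection logic is an added example for this page, not Equifax’s or Mandiant’s; it runs over a few constructed, tab-separated request log lines (timestamp, client IP, method, path, Content-Type value, status) that are made up to illustrate the pattern. The two flagged lines use the publicly documented header shape, truncated to the part a detector keys on.

```python
import re
from typing import List, Tuple

# Constructed sample log (not real traffic). Fields are tab-separated:
# timestamp, client IP, method, request path, Content-Type header value, HTTP status.
SAMPLE_LOG = (
    "2017-05-13T02:14:07Z\t198.51.100.7\tPOST\t/dispute/upload\t"
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\t200\n"
    "2017-05-13T02:14:09Z\t203.0.113.5\tPOST\t/dispute/upload\t"
    "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\t200\n"
    "2017-05-13T02:15:31Z\t198.51.100.9\tGET\t/dispute/status\t"
    "application/x-www-form-urlencoded\t200\n"
    "2017-05-13T02:16:02Z\t203.0.113.5\tPOST\t/dispute/upload\t"
    "multipart/form-data;${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}\t500\n"
)

# Markers of an OGNL expression or Struts internals in a header value.
# A legitimate Content-Type never contains any of these.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|@ognl\.|com\.opensymphony\.xwork2", re.IGNORECASE
)

# RFC-style type/subtype token: the part before any ';' parameters.
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+$")


def is_ognl_injection(content_type: str) -> bool:
    """Flag a Content-Type that carries an expression rather than a media type.

    Two checks: known OGNL/Struts markers anywhere in the value, and a
    structural check that the leading token looks like type/subtype at all.
    The second catches obfuscated payloads that avoid the literal markers.
    """
    if OGNL_MARKERS.search(content_type):
        return True
    main_type = content_type.split(";", 1)[0].strip()
    return not MEDIA_TYPE.match(main_type)


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, path) for every request whose Content-Type is suspect."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, path, content_type, _status = line.split("\t")
        if is_ognl_injection(content_type):
            hits.append((ts, client, path))
    return hits


if __name__ == "__main__":
    for ts, client, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {path}: OGNL expression in Content-Type")
```

Both requests from 203.0.113.5 are flagged and the two ordinary uploads are not; the 200 status on the second line is the point, since a successful exploit looks like a normal response at the status-code level and only the header reveals it. The check only works if the web server or proxy logs the Content-Type header, which default access-log formats do not; that logging change is the prerequisite, and is the sort of detail a practitioner should confirm before relying on a rule like this.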

Equifax Response and Criticisms

Equifax’s response to the breach raised concerns among security experts and consumer advocates. Security journalist Brian Krebs called Equifax’s public outreach after the breach “haphazard,” “ill-conceived,” and a “dumpster fire.” Equifax created a separate domain, equifaxsecurity2017.com, for consumers to find out whether their information was compromised in the breach. Because the new domain had no connection to equifax.com, some browsers flagged it as a phishing threat. Developer Nick Sweeting registered the look-alike domain securityequifax2017.com to demonstrate that Equifax’s decision to use a separate domain made it much easier for phishing sites to imitate it and confuse people; the official Equifax Twitter account then accidentally tweeted a link to the spoofed site. Consumers who contacted Equifax in the immediate wake of the breach to freeze their credit were given PINs derived from the date and time of the freeze, which made them far easier to guess than a randomly generated PIN.
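
The PIN problem is a textbook case of a secret with almost no entropy. The block below is an added example for this page, not Equifax’s code: it assumes, as an illustration, that the PIN is the freeze timestamp rendered as MMDDYYHHMM (the exact format Equifax used is not stated on this page), shows how small the guess space becomes for an attacker who knows roughly when a victim placed a freeze, and puts a properly random PIN from the `secrets` module beside it.

```python
import secrets
from datetime import date, datetime, timedelta
from typing import List, Optional


def weak_pin(freeze_time: datetime) -> str:
    """Timestamp-derived PIN. Assumed format MMDDYYHHMM, for illustration only."""
    return freeze_time.strftime("%m%d%y%H%M")


def strong_pin(digits: int = 10) -> str:
    """PIN from the OS CSPRNG: 10^digits equally likely values, independent of any event time."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def candidate_pins_for_day(day: date) -> List[str]:
    """Every weak PIN a freeze placed on `day` could have produced: one per minute."""
    start = datetime(day.year, day.month, day.day)
    return [weak_pin(start + timedelta(minutes=m)) for m in range(24 * 60)]


def guesses_needed(target: str, candidates: List[str]) -> Optional[int]:
    """How many sequential tries an attacker needs before hitting `target`, or None if absent."""
    for attempt, candidate in enumerate(candidates, start=1):
        if candidate == target:
            return attempt
    return None


def weak_search_space(days_known: int) -> int:
    """Guess space when the attacker knows the freeze happened within `days_known` days."""
    return days_known * 24 * 60


def strong_search_space(digits: int = 10) -> int:
    return 10 ** digits


if __name__ == "__main__":
    # Constructed scenario: a freeze placed the day after the breach announcement.
    freeze = datetime(2017, 9, 8, 14, 32)
    pin = weak_pin(freeze)
    tries = guesses_needed(pin, candidate_pins_for_day(freeze.date()))
    print(f"weak PIN {pin} recovered in {tries} guesses out of {weak_search_space(1)}")
    print(f"random PIN {strong_pin()} sits in a space of {strong_search_space()} values")
```

An attacker who knows the victim froze their credit on a given day needs at most 1,440 guesses, and one who only knows the week needs about 10,000; a 10-digit random PIN forces 10 billion. The lesson generalizes beyond PINs: any reset token, unlock code or session identifier derived from a timestamp, counter or other predictable value is guessable by anyone who can narrow down when it was issued, and the fix is always to draw it from a cryptographically secure random source rather than to obscure the derivation.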

Equifax advised people to sign up for their credit monitoring service TrustedID Premiere, but in doing so consumers agreed to terms of use with a mandatory arbitration clause. After public outcry that Equifax was forcing consumers to give up their right to sue, the company issued a press release explaining that the arbitration clause would not apply to claims arising from the security breach.

Congressional Hearings, Agency Investigations, and Proposed Legislation

The Equifax breach has captured the attention of local, state, and federal governments in the U.S. as well as UK and Canadian regulators.

Local Governments

The cities of San Francisco and Chicago have sued Equifax. San Francisco’s complaint alleges that Equifax violated California’s unlawful, unfair or fraudulent business practices law by (1) failing to implement and maintain reasonable security practices; (2) failing to provide timely notice of the breach; and (3) failing to provide clear and complete information. It seeks restitution for California consumers who purchased credit monitoring services from Equifax prior to the announcement of the breach, up to $2,500 for each violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures. Chicago’s complaint alleges violations of the Illinois Personal Information Privacy Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Chicago Consumer Fraud ordinance for (1) exposing personal information; (2) failing to provide timely notice of the breach; and (3) misleading consumers by representing its credit monitoring service as complimentary when it included a mandatory arbitration clause that barred users of the service from bringing future legal action against Equifax.

State Governments

State attorneys general have been active in responding to the breach. Maura Healey, the Attorney General of Massachusetts, brought an enforcement action against Equifax. The complaint alleges violations of Massachusetts consumer protection and data privacy laws. New York’s Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill would (1) require any business that holds sensitive data of New Yorkers to adopt reasonable administrative, technical, and physical safeguards; (2) expand the types of data that trigger reporting requirements to include username-and-password combinations, biometric data, and HIPAA-covered health data; and (3) provide safe harbor protection for companies that obtain independent certification that their data security measures meet the highest standards. The attorneys general of Connecticut, Illinois, Pennsylvania, and the District of Columbia sent a joint letter to Equifax notifying the company of their intent to investigate the breach; the letter was also signed by the attorneys general of dozens of other states.

Federal Government

The federal government is also conducting investigations. In a rare move by the Federal Trade Commission, Peter Kaplan, the agency's acting director of public affairs, confirmed that the agency is investigating the Equifax breach. The Consumer Financial Protection Bureau is also investigating the company, though recent reports indicate that the agency may be pulling back from its probe. The SEC and U.S. attorney’s office in Atlanta (where Equifax is headquartered) are investigating Equifax for insider trading related to the sale of stock by executives before the breach was announced to the public.

Congress has held several hearings to investigate events surrounding the breach and explore reforms to the credit reporting industry. Those hearings included:

Members of Congress have introduced bills in both the House and the Senate concerning the security and privacy of CRAs. These bills include:

Foreign Governments

Regulators in the United Kingdom and Canada are also investigating the Equifax breach. The UK Financial Conduct Authority has the power to fine the company and to withdraw the authorization that allows it to run credit checks in the UK. The UK privacy regulator, the Information Commissioner’s Office, and the Office of the Privacy Commissioner of Canada are also investigating Equifax.

Timeline

  • March 7, 2017- The Apache Software Foundation reported the vulnerability Apache Struts CVE-2017-5638 and released a patch.
  • March 8, 2017- Department of Homeland Security (US CERT) contacted Equifax, Experian, and TransUnion to notify them of Apache Struts CVE-2017-5638.
  • March 9, 2017- An internal email notification was sent to Equifax administrators directing them to patch the Apache vulnerability.
  • March 15, 2017- Equifax's information security department ran scans meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.
  • May 13, 2017- Hackers began to access personal identifying information.
  • July 29, 2017- Equifax discovered “suspicious network traffic” associated with its consumer dispute website. Its information security department applied the Apache patch.
  • July 30, 2017- Equifax’s information security department observed further suspicious activity and took the web application offline.
  • July 31, 2017- Equifax’s Chief Information Officer notified CEO Richard Smith of the suspicious activity.
  • August 1-2, 2017- Three senior Equifax executives sold stock worth almost $1.8 million.
  • August 2, 2017- Equifax hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach.
  • September 7, 2017- Equifax announced the security breach to the public on Twitter.
  • September 11, 2017- Twenty U.S. Senators wrote Equifax a letter asking the company to clarify its position on the Consumer Financial Protection Bureau’s rule limiting use of forced arbitration clauses. Equifax had previously lobbied for the rule’s repeal.
  • September 13, 2017- Senator Mark Warner (D-VA) wrote a letter to FTC Acting Chairwoman Maureen Ohlhausen asking her to open an investigation into the breach.
  • September 14, 2017- Representative Lamar Smith and Representative Trey Gowdy sent the Equifax CEO a letter notifying him that the House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology were conducting an investigation into the breach and requesting relevant business records.
  • September 15, 2017- Two Equifax executives resigned.
  • September 15, 2017- Equifax issued a press release confirming that the vulnerability was Apache Struts CVE-2017-5638.
  • September 18, 2017- New York Governor Andrew Cuomo announced proposal to apply the state’s banking regulations to credit reporting agencies.
  • September 26, 2017- Equifax CEO Richard Smith retired and the Board of Directors appointed Paulino do Rego Barros Jr. as Interim CEO.
  • September 27, 2017- Interim CEO Paulino do Rego Barros Jr. published a public apology on behalf of Equifax and announced a new free service allowing people to lock and unlock their credit.
  • October 3, 2017- IRS awarded multimillion-dollar fraud-prevention contract to Equifax.
  • October 12, 2017- IRS temporarily suspended its contract with Equifax.
  • October 12, 2017- Security researchers discovered that Equifax’s website was serving false Adobe Flash download links that tricked users into downloading malware that displays unwanted ads.
  • January 31, 2018- Equifax launches its free “Lock & Alert” product to help consumers better control access to their credit report.
  • February 2018- Sen. Elizabeth Warren (D-MA) released a report detailing the findings of her office’s investigation of the breach.
  • March 1, 2018- Equifax announced that an additional 2.4 million U.S. consumers had their names and partial driver’s license information stolen, bringing the total to about 148 million people impacted by the breach.
  • March 14, 2018- Senate passes the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) 67-31. The bill would give consumers free credit freezes but would also preempt states from passing stronger laws.
  • March 28, 2018- Equifax names Mark Begor as CEO.

Proposed Reforms

In the wake of the Equifax breach, immediate action should be taken not only to reform the credit reporting industry but also to address the broader problem of secret profiling and mishandling of consumers’ personal data. It is time to change the defaults and to put consumers back in control of both their credit reports and their personal information. Consumers must have free and easy access to their credit information, and control over when and how that information is disclosed. Companies collecting consumers’ personal data must establish effective safeguards, including requirements for prompt disclosure of any data breach. Congress should end the use of the social security number as a general-purpose identifier. And Congress should promote the use of innovative technology to minimize the collection of personal data.

Reform the industry by giving consumers control over their credit reports

First, CRAs should offer free credit “freezes” and “thaws,” changing the default for report disclosure to opt-in. Credit reporting agencies should change the default on access to credit reports by third parties. Instead of the current setting, which allows virtually anyone to pull someone’s credit report, credit reporting agencies should establish a credit freeze for all disclosures, with free and easy access for consumers who wish to disclose their report for a specific purpose.

Second, CRAs should provide free monitoring and easy access to credit history. Current laws allow consumers access to free credit reports, but the process is cumbersome, and few consumers take advantage. A rationalized market would help ensure that consumers have as much information as possible about the use of their personal data by others. Instead, Equifax and other credit reporting agencies profit from the very problems they create.

Third, Congress should require mandatory disclosure of secret scores and algorithms used by CRAs. Algorithmic transparency is key to accountability. Absent rules requiring the disclosure of these secret scores, lists, and the underlying data and algorithms upon which they are based, consumers will have no way to even know, let alone solve, these problems.

Improve Breach Notification

First, Congress should set national, baseline data breach notification standards to limit the damage caused by data breaches. The federal standard should require immediate and efficient notification of impacted consumers, regulators, and the public. Companies are increasingly interacting with consumers on social media and via automated text and e-mail messages, so it is reasonable to expect that companies can notify consumers within 48-72 hours of a breach.

Second, Congress should mandate reasonable data security measures. Prompt breach notification is reactive: it ensures that consumers and regulators can quickly deal with a data breach after it happens, but it does nothing to prevent the breach. Preventive security requirements are needed alongside it.

Third, consumers affected by data breaches should have a private right of action. Companies often require consumers to agree to contracts with arbitration clauses that block consumers from bringing lawsuits. Credit reporting agencies and other financial institutions should be prohibited from using these arbitration agreements to block consumer actions for breach, improper disclosure, or misuse of their personal data. And a breach of personal data should be sufficient harm to provide a cause of action. 

Fourth, the existing data security requirements for consumer-facing financial institutions under the Gramm-Leach-Bliley Act should extend to credit reporting agencies and other companies that sell consumer profiles. The Act already provides for oversight of financial institutions’ privacy practices by seven regulatory agencies, but the current regime fails to address credit reporting agencies. Specifically, although the Dodd-Frank Act transferred authority over certain privacy provisions to the CFPB, the law did not transfer regulatory authority to establish data security guidelines. As it stands, the CFPB can only bring enforcement actions based on a company’s affirmative misrepresentations about its data security practices. Given that credit reporting agencies hold more sensitive personal data than many other financial institutions combined, it makes little sense for those companies to be exempt from the rules.

Limit the Use of Social Security Numbers by Private Companies

Congress should prohibit the use of the social security number in the private sector without explicit legal authorization. Social security numbers were never meant to be used as an all-purpose identifier.

Promote innovative technology to minimize the collection of personal data

There are already initiatives to improve privacy protections in the field of data science, and these efforts could be adopted and further developed by the companies responsible for protecting consumer data. For example, there have been significant advancements in “differential privacy” algorithms and secure methods of two-factor authentication. These are the techniques that Equifax and other credit reporting agencies should invest in to limit harm to consumers going forward.

Enact baseline privacy legislation and establish a Data Protection Agency

The United States has fallen behind many other countries that are seeking to ensure that the rapid adoption of new technologies does not leave them vulnerable to data breach, identity theft, and cyber attack. A good starting point would be to enact the Consumer Privacy Bill of Rights, baseline privacy legislation that would put the responsibilities on companies that collect and use personal data to protect the information they choose to collect. The Consumer Privacy Bill of Rights follows the structure of many privacy laws in the United States and elsewhere. That means it could both harmonize and simplify compliance, and the CPBR could help resolve pending trade disputes with Europe and others about the protections for transborder data flows.

The United States should also establish a Data Protection Agency, as has virtually every other advanced economy facing the challenges of the digital age. The current agencies in the United States tasked with protecting consumers and citizens lack the authority, and even the personnel, to do what needs to be done.

Resources

FOIA

  • FOIA Request: Mick Mulvaney’s emails concerning the termination of the CFPB’s Equifax investigation (Feb. 9, 2018)
  • Production (Mar. 22, 2018)
