There’s More than Meets the Eye with the 2017 Equifax Data Breach
There has been a lot going on, so here is your 2017 Equifax data breach update. Note: this blog post has been updated in 2019 to account for new information about the 2017 Equifax data breach.
As you have undoubtedly heard, during the first week in September of 2017, credit reporting agency Equifax reported a data breach which compromised the data of some 143 million Americans. Furthermore, a good 209,000 Americans also had their credit card numbers stolen. The breach affected residents in the UK and Canada as well.
It took a while to get the international numbers. But the Toronto Globe and Mail reports that Equifax Canada says there are a good 100,000 Canadian citizens who are also affected. The Globe and Mail also notes that the Canadian privacy watchdog is investigating the breach. And they are not alone.
In 2019, the Canadian government required Equifax to submit to ongoing third-party audits of its security operations. Daniel Therrien, the Canadian Privacy Commissioner, said “Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices.”
Golden Parachutes Deploy at Equifax
On September 15, Business Insider reported that two of the executives at Equifax had retired. They are the company’s Chief Security Officer, Susan Mauldin, and its Chief Information Officer, David Webb. Interestingly enough, while the retirements were of the people who were most likely closest to the breach and should have known about it (and reported it far earlier), neither of them was among the three executives who dumped more than one million dollars in Equifax stock a few days after the discovery of the breach.
And then on September 26th, the New York Times reported that the Equifax CEO, Richard Smith, would retire. He has been replaced, albeit only on a temporary basis, by Paulino do Rego Barros Jr, the head of the company’s Asia-Pacific region. Equifax is now conducting a search for a replacement CEO, as many potential candidates were considered tainted by the scandal. This included Joseph Loughran, Equifax’s president of United States information solutions, one of the people who dumped their stocks.
Furthermore, the Board of Directors took the rare step of saying they could retroactively reclassify Smith as having been fired for cause. Currently, Smith receives over $18 million in pension benefits and he holds $20.8 million in stock awards, plus $23.6 million in Equifax stock. These are the perks of being a part of a large company’s C-suite. A firing for cause would likely mean he would be forced to repay or forgo some of that compensation.
If Smith is on the receiving end of a lawsuit and loses, then the Board may very well change its records and say they fired him for cause. And speaking of Equifax lawsuits …
The 2017 Equifax Data Breach: Legal Matters
On September 12th, Senators Orrin Hatch (the Finance Committee Chair) and Ron Wyden (the ranking Democrat on that committee) wrote to Equifax demanding answers, including a detailed timeline of the breach, its discovery, and the stock dumps, according to UPI.
On September 13th, Senator Mark Warner asked for the Federal Trade Commission to start investigating the hack. Warner’s open letter was to the Acting Chairman of the FTC, Maureen Ohlhausen. He noted that the Fair Credit Reporting Act requires all credit reporting bureaus (such as Experian, Dun & Bradstreet, and TransUnion) to zealously protect consumer confidentiality and privacy. Warner said the scope of the breach, along with the sensitivity of the stolen data, raised ‘serious questions’ about whether Equifax had been living up to its obligations under the FCRA.
And then on October 3, 2017, there was a hearing in front of the US Senate. Smith laid the blame on a single employee who failed to upload and install a security patch. During that hearing, Senator Elizabeth Warren said, “At best you are incompetent; at worst you were complicit. Either way, you should be fired.” But Equifax evidently didn’t agree, and let Smith grab his golden parachute as he bailed.
Warren also said, “Equifax is making money—millions of dollars—off its own screw-up.”
None of this should make anyone feel comfortable about the upshot of the 2017 Equifax data breach.
On September 19th, Massachusetts Attorney General Maura Healey filed the first enforcement action. The Attorney General’s Consumer Protection Division is handling the matter. They allege:
- The company knew or should have known about the vulnerabilities on its website for months.
- A fix was available and they did not use it.
- The company did not provide timely notice to the AG’s Office or consumers. This is because they knew about the breach on or about July 29, 2017, but did not report it until September 7, 2017.
Small Businesses (Georgia Federal Court)
On September 20th, Info Security reported that small businesses, using the services of the Doss Firm of Marietta, Georgia, have sued in a class action. The complaint was filed in the US District Court for the North District of the Atlanta division. The name of that case is O’Dell Properties, LLC, O’Dell & O’Neal, P.C., Jellie Donuts, LLC, et al. v. Equifax, Inc. Attorney Jason Doss noted that it was a kind of double whammy for small business owners. Not only are their personal and business credit accounts potentially breached, thereby affecting their ability to get credit cards, they are also likely to be affected when trying to get loans, including from the SBA.
The suit seeks legal fees plus damages for time spent monitoring financial accounts for any signs of identity theft or other criminal issues. But don’t expect a big payout from class action suits. Bloomberg estimates perhaps a $200 million payout when all is said and done. This would provide consumers with the minuscule comfort of a $1 reward for their damages. The O’Dell Properties case won’t go away any time soon.
The 2017 Equifax Data Breach: 2018 GAO Report
A year after the 2017 Equifax data breach, the United States General Accounting Office released a report. The report essentially pointed out that not too much had changed. The report outlined a ton of errors. These included a lack of internal controls and security reviews. And they also included the failure to use well-known security best practices.
In 2017, it seemed that consumers and Congress would force changes. Yet in the 2018 report, the GAO noted there had been very few changes made. While Equifax’s stock took an initial hit, it has largely recovered. And the company continues to get huge government contracts. So that raises the question of when – not if – something similar happens again.
Furthermore, the GAO noted attackers made some 9,000 queries on a single Internet-facing web server before the discovery of the 2017 Equifax data breach. These queries were not detected because the network data inspection system on that server was out of date. And, even worse, this system had failed to work for 10 months before workers noticed.
The 2017 Equifax Data Breach: 2019 Update
According to the Information Security Media Group, the 2017 Equifax data breach cost some $1.4 billion. These costs include legal fees, plus ongoing investigations. Many of these issues led to a first quarter 2019 earnings loss of $555.9 million. And those costs are far from being done. The company’s first quarter 2019 results also included $690 million spent on legal fees and ongoing investigations.
The 2017 Equifax Data Breach: How All of This Affects You
As you might imagine, unless you are a named plaintiff in the class action suit, you are probably not going to see a lot of cash no matter how the case goes. However, there are going to be Congressional hearings. Smith already appeared in front of the Senate Banking Committee on October 4th. It should make for interesting television if nothing else.
Will there also be an investigation and a civil or criminal case for insider trading? We don’t know that yet. Stay tuned, as there is undoubtedly more to come as the Senate and lawyers start to turn over rocks to expose what’s underneath.
The 2017 Equifax Data Breach: Takeaways
Data breaches are pretty much everywhere these days. It is hard to find a major corporation which has not experienced at least one. So cut Equifax some slack there.
But only there.
Otherwise, their behavior has been, and continues to be, appalling. For a company with a net worth in the billions, failing to hire enough of the right people to oversee security was just plain unconscionable. This is not to mention how Smith vehemently threw one employee under the bus while happily accepting what must have been a lucrative retirement package.
For consumers, merchants, and entrepreneurs – not to mention people who wear all three hats – credit monitoring is essential. This is the case whether it’s business credit monitoring or consumer credit monitoring.
And keep track of your Equifax business credit reports. That way, you’ll be better able to handle any future issues that come along. And if Equifax has done as little to change as the GAO says, then that will likely be sooner rather than later.
On February 10, 2020, the Boston Globe reported that Attorney General William Barr and the United States Justice Department were charging four members of China’s military on suspicion of the 2017 hack into Equifax. The Attorney General noted there have been any number of data thefts by the Chinese military in recent years. These thefts have been of sensitive information such as identifying American intelligence officers. Equifax’s financial data could be used to find out if any intelligence officers have money issues – and would thereby be subject to bribery or blackmail. Stay tuned as we continue to follow this story.