Equifax Inc. (EFX) announced on Sept. 7, 2017 that 143 million of its customers were affected by a hack that occurred between mid-May and July. That figure was bumped to 145.5 million over the following weeks, then to 147.9 million on Mar. 1, 2018, when the company said it had identified 2.4 million additional victims.
After market close the same day, the company reported fourth-quarter and full-year financial results. The company's fourth-quarter revenues rose 5% year-over-year to $838.5 million. Net income in the quarter rose 40% year-over-year to $172.3 million. Full-year revenues and profits also rose compared to 2016: revenues were up 7% to $3.4 billion, while net income increased 20% to $587.3 million. The company said the hack had cost it $26.5 million in the fourth quarter and $114.0 million in the full year, net of insurance payouts. The stock, which closed down 1.3% in line with the S&P 500, is up 0.6% in after-hours trading at the time of writing.
As many as 209,000 customers' credit card numbers were exposed, according to Equifax, and dispute documents related to 182,000 U.S. consumers – which include personal information – were compromised. British consumers were also have been affected by the breach; it is possible that some Canadians were compromised. According to The Wall Street Journal, citing an unnamed source, 10.9 million Americans' drivers license data was stolen in the breach.
The company had known about the attack since July 29, but waited over a month to alert the public. On Sept. 20 it was reported that Mandiant, the FireEye Inc. (FEYE) subsidiary contracted by Equifax, estimates the breach to date back to at least March 10.
There is little information regarding the source of the attack, which is being investigated by the FBI, but according to Bloomberg, similarities to earlier attacks on the Office of Personnel Management and Anthem Inc. suggest the attacker could be state-sponsored, perhaps Chinese. That Equifax customers' information has not shown up on the black market also suggests the hackers were not simply criminals. Bloomberg also reports that the attackers targeted specific individuals, perhaps because of their wealth or intelligence value.
Given that the adult population of the U.S. is around 250 million, chances are good that you were affected by the breach. It is also possible that you have already been a victim of fraud, since the attack began nearly six months ago.
Atlanta-based Equifax, one of the big three consumer credit reporting agencies – the other two are Experian PLC (London: EXPN) and TransUnion (TRU) – collects data including Social Security numbers, credit card numbers, drivers license numbers, rent and utility payment information, and demographic data. Because Equifax's model is primarily business-to-business, many of its customers are unaware that their data is stored by the firm. Aside from avoiding the financial and credit system altogether, there is no straightforward way to opt out of having personal data stored by Equifax.
How to Check If You Were Affected
Equifax has set up a site where you can check if your information was compromised by giving your last name and the last six digits of your Social Security number. This site has been the subject of intense criticism, and we've removed the link due to questions regarding its security. It was set up using WordPress, an off-the-shelf blogging platform. It is housed at a separate domain to Equifax's main site. The company neglected to register similar URLs, which could be used for phishing attacks; one white hat hacker set up just such a site to prove a point, and an official Equifax account tweeted out the link to the fake site. More than once.
Equifax offered customers – affected or not – the following services, which it calls TrustedID Premier: copies of an Equifax credit report, credit monitoring and automated alerts for all three major credit bureaus, the ability to block third-party access to your Equifax credit report (with exceptions), Social Security number monitoring, and $1 million in identity theft insurance. The deadline to apply was Nov. 21, 2017.
The company says these services are all complimentary, but placing a security freeze on a credit file was not initially free – at least not for everyone. When I tried to freeze an Equifax credit file on Sept. 8, the company's site said the service would cost $3.00 and asked for credit card information to process the payment.
A screen grab from www.freeze.equifax.com (Sept. 8, 2017 at 11:46 a.m. EDT).
As a New York resident, I was able to place a freeze on my Experian file for free. TransUnion's site was unable to process the request initially – likely a symptom of increased traffic – but later allowed me to place a freeze free of charge.
In an emailed statement, an Equifax spokesperson told Investopedia on Sept. 14 that the firm is waiving all charges to freeze credit files and is automatically refunding customers who paid to do so after the hack was made public. A new concern – and clear lapse in security – has now arisen around the PINs the company issued to customers who had frozen their credit reports. These PINs, which allow customers to unfreeze credit reports, follow an easily identifiable pattern. The spokesperson said that customers with these faulty PINs must call 866-349-5191 to speak to a live agent.
If you got a PIN after reporting the hack, yours may be one of the faulty ones. Having it fixed is not easy. Twelve calls to the line on the morning of Sept. 15 yielded eight busy signals and four instances of total silence.
The TrustedID Premier services Equifax lists as complimentary are only free for a year. An Equifax spokesperson told Investopedia that the company is not asking for credit card information when customers sign up for the service and that the company will not automatically renew it or charge a fee. Equifax's standard rate for credit monitoring is $17 per month.
What to Do If You Were Affected
Liz Weston, a personal finance writer at NerdWallet, has the following advice for those affected by the Equifax breach, which she shared with Investopedia in an email: "Equifax will reach out to the victims and offer them credit monitoring. Victims should make sure that agreeing to the monitoring doesn't prevent them from joining in lawsuits or other actions down the road."
Initially, TrustedID Premier's terms of service page (archived version) did in fact require users to waive their right to join a class action suit against Equifax: "By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed." Following a backlash, the company's FAQ page was updated to say that the clause applied to the TrustedID Premier service, not the hack. As of the morning of Sept. 12, the terms of service no longer include an arbitration clause.
Weston says that affected customers should consider freezing their credit reports at all three major bureaus. As mentioned above, credit bureaus may charge fees for initiating that freeze. You may also be charged for unfreezing accounts when you need a credit check (to apply for cellphone service, for example). These fees are generally less than $10, but they can add up. Weston notes that another option is to place a fraud alert on your credit reports at the three credit bureaus.
Equifax's then-chair and CEO, Richard Smith, said after the hack that it was "clearly a disappointing incident for our company, and one that strikes at the heart of who we are and what we do." He stepped down on Sept. 26 and will not receive a bonus for 2017. His departure followed those of chief security officer Susan Mauldin and chief information officer David Webb on Sept. 14.
A few days after the company uncovered the hack internally – and before the breach was revealed to the public – Equifax's chief financial officer John Gamble, its president of workforce solutions Rodolfo Ploder, and its president of U.S. information solutions Joseph Loughran sold their Equifax shares. Equifax said in a statement that the executives did not know about the breach when they sold their stock. Gamble, Ploder and Loughran collectively earned nearly $1.8 million from the sales.
As of Feb. 28, Equifax's stock has fallen 20.1% from its close on Sept. 7 (before the hack was announced) to $113.00. After several delays, Equifax says it will report fourth-quarter earnings after close on Mar. 1.
Let the Lawsuits Begin
Reuters reported on Sept. 11 that more than 30 lawsuits – many of them seeking class action – have been filed against Equifax in U.S. courts. Several allege violations of securities law; others accuse TrustedID of pitching costly services to customers who were affected by the data breach. Five Utah residents have sued the company in U.S. District Court for failure to protect customers' sensitive data. The suit seeks monetary damages of $5 billion and the imposition of stricter industry standards.
A few affected customers are taking a less traditional route in seeking recourse from Equifax. The DoNotPay chatbot provides assistance in filing a complaint in state small claims courts, where maximum penalties range from $2,500 to $25,000. The bot can only generate paperwork for a lawsuit, not actually file it or appear in court, according to the Verge.
The FBI and Atlanta-based U.S. Attorney John Horn announced a criminal investigation into the breach on Sept. 18. The Consumer Financial Protection Bureau and 34 state attorneys general are conducting inquiries.
Mr. Smith Goes to Washington
On Oct. 3 former CEO Richard Smith testified before the House Digital Commerce and Consumer Protection subcommittee. He apologized multiple times for Equifax's failure to protect consumer data and faced questions about a range of issues related to the breach and Equifax's response. The company's stock rose following the testimony, but remained well below the levels it traded at before the hack was disclosed.
In response to questions regarding the controversial arbitration clause that was initially included in TrustedID Premier's terms of service, Smith said the "boilerplate" clause was never intended to apply to the breach and called its inclusion a "mistake." He would not say the same of similar clauses governing other Equifax services, which he called "standard."
Suspiciously timed executive stock sales also came under scrutiny: Rep. Jan Schakowsky, an Illinois Democrat, said the selling "doesn't pass the smell test," but Smith averred, "to the best of my knowledge, they did not know" about the breach at the time.
Smith described the breach as the result of human error and a technological failing: the person in charge of making sure to patch the Apache Struts software – which had a publicly known vulnerability the attackers exploited – failed to do so, and a scanner that would have alerted the company of that error also failed.
The company's flailing response to the crisis also came in for criticism: setting up a WordPress site with a suspicious URL, failing to secure similar domains (and even directing customers to one of those domains), failing to adequately staff call centers, and generally creating the impression that the company – which exists to collect, secure and sell sensitive data – was totally unprepared for a cyberattack on its databases. Rep. Markwayne Mullin, an Oklahoma Republican, told Smith his response should have been like pulling a fire alarm: "it immediately goes into place." Smith responded that his team "followed protocol." Several representatives mentioned that Smith gave a speech describing fraud as a "huge opportunity" and a "massive, growing business" in August – after he knew about the breach.
Smith declined to answer questions about the source of the attack, including whether it might be a state actor. He said simply that the FBI is conducting an investigation. He defended Equifax's investments in cybersecurity during his tenure, saying that when he arrived twelve years ago, there was practically no investment in data protection. The company spent a quarter billion dollars and hired a 225-person team to secure the company's data, Smith said, investing the industry-standard 10-14% of the company's IT budget in cybersecurity.
Some Representatives indicated the breach has opened up fundamental questions about the role of the credit-monitoring industry and consumers' rights. "What if I want to opt our of Equifax?" Schakowski asked. Smith answered, "that requires a much broader discussion around the role of credit reporting agencies." Rep. Tonko, a New York Democrat, echoed the sentiment, pointing out that he is not really a "customer," having never chosen to do business with Equifax. "Why is this company allowed to continue to exist?" he asked. At various points, Smith questioned the value of Social Security numbers as a way to prove identity and made vague references to giving "power back to the consumer."
The biggest question of the day came from California Democrat Doris Matsui: "Do I own my data?" Smith could not answer.