The Equifax hack, 1 year later: What have we lost? What cost has Equifax paid?
I'm not really one for anniversary stories -- they tend to be pretty artificial news hooks. But one year after what many think is the most significant hack of U.S. consumer data in history, it's certainly worth taking stock of what's happened since.
For starters, Equifax has increased the number of victims from 143 million to 148 million. The firm has introduced tools that make it easier to "lock" your credit report, and the other credit bureaus have matched that step. It's still not the free "freeze" that most consumer advocates would prefer, but it's something. A new federal law will make freezes free by the end of this month (the Economic Growth, Regulatory Relief and Consumer Protection Act is packed with other provisions that worry those who favored financial reform, but free freezes are good). Equifax CEO Richard Smith resigned, then for some reason was sent to take the bullets during Congressional hearings about the incident. A few other officials resigned.
That's about the most generous list of positives I could generate. As you might imagine, the negatives are a bit longer. They begin with the shocking news that the Consumer Financial Protection Bureau has pulled back from its investigation into Equifax. It's believed that the Federal Trade Commission is continuing its investigation, but there's a big difference between the punishment the two agencies can dole out. Reuters put it this way: "The last time the FTC penalized a major credit bureau was in 2012, a $393,000 settlement with Equifax. In contrast, the CFPB fined credit bureaus more than $25 million just last year for over-marketing its monitoring services, which generated monthly fees."
Fortunately, 48 state attorneys general are continuing their investigation into the firm.
Equifax, for its part, bungled much of the hack announcement and its aftermath. From creation of a domain that looked to all the world like a scam -- EquifaxSecurity2017.com -- to including a clause that appeared to force users to waive their rights to sue the company, to not having nearly enough staff ready to handle the crush of contacts, Equifax made a big mess messier.
TransUnion jumped on the messy train, too, using the incident to trick some consumers into buying a service they didn't need.
The Public Interest Research Group has generated a laundry list of missteps by Equifax here:
● Delaying public notification for at least six weeks
● Setting up an online search tool that provided faulty results to those who used it about whether they were affected by the breach
● Initially understaffing its call center
● Initially including arbitration language that forced consumers to sign away their rights to a day in court
● Directing consumers to a fake website
● Failing to provide consumers full protection from new account identity theft -- which it still hasn't done.
What should you do? I'm betting you have gone on with your life, a bit more vulnerable to identity theft than you were before. When the freeze law takes effect, I'll have more on that. In the meantime, if you want a review of what you should know and what you should do, here's my Equifax FAQ from last year.
https://bobsullivan.net/cybercrime/the-equifax-faq-youve-got-questions-i-try-to-give-you-answers/