Equifax is doing an effective job at sneaking in and flying ’’below the radar” with regards to hacking news these days. While the US, and some of the world, is consumed with the Trump-Russia saga, or the ’’dueling memos” relating to the probe emanating from Congress, the company snuck in a bombshell. As if the loss of 143 million folk’s personal information wasn’t bad enough.
Last year’s breach was way bigger than disclosed - even after adding a damage assessment later. Equifax seems to have mastered the game of deny, delay and let the dust settle so that, one day, no one will care anymore. Equifax may have underestimated regulators and consumers stamina for the chickens have come home to roost in the latest disclosure from the firm to Senator Elizabeth Warren’s (D-Mass) probe.
Involved in similar travails, companies are usually transparent, empathetic, and take immediate action to protect consumers. Not Equifax - not in the aftermath, or immediately upon learning of the breach. Not only was it remiss in coming up with a viable crisis communication strategy, the company apparently turned a blind-eye as three of its executives dumped shares before the hack was made public a month later.
The data-compromise exposed more consumers’ personal information than the company first disclosed last year, according to information it just released to Congress. You may recall that it totally bungled the release of data initially. It is especially mind-boggling that a data company - personal data at that - could mishandle that which is its bread and butter, i.e. data!
Warren released a report on Wednesday that described the hack as “one of the largest and most significant data security lapses in history.” Her office is always hot to champion consumer causes.
When Equifax finally 'fessed up to the damage, it told the public that the stolen data “includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers,” as well as some credit card information for about 200,000 people, according to the company’s own website. Now we’re learning that the breach was deeper and more pervasive than originally disclosed.
We are now advised that the credit card information was so detailed that it even included expiry dates and CV2 numbers ( the three-digit security number on the back.) Also, the most recent disclosure included tax identification numbers, email addresses, phone numbers, and issuing information regarding driver’s licenses. Incidentally, consumers have yet to be made aware of this latest trove of information directly. It had only come to light in a report made to Senator Warren whose office conducted an investigation into Equifax's missteps.
Equifax’s letter to Warren’s office also divulged that Canadian citizens' information was compromised, including Social Insurance Numbers. Among other items of interest to the hackers was passport information, but Equifax assured Warren that no passport numbers were stolen. It is, however hard to believe them after the initial chicanery, the cover-up, and subsequent foot-dragging.
The company has issued many mea culpas, and claims to have taken appropriate steps to see that this never happens again as it continues to deal with multiple regulatory investigations into the matter, as well as hundreds of consumer lawsuits. Equifax has replaced its CEO, and spent millions to rectify the breach and prevent a recurrence. One such step, launched in January, allows consumers to lock and unlock their credit report.
Equifax executives were duplicitous enough to sell their shares of its stock before the damaging news became public, and, indeed, tried to bury the news long enough to enrich themselves. Who’s to say that the recent revelation over the size and scope of the breach six-months later isn't also to fool the public, regulators, and lawmakers? As for its steps to recover from the breach - are they sufficient and comprehensive enough?
The onus should be squarely on companies to be more forthcoming - especially where public privacy is concerned. Oversight must be stronger and the penalties should have more teeth. This event could have and should have been a catalyst for broad Congressional action to protect consumers. Too bad, for the swamp that is Washington is too busy tilting at other windmills these days.