Equifax, one of three of the world’s largest credit reporting agencies, has now admitted to having been hit by a second cyberattack by the same hackers, as reported by Bloomberg. This one, however, happened five months earlier than the previously reported one.
Urgent though the occurrence of a cyberattack may be, it still raises the question: why are Equifax consumers learning about this incident six months later, especially when the total number of people affected, approximately 143 million according to Equifax, is close to half the population of the U.S.?
For those unfamiliar with what Equifax does, the company collects vital information on 820 million people worldwide. For example, if someone needs a background check for a new job or a new home, the person or business requesting that check relies on a company like Equifax to obtain the sensitive information. The information that was stolen in late July, according to Bloomberg and Equifax, included Social Security numbers, birth dates, driver’s license numbers, addresses, and even credit card numbers. In the wrong hands, this information is more than enough to put any of the reported 143 million people at risk of identity theft.
As to why there was a delay in reporting the security breach to its consumers, Equifax replied, “As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”
When the first incident was reported, many of those wishing to protect their information were prompted on the Equifax security breach website to sign up for a free year of credit monitoring service. As reported by The Washington Post, word spread around social media after a problematic clause was discovered buried in the terms for enrollment: “AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.”
The Hill reported the day after the first breach was announced that Equifax changed the wording on their terms of service so that consumers wanting to use their credit monitoring service would not also be waiving their right to file a class action lawsuit. This change happened amid pressure from both the public and government, with New York Attorney General Eric Schneiderman (D) tweeting earlier that same day, “This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it.”
Besides the criticism over this hidden language, Equifax’s offer of free credit monitoring service was ultimately insufficient, considering that the information would be protected for only a year despite remaining vulnerable to attacks for a lifetime.
Bloomberg also reported that three senior Equifax executives sold $1.8 million in shares only days after the incident was detected. According to a statement by Equifax, the three executives had not yet been made aware of the incident at the time.
Equifax stock has dropped 34 percent since the announcement of the breach, according to CNN.