Massive Equifax Data Breach Prompts Outrage, Investigations, Bills to Ban Credit Freeze Fees

September 16, 2017 – Equifax is scrambling to contain the fallout from the disclosure that a massive data breach compromised the sensitive personal data of as many as 143 million consumers, leaving them at risk of identity theft.

In the days since Equifax announced the hack, outraged consumers reported struggling to determine whether they’d been affected and having trouble accessing fraud protection services Equifax offered. Equifax is facing inquiries from lawmakers, the Federal Trade Commission and state attorneys general, including Illinois’ Lisa Madigan, along with multiple lawsuits seeking class-action status.

As of Friday, the company’s stock price had plummeted 35 percent since Sept. 7.

The breach has already prompted proposed legislation that would let consumers freeze their credit for free. Fees vary by state, and cost $10 in Illinois.

One bill, introduced in the U.S. Senate Friday by Sens. Elizabeth Warren, D-Mass., and Brian Schatz, D-Hawaii, would also require all credit agencies to refund fees charged for credit freezes in the wake of Equifax’s breach. The bill was co-sponsored by Sen. Dick Durbin, D-Ill. In the Illinois legislature, Rep. Greg Harris, D-Chicago, on Tuesday introduced a similar measure banning freeze fees.

Additional information Equifax has provided appeared to do little to stem the backlash.

Equifax publicly disclosed the data breach Sept. 7, saying hackers accessed data including Social Security numbers, birth dates, addresses and, for another 209,000 consumers, credit card numbers. According to Equifax, that announcement came nearly six weeks after it had discovered the breach, which took place between mid-May and July.

The company said it acted immediately to stop the hack, hired a cybersecurity firm to review the scope of the breach and data affected and “took appropriate steps” to begin notifying consumers as soon as it had enough information.

But Equifax’s explanation of the specific vulnerability hackers used to access the sensitive data suggests the breach could have been prevented. The Apache Software Foundation, which oversees the software Equifax used, issued a patch correcting the flaw in March and said the breach “was due to their failure to install the security updates provided in a timely manner.”

Since Equifax’s announcement, several state attorneys general have launched investigations into the breach, and Massachusetts Attorney General Maura Healey said Tuesday the state intends to file a lawsuit alleging Equifax failed to maintain appropriate safeguards protecting consumers’ personal information.

Madigan said the Equifax hack was more concerning than other recent data breaches because of the scope — it potentially affects about half of all Americans, and 5.4 million Illinoisans — and the type of personal information exposed.

Several consumer lawsuits seeking class-action status have also been filed, including three in the U.S. District Court in Chicago. The most recent, filed Thursday by three Cook County residents, alleges Equifax did not take reasonable precautions to protect consumers’ data and failed to give them timely warning of the breach, preventing them from addressing potential fraud.

In the meantime, customers said they struggled to get answers and assistance from Equifax.

Equifax set up a website, www.equifaxsecurity2017.com, where customers could determine whether their data were potentially exposed.

But its website and call center struggled to handle the flood of inquiries. The day after it announced the breach, Equifax said it was “ramping up” its website and call center team, which had tripled in size.

Chicago-based credit reporting bureau TransUnion also scrambled to cope with the deluge of inquiries. The company kept call centers open over the weekend and brought in an outside contractor to help, but still struggled to keep up, TransUnion Chief Financial Officer Todd Cello told analysts earlier this week.

Many consumers also weren’t satisfied with the remedy Equifax initially offered — a year of free identity theft protection and credit file monitoring. Equifax had to clarify that enrolling in the service did not require consumers to waive certain legal rights, as the program’s terms of use required at the time, nor would it automatically bill consumers when their free year was up.

Experts encouraged consumers to consider a more aggressive step: placing a credit freeze, which bars credit bureaus from releasing their credit reports, preventing identity thieves from opening lines of credit.

So many sought to freeze their credit that Equifax said it was still experiencing technical difficulties tied to the number of requests a week after announcing the hack, despite the fact that it initially charged a fee for the service.

The company later agreed to drop the fee through Nov. 21 and issue refunds to customers who had already paid. But consumers still need to pay fees, which vary by state, at the other major credit bureaus, and could end up paying again if they need to unfreeze credit before making a big purchase, opening a new credit card or seeking a loan.

Reports that three Equifax executives sold nearly $1.8 million in corporate stock shortly after the company learned of the breach — but before it notified the public — sparked another backlash.

Equifax said the executives weren’t aware of the hack when they made the sales, and they still own thousands of the company’s shares.

But 37 senators signed letters sent to the Securities and Exchange Commission, Department of Justice and Federal Trade Commission asking the agencies to investigate whether the stock sales violated insider trading laws.

By Lauren Zumbach, Chicago Tribune