There's no delicate way to announce that cybercriminals have stolen sensitive information about half of the United States population, but Equifax at least deserves points for trying.
Equifax, one of “big three” agencies that control the shadowy credit reporting industry, first announced its discovery of an unfortunate “cyber security incident” in early September.
The incident potentially impacted 143 million consumers, then-chairman and CEO Richard Smith said, adding that the firm “acted immediately to stop the intrusion.” An Equifax-led investigation into the matter would be complete in several weeks, the company said.
That turned out to be an extremely optimistic assessment. Another eight months passed until, finally, in a May 8 filing to the SEC, Equifax quietly said its investigation into the breach was complete, at least where the hack of government-issued identification is concerned.
“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators,” the credit reporting behemoth wrote in the filings. “It does not anticipate identifying further impacted consumers.”
The filing, Equifax seems to hope, will finally bring this dark chapter in its history to a close. Over those previous eight months, the Equifax breach evolved from a “clearly disappointing event” that Equifax said would soon be resolved to an ongoing international scandal and criminal case.
From a small sale to insider trading
Though Equifax said it “acted immediately” upon discovering that consumer information was accessed on July 29 of last year, some people questioned why the official announcement about the incident did not arrive until September 7.
It didn’t take much digging for financial journalists to find a potential answer. Later that day, Bloomberg News was reporting on its discovery that three Equifax executives sold $1.8 million worth of their shares in the company on August 1, one day after Equifax had said the breach was discovered.
John Gamble, the company’s Chief Financial Officer, sold a reported $946,374 worth of stock. Joseph Loughran, the president of U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, sold a respective half a million and quarter million worth of options.
In a statement to Bloomberg, an Equifax spokesperson initially described the $1.8 million sale as “a small percentage of their Equifax shares” and added that the executives “had no knowledge that an intrusion had occurred at the time.”
By November, Equifax had backtracked slightly, saying that it had agreed to launch an investigation into the sale. Luckily for the executives, the Equifax-led investigation found that the suspicious-looking stock dumping was perfectly legal.
But by March, a former Equifax executive was facing federal insider trading charges -- only this executive was a different one from the three that were cleared in the company investigation.
Jun Ying, a former information officer, "used confidential information to conclude that his company had suffered a massive data breach” and “dumped his stock before the news went public,” federal prosecutors said.
It remains unclear why Ying knew about the breach while other executives did not. Equifax says it is cooperating with authorities, explaining to the press in March that "we take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”
John Gamble, the Chief Financial Officer who sold nearly a $1 million worth of his stock on August 1, remains at the company and is “responsible for all financial functions” at Equifax, according to his Equifax bio.
Monitoring credit and giving away rights
One potential way to keep people from panicking or getting angry about their data being stolen is to frame the unpleasant announcement as a chance to get something for free.
“Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers,” the first Equifax press release revealing the breach said in big, bold letters.
Shortly after, Equifax had its new crediting monitoring website live and ready to go.
At the unfortunately titled page equifaxsecurity2017.com, users were instructed to enter the last four digits of their social security numbers and their last names. From there, they could find out if they were impacted by the breach and enroll in credit monitoring.
But some consumers reported being told that their data was impacted, regardless of whether they put in a correct name and matching social security number. And after reading through the terms and conditions, advocacy groups warned that consumers may be walking into a trap. By agreeing to the terms on the website, consumers were agreeing to waive their rights to sue the company, according to a vague arbitration clause included in the fine print.
The National Consumer Law Center was among the advocacy groups warning consumers that the open-ended language in the clause would prevent consumers from taking Equifax to court.
“Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website,” CEO Rick Smith responded in an editorial in USA Today. “We accept the criticism and are working to address a range of issues.”
Former New York Attorney General Eric Schneiderman, Sen. Elizabeth Warren, and other prominent Democratic lawmakers pressed Equifax about the arbitration clause. Equifax subsequently agreed to reword the agreement, explaining in the new fine print that the arbitration measure only applied to the credit monitoring service itself, not “the cyber security incident” in question.
Meanwhile, as that controversy played out, the official Equifax Twitter account continued to urge consumers to visit their security page and sign up for free credit monitoring. It took several weeks for people to notice that Equifax had been sending people to the wrong page.
Instead of sending consumers to equifaxsecurity2017.com, the Equifax Twitter account instead directed consumers to securityequifax2017.com, a fake phishing site that someone had created for the express purpose of ridiculing Equifax for creating “an easily impersonated domain.”
Equifax eventually apologized for the confusion, admitted that it had shared the wrong link, and removed the offending posts.
Credit locking, and more of the same
Several months later, in February 2018, Equifax rolled out Lock & Alert, a service offering a credit “lock,” marketed as a step below a credit freeze. While locks are not as secure as credit freezes, they are also cheaper and easier to implement.
In fact, Equifax said that its lock service was completely free. And, responding to the previous criticism about arbitration agreements, Equifax explicitly said that consumers who signed up for Lock & Alert were not agreeing to any arbitration provision.
“The consumer-empowerment approach that is offered through Lock & Alert is what people have come to expect,” Equifax said in promotional materials.
Not long after, consumers discovered that the experience of locking one’s credit might not be as empowering as they were led to believe.
It turned out that consumers who signed up for the service were unknowingly agreeing to let Equifax use their information for marketing purposes, according to advocacy group US PIRG, which reviewed the site’s fine print. And a reporter at NBC News found that the service didn’t work; an error message repeatedly appeared on the screen saying that “we are experiencing technical issues.”
“I think it's fair to say as with any service we did have some initial operational issues shortly after the launch,” Equifax spokeswoman Nancy Bistritz-Balkan told NBC News. “But our team has been working around the clock to document the issues and address it appropriately.”
Equifax goes abroad
Equifax focused its breach investigation on United States consumers, giving only a brief mention to impacted people in Canada in the UK. “Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” is all the firm had to say about the matter in September.
When people questioned what “limited personal information” for “certain UK and Canadian residents” actually meant, Equifax clarified that 400,000 people in the UK and 100,000 Canadians were affected.
That might sound like a figure a little too significant to describe as “limited,” but Equifax said that the breach was related to something else, an apparent “process failure,” as the company called it, that occurred a year earlier.
“This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016,” Equifax told the British press.
Several weeks later, Equifax revised the number yet again. The company announced that 700,000 UK residents would receive notices about their data being hacked.
An additional 14 million records in the UK were also stolen, Equifax clarified, but the cases were not considered serious enough to warrant direct notifications to those consumers.
An Equifax spokesman later offered this explanation about the many discrepancies affecting British Equifax victims to the BBC: "This information does not change the number of consumers affected or any of the UK figures/statements already provided.”
More people exposed
In March, Equifax said that an additional 2.4 million consumers in the United States had their information hacked, bringing the original figure of 143 million Americans that Equifax had tallied closer to 145.5 million. Though the announcement seemed like new information, Equifax insisted that it was not.
“This is not about newly discovered stolen data,” interim CEO Paulino do Rego Barros Jr. said. In what has become a familiar talking point, he said a new analysis of the stolen data had simply provided Equifax more clarity.
“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals,” Barros explained.
Exposed phone numbers and passports
In February, Equifax submitted a document to the Senate Banking Committee saying that hackers also accessed phone numbers, email addresses, and the expiration dates for credit cards. That appeared to be worse than the “ birth dates, addresses, and, in some instances, driver’s license numbers” and “credit card numbers” that Equifax said had been stolen to the public.
An Equifax spokesman explained to Wall Street Journal that "in no way did we intend to mislead consumers." Rather, she said that the list given to Congress only reflected “minimal portion” of consumers affected.
Based on the statements from Equifax, the public seemed to have the impression that their passport data at least was safe.
“And some data — like passport numbers — were not stolen,” the Associated Press confidently reported in February.
However, Sen. Elizabeth Warren published an independent report not long after claiming that passport information was, in fact, stolen. Equifax said that the senator’s characterization of what was stolen was not accurate.
“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” an Equifax spokeswoman told the New York Post in February.
But in an SEC filing in early May, Equifax indicated that scanned images of passports were stolen from thousands of consumers who had used the agency’s dispute portal.
In a statement, Equifax said it hadn’t been trying to hide that information. The passport information that it said wasn’t hacked came from a different data set than the stolen passport data it had discovered more recently.
“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” an Equifax spokeswoman told ConsumerAffairs in a statement.
“In response to a request from Congress to provide quantities of each data element impacted, in the interest of completeness, we manually reviewed the images stolen from the dispute portal in order to include the numbers of government-issued identifications contained within those images,” she added.
No unauthorized activity on core services
Throughout its repeated “updates” and disclosures about what was hacked, Equifax has maintained that it found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
What that statement actually means is up for debate. Senators and consumer groups have complained that the definition of “core consumer or commercial credit reporting databases” is overly broad.
From a consumer standpoint, identity theft crimes possibly related to the hack already seem to be taking place, affecting “core” business at least where victims are concerned.
Earlier this year, an accountant and several consumers went public with stories about identity thieves collecting government benefits on their behalf. Experts said the crimes could have been made possible thanks to the Equifax hack, as well as vulnerabilities on the social security website itself.
“While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach...contributed to the identity theft,” accountant Jim Shambo, one such identity theft victim, wrote in a blog post.
Luckily for Equifax, such scenarios could turn out to be beneficial for the credit reporting agency. Or as Equifax CEO Rick Smith told a conference in August; “Fraud is a huge opportunity for us. It is a massive growing business for us.”
Equifax has not yet returned an inquiry from ConsumerAffairs asking, among other questions, whether there is any truth to the allegations leveled by Warren and others that it has profited off its own breach.
But, in the grand tradition of Equifax disclosures, Smith also appears to have changed his story and updated his perspective on the matter. A month after saying fraud was a “huge opportunity” for Equifax, the CEO published an editorial in USA Today clarifying that the Equifax hack had been “humbling” and bad for the company.
“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote. “We will make changes and continue to strengthen our defenses against cyber crimes.”
Two weeks after making that promise, Smith suddenly decided to retire. He left with a compensation package worth $90 million.