By Fei-Lu Qian
Equifax Inc. (EFX), one of the largest credit reporting agencies ("CRAs") in the US, made $3.1 billion in revenue last year by selling consumer credit reporting and scoring products based on consumers' personal information and credit history. The Fair Credit Reporting Act ("FCRA") requires CRAs such as Equifax to protect a consumer's privacy by guarding against inappropriate disclosure to third parties, and permits a CRA to disclose a consumer's information only for a handful of narrowly defined "permissible purposes." To ensure compliance, CRAs must maintain reasonable procedures to ensure that such third-party disclosures are made exclusively for permissible purposes.
On September 7, 2017, after the stock market closed, Equifax disclosed a massive data breach that had compromised personally identifiable information ("PII") of approximately 143 million U.S. consumers, plus PII of United Kingdom and Canadian residents. Equifax later increased its estimate to a total of 145.5 million people. According to Equifax, from mid-May through July 2017, hackers were able to gain access to a website application used by Equifax, where they were able to obtain critical consumer information including "names, Social Security numbers, birth dates, addresses and in some instances, driver's license numbers." The hackers were also able to get access to "credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers." As has become typical when breaches such as this are announced, Equifax offered impacted American consumers a one-year free subscription to identity protection services.
Public officials were outraged and dozens of consumer lawsuits were filed almost immediately. Senate Minority Leader Chuck Schumer called the data breach "one of the most egregious examples of corporate malfeasance since Enron." In a letter to Equifax, Senator Brian Schatz of Hawaii criticized Equifax's complimentary one-year subscription as "insufficient given the scope and scale of this data breach," since Equifax did not offer "to pay for or reimburse credit freezes, which can cost $10 per credit reporting agency." In a joint letter to Equifax, the leaders of the Senate Finance Committee asked whether Equifax plans "to promote its paid service to these individuals at the end of the free year" as a tactic to profit from the massive breach.
On September 15, 2017, Equifax revealed that the hackers had exploited a vulnerability, CVE-2017-5638, in an open source web application framework that Equifax used, Apache Struts. This vulnerability was easily fixable by updating the software with a patch that was developed and available on March 7, 2017. Equifax has admitted that it was "aware of this vulnerability at" the time that the patch was available, but it appears that Equifax failed to update the Apache Struts software. In fact, in his prepared testimony to Congressional committees, Equifax's recently retired Chairman of the Board of Directors and Chief Executive Officer, Richard F. Smith, admitted "that the vulnerable version of Apache Struts within Equifax was not...patched in" time, and therefore "allowed hackers to access personal identifying information."
Shockingly, Equifax discovered the massive breach on July 29, 2017, but waited six weeks to reveal to consumers and its shareholders that sensitive information of more than half of the entire adult American population had been stolen. To make matters worse, it was revealed through various media reports that on August 1 and 2, 2017, less than a week after discovering the breach, three top Equifax executives, including its Chief Financial Officer, sold Equifax shares for proceeds of almost $1.8 million.
Since the initial public revelation of the breach on September 7, 2017, Equifax has announced the retirement of three major executives, including Smith. In addition, Equifax common stock has declined more than 20%, or nearly $30.00 per share, erasing shareholder value of more than $3.5 billion. Various state attorneys general and federal agencies are investigating the massive breach and multiple Congressional committees have held hearings on the matter.
According to a security expert, "Considering Equifax is one of the largest credit reporting agencies whose sole business relies on both credibility of data and securely handling the sensitive data of millions of consumers, it is fair to say that they should have patched it as soon as possible, not to exceed a week." A letter from the Credit Union National Association to the leaders of the U.S. House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection sums up the long-term impact of the data breach and how it has exposed practically every adult American "to damages in replacing...payment cards, covering fraudulent purchases and taking protective measures to reduce risk of identity theft and loan fraud and assuming financial responsibility for various types of fraudulent activity related to stolen identities and misuse of PII and payment card data."
In the coming weeks we will look at some of the legal claims being asserted against Equifax, and remedies consumers may have against Equifax.