It has been one year since the massive data breach of a vulnerable Equifax server that compromised sensitive data for approximately 148 million Americans. The number of impacted consumers from the Equifax data breach has increased several times since the initial notification offered in September 2017, including another 2.4 million victims reported March 1, 2018. This is nearly 60% of all adults in the U.S. over the age of 18 whose personal information – in some cases names, addresses, birth dates, social security numbers, credit card numbers, and driver’s license numbers – is now in the hands of criminals.
Despite lots of headlines and numerous committee discussions in Congress following the Equifax data breach, little has changed to protect the sensitive consumer data collected by credit reporting bureaus from future breaches. After several months, it is unclear whether any significant improvements – either through government regulations and enforcement or by Equifax itself – will be made to safeguard sensitive consumer data.
If nothing happens, here is the discouraging news we all can expect:
Credit Bureaus can take as long as they want to patch vulnerable systems
Safeguarding sensitive data includes, first, knowing what data any organization has collected, as well as where and how it is stored. Having a thorough data inventory helps in many areas, including allowing system administrators to secure those systems better and apply security updates as they become available, along with performing any incident response once a breach occurs.
The Equifax Consumer Dispute Portal was running an Apache Struts server when the Equifax data breach occurred on May 14, 2017. Apache fixed a security issue in Struts in March 2017; however, it took Equifax more than four months after Apache released the fix to identify the system in its network and patch the vulnerable server. Equifax later reported that it had actively searched for systems in its enterprise needing security patches but, mysteriously, failed to identify this one server.
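The two failures described above, a server missing from the inventory and a known fix left unapplied for months, are exactly what an inventory check should surface. The following is an added example (not Equifax's code or data): it reconciles hosts seen on the network against a data inventory and flags systems still below a vendor's fixed version once a patch window has lapsed. Asset names, versions and the 2017-03-01 release date are constructed placeholders; the page gives only "March 2017".

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records (not Equifax's real inventory): the fields a data
# inventory needs so that patch status can be checked for every system.
@dataclass(frozen=True)
class Asset:
    host: str
    component: str          # software component, e.g. "apache-struts"
    version: str            # installed version, dotted numeric
    sensitive_data: bool    # does this system hold consumer records?

@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_version: str      # first version that carries the vendor fix
    released: date          # date the vendor published the fix

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def missing_from_inventory(discovered: list, inventory: list) -> list:
    """Hosts seen on the network (e.g. by a scan) that the inventory does not
    know about; an unknown system can never be patched on schedule."""
    known = {a.host for a in inventory}
    return sorted(h for h in discovered if h not in known)

def overdue(inventory: list, adv: Advisory, today: date, sla_days: int = 30) -> list:
    """(host, days_since_fix) for systems running the affected component below
    the fixed version, once the patch window has lapsed. Systems that hold
    sensitive data are listed first so they are remediated first."""
    hits = []
    for a in inventory:
        if a.component != adv.component:
            continue
        if version_tuple(a.version) >= version_tuple(adv.fixed_version):
            continue  # already at or above the fixed version
        days = (today - adv.released).days
        if days > sla_days:
            hits.append((a.host, days, a.sensitive_data))
    hits.sort(key=lambda t: (not t[2], t[0]))
    return [(host, days) for host, days, _ in hits]

# Constructed sample: assumed fix date 2017-03-01, made-up version numbers.
ADVISORY = Advisory("apache-struts", "1.9.1", date(2017, 3, 1))
INVENTORY = [
    Asset("dispute-portal", "apache-struts", "1.9.0", True),
    Asset("intranet-wiki", "apache-struts", "1.9.1", False),
    Asset("batch-etl", "apache-struts", "1.8.4", False),
    Asset("mail-relay", "postfix", "3.1.0", False),
]
DISCOVERED = ["dispute-portal", "intranet-wiki", "batch-etl", "mail-relay", "legacy-portal"]

if __name__ == "__main__":
    print("not in inventory:", missing_from_inventory(DISCOVERED, INVENTORY))
    print("overdue on 2017-05-14:", overdue(INVENTORY, ADVISORY, date(2017, 5, 14)))
```

Run against the constructed data on the breach date, the check reports the unknown host and two unpatched Struts systems 74 days past the fix, with the sensitive-data portal listed first.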
How many other attacks could occur in such a wide window of opportunity?
Credit Bureaus can take as long as they want to report a breach
Equifax waited nearly six weeks to report the data breach (counting from the date the company says the intrusion occurred to the date Equifax disclosed it). That is six weeks during which criminals could use the stolen data to open fraudulent accounts or loans in the names of victims and slip away before consumers were made aware that their data was compromised. In the aftermath, consumers were left with the burden of cleaning up their credit status through no fault of their own.
Credit reports will not be automatically frozen after a breach
Freezing credit reports prevents unauthorized individuals from obtaining them. This blocks fraudulent loans and other financial activity until the consumer gives consent. It is often one of the first steps consumers should take if they suspect any credit fraud. It is also the minimal action a credit reporting bureau should take on any consumer’s reports once it identifies that a breach of data has occurred. However, they do not. To add insult to injury, it is the consumer who must do so—after paying a fee.
Many attempts have been made to require this action to be taken automatically by credit reporting bureaus. So far, those efforts continue to be unsuccessful.
Most recently, a bipartisan bill was introduced in Congress that would require Equifax and the other credit reporting bureaus to allow consumers to freeze and unfreeze their credit reports for free. The same bill also aimed to provide free credit monitoring services for active military personnel. However, an amendment made to that same bill included provisions preventing those same military service men and women from suing a credit reporting company.
This move seems not only devious to those who put their lives on the line for this country, but also appears to be adding protection to the credit agencies at a time when major changes are needed.
There will be no fines for data breaches
Currently, there are no federal laws holding companies accountable for major breaches of sensitive data. Because of a lack of federal oversight on matters of data compromise, several states have tried to fill that void in their own jurisdictions.
Recently another attempt was made to introduce federal legislation to fine credit reporting agencies who fail to protect consumer data. This move, by Senators Elizabeth Warren and Mark Warner (both Democrats), would establish fines of $100 or more for each affected consumer of a sensitive data compromise, such as the Equifax data breach.
Opponents of this legislation point out, among other things, that since many states have moved ahead and enacted regulations of their own, those state protections could be undermined if federal legislation is implemented. So far, no action has been taken.
Consumers must deal with multiple credit bureaus instead of one authority
After the Equifax data breach, fraudulent loans or credit applications can be opened based on those affected consumers’ data. Rather than having a single point for a consumer to place freezes on credit or to perform the arduous steps to clean up credit reports following any fraud, consumers must deal with each of the three major credit reporting agencies individually – Experian, Equifax, and TransUnion.
Credit reporting bureaus will continue to profit from breaches
Following last year’s Equifax data breach, many consumers reacted by placing freezes on their credit. The fees for doing so ranged roughly from $10 to $23 per freeze, charged both to consumers known to be affected by the breach and to those who were not.
This resulted in some significant profits for the credit agencies. By some estimates, the fees resulted in those credit bureaus raking in as much as $1.4 billion. That’s a pretty nice windfall for companies that were pilloried in the press and suffered no federal penalties.
Credit Bureaus will continue to profit on consumers’ personal data
The credit reporting agencies have created a lucrative business model – collecting and compiling consumer credit data into a commodity that now follows each of our financial footprints, with or without our consent. They make the determination that an individual’s credit is good or bad and profit from it. The onus is on consumers to monitor that data and make significant sacrifices of time and often more money just to clean up any errors (or worse) committed by the major three agencies.
There is no way to opt out of this system. Consumers cannot obtain loans, mortgages, credit cards, or even a mobile phone without this system. Given the pervasive presence of this system, there should be greater regulation over how they operate, including how they collect and protect massive amounts of sensitive consumer data.
This is an industry in desperate need of an overhaul. There is no assurance, however, given political gridlock and rampant partisan antipathy, that any changes that do come won’t make things even worse for consumers.