On Thursday, September 7, 2017, Equifax, one of the largest credit reporting agencies in Canada and the United States, announced in a press release a security breach that compromised the personal information of potentially 143 million U.S. consumers and an as yet unknown number of consumers in Canada and the UK. The company, which holds personal information on more than 820 million consumers, 91 million businesses, and 7,100 of its own employees worldwide, is a high-profile target for cybercriminals, and a breach of this scale exposes virtually anyone with a credit file to the risk of having their information stolen.
Equifax first discovered the intrusion on July 29 and believes the unauthorized access took place between mid-May and July. In the announcement, the firm attributes the breach to “criminals exploit[ing] a U.S. website application vulnerability to gain access to certain files.” Although Equifax currently estimates that 143 million consumers in the United States are affected, the number of affected consumers in Canada and the UK has not been disclosed.
Equifax has so far stated that it found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” Data exposed in the breach includes names, birth dates, Social Security numbers, addresses and, in some instances, driver’s licence numbers. Credit card numbers for approximately 209,000 U.S. consumers are also believed to have been stolen.
1. Questionable Stock Sale by Executives
It has been reported that three executives sold a combined $1.8 million US worth of company stock on August 1 and 2, just days after the company discovered the breach. By Friday morning Equifax’s share price had fallen more than 14 per cent, a drop of $20.64 USD. The company claims the executives “had no knowledge that an intrusion had occurred at the time they sold their shares,” but the public remains sceptical of this claim.
2. Forced Arbitration Clause
In its Thursday press release, Equifax directs concerned consumers to a dedicated website for information and updates on the breach, and for confirmation of whether or not their data was affected.
Consumers found to be unaffected are told so immediately, while affected consumers are prompted to enrol in a free identity theft protection and credit file monitoring program, TrustedID Premier. Equifax faced further scrutiny, however, because the terms of service that consumers had to accept to join the program contained an arbitration clause that barred them from participating in a class-action lawsuit.
As of Friday morning Equifax has updated the terms so that consumers can opt out of the arbitration clause by notifying the company within 30 days of accepting the agreement, but the agency continues to face backlash from consumers.
3. No Recourse for Canadian or UK Consumers
Canadian and British Equifax consumers remain in the dark, since the firm so far provides information and remediation programs only to its American customers. Canadians are frustrated at not knowing whether their personal information has been compromised, and Equifax has declined to comment further on the situation.
4. The 40-day Announcement Delay
The 40-day gap between discovering the intrusion on July 29 and announcing it on September 7 is questionable, but it is not unusual for firms of this size to withhold public disclosure until an investigation has been completed. Measured from the estimated start of the intrusion in mid-May, however, the attackers had access for roughly ten weeks before Equifax detected them at all. Either way, the delay further erodes public trust in a company whose core function is safeguarding and reporting consumers’ financial information.
What are security experts saying about it?
“So this means [the perpetrators] have a detailed financial history, obviously all of your current information, and a lot of your current debts, as well as, sort of, paying history… with the type of information that’s exposed in a breach like this, [the thieves] can start going out and getting new credit, getting new financial products under your identity and those have a much longer lifetime” – Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro (via CBC News)
“On a scale of one to 10, this is a 10 in terms of potential identity theft… Credit bureaus keep so much data about us that affects almost everything we do.” – Avivah Litan, Security Analyst at Gartner (via The Globe and Mail)
“Every company will have some exposure to risk depending on the kinds of information they keep about their customers. The more information you keep, the more likely it is that adversaries will target your organization… If we create these ‘superentities’ – like super data collection companies – we are collecting much larger data sets and they will be more likely to be targeted” – Hasan Cavusoglu, Associate Professor of Accounting and Information Systems at UBC Sauder School of Business (via The Globe and Mail)
“It’s a huge deal… You would expect these guys to have compartmentalized this data far enough away from a web server — that there would not be any way to directly access it.” – Tim Crosby, Senior Consultant at Spohn, a security-assessment firm (via The Star)