Equifax vows to improve breach response -- too late?
When a company tries to fix a security breach, it's never a good sign when consumers feel less secure because of its remedies.
That's the fix Equifax (EFX) finds itself in after bungling its response to its massive breach, which is fueling consumer outrage and calls for greater regulation over credit-reporting agencies, which include Experian (EXPGY) and TransUnion (TRU). Four days after Equifax said 143 million Americans had been affected by the breach, many consumers remain confused about whether their data was stolen and how to protect themselves.
A site created by Equifax where consumers can check whether their data was stolen asks them to enter their last names and the last 6 digits of their Social Security numbers. But the site provides responses even for bogus names and numbers (such as "Trump" and "123456"), leading to questions about its accuracy.
Consumer advocates pointed out that Equifax's terms of use for the credit-monitoring service it's offering free for one year required the breach victims to sign away their legal rights. On Monday, the company said it had backed away from that requirement.
Some consumers said Equifax needs to take more steps to make amends, such as offering free credit monitoring services for several years or longer, not just one year. The hackers stole Social Security numbers, which have no expiration date.
"You need to take more action," one consumer wrote on Twitter to Equifax. "Free credit freezes for those affected. Lifetime credit monitoring. Reimbursement for all other freezes."
Equifax didn't immediately return a request for comment. On Monday, it said in a blog post it's "listening to issues consumers have experienced and their suggestions" and had made changes, such as increasing call center support. The company's shares had declined about 9 percent in trading on Monday afternoon. The stock has shed more than 20 percent of its value since Wednesday, the day before Equifax announced the breach.
Security experts are recommending consumers whose data was stolen place credit freezes on their accounts. That restricts access to your credit information, which makes it more difficult for hackers to open accounts in your name.
But credit freezes aren't free: They typically cost between $5 and $10 each. It's important to place freezes at the major credit-reporting bureaus in order to halt scammers, which means consumers may need to shell out up to $30 for the service.
"Will we be reimbursed for having to pay for credit freezes?" one consumer wrote to Equifax on Twitter. "I did 4 over the weekend, I do not think that I should have to pay for it!"
Adding to the frustration was the news that three Equifax senior executives, including its chief financial officer, sold $1.8 million worth of company stock just days after the company discovered the breach but weeks before it was made public.
That stock sale, plus the company's response, which has been roundly criticized as inadequate, and questions about why Equifax delayed informing the public about the breach for several weeks, are creating a perfect storm of controversy. Chief among the questions lawmakers and consumer regulators are raising is whether the credit-reporting bureaus are subject to enough oversight.
The bureaus store sensitive financial data on about 200 million Americans, which the companies provide to banks and other financial institutions that need to check into consumers' creditworthiness. Employers, landlords and utilities also use the bureaus' data to check up on consumers.
While their services are essential to the U.S. economy, the credit-reporting bureaus don't have the same regulatory oversight as the financial industry.
Before Equifax announced the breach, some lawmakers last week were considering whether to lower penalties for credit-reporting bureaus whose inaccurate information hurts consumers, according to The Wall Street Journal.
Equifax's initial offer for free credit-monitoring services required consumers to agree to mandatory arbitration, a tactic that's a favorite of the financial industry because consumers give up their rights to join class actions. Arbitration is slated to be barred in the financial industry next year by the Consumer Financial Protection Bureau, but Republicans have sought to reverse that ruling.
Equifax's ham-handed response is reviving calls to weed out mandatory arbitration from the finance industry.
"This is just one more example why the Consumer Financial Protection Bureau's rule banning forced arbitration is badly needed to protect the rights of working Americans," said Sen. Sherrod Brown, D-Ohio, in a statement.
Years from now, the Equifax breach may provide fodder to business school students about how not to bungle a response to a security failure. For the time being, though, millions of Americans remain at risk for identity theft because of the Equifax hack.