Equifax Screw Ups: Let Me Count the Ways



WC’s apologies to Elizabeth Barrett Browning, but the count of Equifax’s multiple, awful screw ups is reaching the level of Abomination. Here’s a partial list:

(1) Five months ago, Equifax, whose business is holding securely every single bit of information necessary to permit identity theft and fraud, got hacked. It didn’t tell anyone. Nor has it been forthcoming about the details.

(2) In mid-May, 2017, Equifax was hacked again. The criminals took advantage of a flaw in an open source tool used by many web sites, something called the Apache Struts vulnerability. Equifax had known of the risk since early March, but had failed to patch it. All the tools to patch it were present. But Equifax continued to run the hackable version. For more than two months. As a result, 143 million Americans’ highly confidential financial data was compromised.

(3) Even though Equifax discovered it was hacked in May, it didn’t tell anyone until the end of July. The hackers and crooks who obtained the 143 million citizens’ financial information – 44% of the U.S. population – had the use of it for 2.5 months and Equifax didn’t even tell you it had been stolen.

(4) Between the time it discovered the hack and the time it announced it had been hacked, primary shareholders in Equifax dumped their stock, getting a higher share price because news of the devastating hack hadn’t reached the street. The primary shareholders claim not to have known of the hack but, of course, that begs the question. Senior officers of Equifax might very well protect their major shareholders.

(5) Some of those 143 million victims, trying to protect themselves from credit fraud, followed the directions tweeted by an Equifax representative using the name Tim. The link in those directions was to a knock-off of the official Equifax breach notification site.

(6) Even if a victim goes to the legitimate link to request a credit freeze, it is apparently so overloaded that the PIN to enable a credit lock is never sent to many victims. Equifax’s planners never considered that they might have to deal with 143 million unhappy persons. Equifax assumed it would never be hacked.

(7) Initially, Equifax tried to collect a fee for freezing the credit of the victims of its own criminal negligence. Only when the outrage ratcheted up did Equifax back down.

The thing to remember about Equifax is that it regards those 143 million victims as data. They are not Equifax’s customers. Its customers are the banks, credit card companies and insurance companies who use Equifax reports to make credit decisions as the customer. The rest of us are just data points. In Equifax’s mind, you don’t have to take care of data points; only customers.

Except that the data points include everything a thief could want. Steal your identity? Sure; Equifax had your name, address, SSN, mother’s maiden name, you name it. Equifax provided the thieves with everything they could need to do a better job of persuading, say, your bank, that the thieves are you than you could do. Take out credit cards in your name? Sure, piece of cake.

If you aren’t outraged yet, you’re being naive. Equifax, and its two fellow credit reporting services, Experian and TransUnion, are entrusted with your most important financial information. And it turns out that Equifax, at least, couldn’t even be troubled to keep its database system up to date. Don’t get WC started on why the data was stored in an unencrypted form, or why Equifax is acting like a petulant child instead of being transparent.