It's bad enough to hear from Home Depot or Target that your credit card information has potentially been compromised. It's another thing entirely to learn that one of the national credit bureaus responsible for archiving your financial history has left the back door unlocked. That's what happened last week, as Equifax belatedly disclosed a massive breach putting half of the adult population of the U.S. at risk for identity theft. This is the big one, and because of the magnitude and sensitivity of the lapse in diligence, change may finally be coming.
Equifax is one of the three main credit reporting agencies (with Experian and Transunion). Those agencies amass voluminous records of individual credit transactions that are then purchased by lenders to assist in assessing the creditworthiness of potential borrowers. For years, an uneasy truce has prevailed that balanced the rights of consumers against the legitimate needs of lenders. Legislators and regulators have periodically imposed additional safeguards and consumer protections to maintain this delicate balance. Equifax has now obliterated the fragile détente and virtually guaranteed the imposition of substantial alterations in how consumer data is collected and reported.
Inspector Clouseau could hardly have flubbed the incident more ineptly. While it was discovered internally on July 29, Equifax waited five weeks until Sept. 7 to disclose the hack which may have exposed 143 million credit files, including Social Security numbers, home addresses, and over 200,000 credit card numbers.
To make matters worse, the company became aware of a security vulnerability in its software system in March, and was in possession of a patch to repair it, but had failed to make the requisite fixes.
To top it off, three executives of the firm sold $1.8 million worth of their company stock two days after the breach and before the public was informed. Equifax maintains that the executives were not aware of the data theft, but the timing clearly complicates the optics of an already inept response.
A few heads are already rolling. Equifax announced the "early retirement" of its chief information officer and its chief security officer (who interestingly has no educational background in data security but does hold a master's degree in music composition). But with the stock price down 35 percent and the continuing series of embarrassing disclosures, we should expect more casualties, likely including CEO Richard Smith as the company's missteps are subjected to heightened public scrutiny.
Expect Congress to jump into the fray as well. Already, several lawmakers including Sen. Elizabeth Warren (D-Mass.) are sponsoring legislation to provide consumers with additional remedies. And both the Republican chairman and the Democratic ranking member of the Senate Social Security Committee have called on the Social Security Administration to cancel a consulting arrangement with Equifax and bar the company from future government contracts. Alas, for Equifax shareholders, the road ahead appears long, winding and downhill.
Individuals should take quick action to protect their records from potential infiltration. Check the Equifax site www.equifaxsecurity2017.com/ to see if you may be at risk. If so, placing a credit freeze on your files at the three credit bureaus will lock down your information and prohibit anyone other than current creditors from pulling your credit report unless you unlock the files. There may be a small fee involved but the extra protection is worth it. The Federal Trade Commission has an excellent blog on the topic at www.consumer.ftc.gov.
It has been a long time coming, but public outrage at the Equifax debacle is likely to be a welcome and overdue turning point in how our personal data is safeguarded and disseminated.
Christopher A. Hopkins, CFA, is a vice president and portfolio manager for Barnett & Co. in Chattanooga.