Equifax Breach May Have Been Worse Than Everyone Thought

Inman News

12 February 2018

Senator Elizabeth Warren says hackers not only accessed but removed 145 million consumers’ personal information.

Massachusetts Senator Elizabeth Warren has released a 15-page report about Equifax’s 2017 data breach that includes claims about the company’s cybersecurity, the removal of 145 million consumers’ personally identifiable information (PII), and “hardball tactics” Equifax used to delay rival Experian from obtaining an IRS contract.

“After months of investigation, our office finally learned that hackers exfiltrated — not just accessed — the data of millions of Americans,” said the report. “Rather than just having access to the data, this means the hackers removed the data from the Equifax system and potentially [have] access to it forever.”

“Equifax failed to make this distinction in any of its public statements, effectively misleading the American people.”

A report by CertifID released after the breach described the extent to which real estate may be affected.

“This historical breach may be most harmful to consumers that are in the market to purchase a home,” the report noted. “To get a sense of how widespread the breach was, consider this simple math; If there are roughly 236 million U.S. adult consumers with credit and 143 million of their credit records were stolen, that amounts to approximately 60 percent of the U.S. adult population with a credit history. That is a staggering number given the level of information that is now in the hands of cybercriminals. The information obtained in the Equifax breach arms cybercriminals with all the information needed to open new lines of credit which could jeopardize someone’s ability to qualify and/or close on a mortgage loan.”

Warren says Equifax failed to act on warnings it received from the Department of Homeland Security about Apache Struts, the software hackers exploited to carry out the May 13 breach, in which they not only accessed but removed Social Security numbers, addresses, birthdates and passport numbers of Equifax customers.

The Senator also lambasted Equifax for waiting until September 7 — 40 days after they became aware of the breach — to tell consumers that their information was compromised.

Furthermore, Warren says Equifax’s customer service post-breach has been woefully inadequate and has garnered more than 7,500 Consumer Financial Protection Bureau complaints.

“Equifax exposed the sensitive personal information of over 145 million individuals, yet the hackers that stole this information had more than a month to take advantage of consumers who had no idea they were at risk,” reads the report. “Equifax did not give consumers a chance to obtain credit freezes, cancel their credit cards, place fraud alerts or credit monitoring on their accounts, or take any number of precautionary measures to ensure their financial safety.”

“And four months after the breach, Equifax still has not affirmatively notified all individual consumers that were impacted by the breach.”

Moreover, Warren says Equifax protested an IRS contract with Experian, another credit bureau, that resulted in a 100-day delay and Equifax being awarded a $7.2 million “bridge contract” until the contract with Experian began.

Equifax spokesperson Meredith Griffanti denied some of the complaints levied in Warren’s report, mainly the finding that consumers’ passport numbers were removed during the breach.

“We examined passport numbers as an element of our forensic investigation, however, we found no evidence that any passport numbers were affected, accessed or stolen,” Griffanti told The Hill in an interview.

Lastly, Warren called out CFPB director Mick Mulvaney for discontinuing the Bureau’s part in the investigation of the Equifax breach (the Federal Trade Commission is the lead investigator), saying “The American public deserves answers.”

The 15-page report is part of Warren and Virginia Senator Mark Warner’s Data Breach Prevention and Compensation Act, a bill that would create mandatory penalties of $100 for each consumer that was compromised during a breach, up to 50 percent of a company’s gross revenue.

“The financial incentives here are all out of whack — Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Warren in a statement on her website. 

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into people’s pockets and help stop these kinds of breaches from happening again.”

What can you do about this?

Although the breach initially happened 10 months ago, security expert Robert Siciliano says there are a number of things consumers can do to mitigate current and future potential damages:

  1. Don’t give out your social security number just because it’s asked for. An employer needs it. A real estate transaction needs it. Your medical carrier needs it. But no retailer on this planet needs it unless the client is applying for a store card, which you shouldn’t do.
  2. Place outgoing mail in a mailbox if your personal mailbox is not locked and can be opened by anyone passing by.
  3. Have personal checks delivered to your bank so you can pick them up if your mailbox doesn’t have a lock.
  4. If you haven’t gotten mail in several days, contact the post office.
  5. Twice a year check your credit report, plus your spouse’s and kids’.
  6. Carefully review the statements of all your credit cards every month.
  7. Never make a late payment for anything.
  8. If you’re expecting a new credit card and it’s even a day late, spring into action to find out why. When it arrives, sign immediately.
  9. Shred any documents before tossing them in the trash, and that includes credit card offers.