On September 7th, 2017 the credit bureau Equifax announced a massive security breach. The press release explained that from May to July, hackers obtained the personal information of approximately 143 million Americans. The developments that followed the initial announcement were concerning, to say the least.
Equifax offered a free credit monitoring service, which until outcry forced them to amend it, had a clause that prevented participants from ever pursuing a class-action lawsuit against Equifax.
This, a week after the initial announcement wherein they explained that the breach was caused by a server flaw that had been discovered in March, months before the breach happened. It also came to light that three Equifax managers sold stocks days after the company, but not the public, knew of the security breach.
The Equifax hack was not particularly unique, or even unprecedented. At the time the news broke, the largest single data breach on record belonged to Yahoo, which in December 2016 revealed 1.5 billion user accounts had been compromised, more than ten times as many as Equifax. In October 2017, Yahoo updated the number: All accounts, more than 3 billion, had been breached.
Of course, the Equifax breach seemed especially severe given the fact that instead of email passwords and social media accounts, Social Security Numbers, Driver’s License Numbers, and other sensitive identification and financial information was stolen.
However, it wasn’t the first major financial institution to be hacked, either. Anthem, America’s largest health insurance company, saw similar information stolen on upwards of 79 million customers in February of 2015; similar attacks targeting insurers and hospitals, both of which store SSNs and similarly sensitive data, have become almost commonplace in recent years.
What made the hack of Equifax truly unique was not the scale or the nature of the data, but the relationship between the organization, one of the three main credit reporting companies, and the individuals whose information was stolen.
How Credit Scores Work
To companies like Equifax, the individual isn’t the customer, they’re the product. As Michael Hiltzik wrote for The Los Angeles Times, “The most important lesson in the Equifax breach is an old one: Consumers whose information is held by Equifax are not its customers or clients — they’re the product, and their personal information merely raw material to be exploited by the firm for its own profit.”
Equifax, Experian, and TransUnion are the three major credit reporting agencies, also known as credit bureaus. These credit reporting companies gather information from lenders and other financial operators about every individual with whom they transact. The bureaus then use that information to compose a portrait of who an individual is financially. Two other companies, VantageScore and FICO, use that data to calculate a credit score, a representation of what the risk associated with lending to that individual is.
While all three bureaus are for profit companies and are publicly traded, they are subject to some government regulation, specifically the Fair Credit Reporting Act, but that only regulates how these companies share an individual’s personal information.
“Generally speaking, a credit score is an estimation of your likelihood to pay back debt. It’s valuable because it shows entities that might do business with you – like landlords or anybody lending you money – whether doing so will be safe or risky,” notes our own Shoshanna Cohen.
That portrait, summarized by your credit score, is largely responsible for how lenders see a potential customer. In other words, lenders — banks, credit card companies, car dealerships, credit unions — are the real customers of the credit bureaus.
Unlike almost every other major data breach to date, the Equifax hack didn’t affect the company’s customers. The people whose information was stolen didn’t choose to do business with Equifax or any other credit bureau. Instead, the participation of those impacted was implicit given the fact that credit card bureaus collect personal information from all the other businesses individuals do business with.
Equifax and it’s competing credit bureaus make money by selling personal information to credit card firms, marketers, and banks. Their priority is always going to be making that money, and in this situation it appears they were willing to let things fall to the wayside in favor of that ultimate end goal.
What Is Wrong With Credit Reporting, Scores, and the Bureaus?
The Equifax breach obviously points to a serious flaw in the credit reporting system: security. This is exceedingly concerning given the fact that the information of virtually everyone with debt, credit cards, or other accounts payable is stored by at least one of the three major bureaus — whether they like it or not. The sensitive nature of the information combined with the central organization of it all make credit bureaus a hacker’s dream.
“Credit bureaus are supposed to safeguard information, but no government agency has authority to go in and review their security practices. Tighter federal oversight of the bureaus is needed,” notes USA Today.
While the Equifax hack shone a spotlight on just how vulnerable the credit bureaus may be, this is not the first or only problem with the credit reporting and scoring system to be revealed.
Credit scores have undergone many iterations since FICO first came onto the scene in 1958. While some changes were made to improve the product and secure dominance in the analytics marketplace, other updates came in response to government regulation, as well as problems with accuracy and accountability.
A lack of trust on consumers’ part toward the credit bureau has been validated many times over the years, by rampant mistakes on credit reports, a lack of responsiveness to complaints or requests for correction, as well as a wholesale failure to accurately predict and report risk. The housing bubble of 2008 can be partly blamed on irresponsible lenders, but the recession that followed saw major changes to how credit reporting was done. The formation of the Consumer Financial Protection Bureau was partly a response to lack of standards in credit monitoring and risk-assessment in lending markets.
And yet, the risks of participating in the American mode of commerce are still clearly prevalent given the long and continuing history of stolen data. Credit bureaus are given access to personal information, and in exchange they’re obligated to protect it, and the only acceptable response when that agreement is violated is that if an individual is adversely affected by the company’s failure, that individual must be compensated.
As noted above, the most recent reports claim that the Equifax breach happened because of a security weakness that the company had been notified of beforehand. Which means, it was preventable and thus, the priority of the company seems to have been made painfully clear.
Can Credit Bureaus Still Be Trusted?
In the stir that the breach left in its wake, the question being asked over and over again was whether or not there should be more stringent government legislation that will make the penalty for not taking every possible precaution to protect consumer information, exceedingly costly for the company that fails to do so.
The credit reporting system is full of weak links. But, perhaps three companies having the personal information of millions of Americans, in addition to the nature of cyber-attacks, means that there is little that can be done to eliminate the problem.
It gives reason to look more closely at the nature of trust within the credit reporting industry. Equifax failed to protect information. And in the aftermath, they seemed most interested not in righting the wrong, but in turning the situation into a marketing opportunity.
“The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich,” security expert Brian Krebs wrote on his website just after.
Rich, for Equifax at least. The dust hasn’t even settled, and they’re relentless in their pursuit of everyone’s information.
The Equifax breach wasn’t the first data breach, not even for the company itself, and it won’t be the last. Data storage is always at risk, and it’s fair to say it always will be.
But, for now, this is the way it works. Society as a whole, has agreed that assigning a credit score is the best way to deal with the subjective nature of the risks associated with individuals. If someone misses a mortgage payment, Equifax will not give them the benefit of the doubt. Hopefully, as we venture into the future, credit bureaus aren’t given the benefit of the doubt when they fail either.
Looking for more information on how to keep your personal information and credit score secure? Visit our credit score resource and learning center. Is there an error on your credit report? Visit our dispute letter template resource center for more information on contacting the credit bureaus.
Image Source: https://www.pexels.com/
