The hackers who attacked Equifax exposed vital personal identification data—including social security numbers, names, addresses and dates of birth—of potentially as many as 143 million Americans.
Soon after Equifax revealed the massive damage, advice to consumers started flowing, but this time, the advice was somewhat questionable. Authorities urged consumers to sign up for the free credit-monitoring service being offered by Equifax, and a few elected officials told state residents to consider placing a freeze on their credit reports. They noted that tax identity fraud was a possible result of the Equifax hack since social security numbers were compromised.
The specter of widespread fraud is a serious problem for lenders – Equifax’s customers. The prospect of millions of frozen credit reporting accounts could stall lending, and that would hamper economic growth. At the same time, data pilfered from Equifax could fertilize a widespread blossoming of fraud. Some observers suggest that this cyberattack “has the potential to do systemic damage in the way that the financial crisis did systemic damage, extending beyond single companies and even markets.”
There have been massive cyberattacks against our critical infrastructures before – including the Office of Personnel Management, the Defense Department, and a few of the “too big to fail” banks. The Equifax attack cuts deep into the trust needed for the financial sector to operate. When you cannot tell if a prospective borrower is legitimate, you will require additional time and validation before agreeing to extend a loan. That will slow the pace of the economy.
Advice urging consumers to freeze their Equifax accounts is of questionable value since the PIN that Equifax was giving to each consumer was a simple mashup of the date-time stamp as of the time of the account freeze. Such PINs could be revealed through brute-force methods and then used to unlock a credit report for the purpose of identity theft.
Equifax’s website is set up so that consumers browsing or obtaining anything from the Equifax site are obligated by the site’s terms and conditions to use arbitration instead of resolution through the court system for any dispute with Equifax.
The arbitration obligation was quietly supplemented a day after announcement of the breach. A well-hidden opt-out option was added requiring that site visitors who want to retain the option of court action must file a snail mail objection to Equifax headquarters within 30 days.
Mandatory arbitration is not counterbalanced by a carefully hidden opt-out option. Equifax kept customers and consumers in the dark for 41 days – 41 days for Equifax to line up its legal defense strategy for the forthcoming battle.
Neither Equifax nor its consumers (including customers damaged by the security breach) expect that cozy meetings with an Equifax-paid arbitrator will result in an acceptable settlement. The colossal failure by a major credit agency is not equivalent to a fistful of cents-off coupons and free credit monitoring, especially monitoring by a firm that lacked the arrangements to do security right.
To compound the customers’ erosion of trust in Equifax, three Equifax executives dumped $2 million of Equifax shares during the 41 days Equifax was devising its legal defense strategy. Equifax claims the three had no knowledge of the data breach. The resolution of this ugly mess will take years and the perpetrators should be treated as high value targets – the crime is borderline terrorism.