Equifax could make money from its own breach; 2.4 million more are exposed

Atlanta-based Equifax disclosed in September that a “cybersecurity incident” exposed the data of approximately 143 million U.S.-based customers. Six months later, the credit-rating agency added another 2.4 million U.S.-based customers to that number as part of an ongoing analysis. But while the company appears to be apologetic and embarrassed over the hack on the outside, Senator Elizabeth Warren, D-MA, believes the company could actually generate cash from the breach. 

How? Because it sells credit protection “devices,” or services. Even if customers swear they will never do business with Equifax again after the 2017 breach, third-party credit protection services may still use Equifax. That means the company is reeling in the big bucks from its own breach no matter where customers land. But Senator Warren and Senator Mark Warner, D-VA, want to change that. 

According to their proposal called “strict liability,” every customer gets $100 for the theft of the first piece of data, and $50 for every piece of data stolen thereafter up to half the value of the company. They believe this will push credit-rating agencies to get serious about investing in what is needed to protect Americans and their personal information. If not, we can count on another massive Equifax-style breach in the near future. 

“It’s hard. It’s flat. It’s easy to read,” she said. “And the point is to get the credit-rating agencies to take the right level of security. They take the right level of security, they invest enough in security, then the American people will be protected.” 

After a five-month investigation, Warren released a report detailing Equifax’s shortcomings regarding data protection. She details how security researchers warned of a vulnerability in the website, and how the company never confirmed that administrators actually patched the security hole. The Department of Homeland Security and external experts even warned Equifax of various vulnerabilities before the breach. Smaller break-ins took place prior to 2017. 

What’s interesting is Equifax’s fight with the Internal Revenue Service (IRS). According to the report, Equifax essentially coerced the IRS into signing a new $7.2 million contract by using “federal contracting loopholes” knowing full well it had security issues. But the IRS eventually canceled the contract after discovering the additional security weaknesses that could expose the sensitive information of taxpayers. 

“We found out that Equifax failed to follow its own internal requirements for notifying consumers following the breach of sensitive data,” she said. “And we found that Equifax’s entire cybersecurity apparatus was inadequate to protect American consumers.” 

The 2017 hack exposed credit card numbers, Social Security numbers, names, birth dates, addresses, and partial driver’s license numbers. Equifax discovered the network breach on July 29 but didn’t make the data leak known until the following September. The hack took place sometime between May and July of that year. 

“We put [our investigation] together from a lot of different places and found out that Equifax, quite simply, had not told the whole story to the American people,” Warren said. “What they did was worse, a whole lot worse, than they originally admitted.”