Equifax is one of three major consumer credit reporting agencies in the United States. On September 7, 2017, the company announced a cybersecurity data breach that exposed the information of more than 143 million consumers in the United States, approximately 44 percent of the population. The breach occurred because of a vulnerability on Equifax’s website. Hackers were able to obtain names, birth dates, addresses, driver license numbers, Social Security numbers, and some credit card numbers, putting many people at risk of identity theft. Equifax officials became aware of the hack on July 29, 2017, more than a month before they let consumers know. The company reported that unauthorized access happened from mid-May through July.
This was not the first time Equifax faced hacking due to flaws in the company’s security. Earlier, in March 2017, Equifax faced a separate breach. In this instance the company notified a small number of banking customers and brought in a security firm to assist its investigation into the breach. Equifax did not make this breach public, and it did not find evidence that data had been accessed or stolen. Earlier still, in December 2016, a security researcher examined Equifax’s servers and alerted the company that its system was vulnerable to the kind of hack that occurred in 2017. Equifax eventually patched this vulnerability, but only after the mid-2017 breach had taken place. Upon investigation by an independent cybersecurity team after the mid-2017 breach, other security flaws were also found.
Journalist Stephen Gandel detailed Equifax’s process to verify that consumer data was compromised. After the discovery on July 29 it was not until two weeks later that the company’s team of 225 cybersecurity experts could report to the CEO that the firm had been hacked. It was another two days before Equifax was certain that consumer data was compromised. Five days later, Equifax’s board was notified. More than two more weeks went by before the security breach was made known publicly. Gandel wrote, “It’s important to understand that what happened at Equifax was not just a technological failure but more important a failure of management and corporate governance.”
Soon after the data breach was announced in September 2017, reporters discovered that four senior executives at Equifax sold shares of company stock worth nearly $1.8 million in the days after the July 29 discovery of the breach. Equifax conducted its own investigation and concluded that none of these executives knew of the breach at the time they sold stock. Another executive, however, chief information officer Jun Ying, sold nearly $1 million worth of stock only days before the breach was publicly announced on September 7. On September 8, Equifax shares fell 14 percent. Ying avoided more than $117,000 in losses that he would have sustained had he sold after the disclosure.
After the announcement of the hack, Equifax directed consumers to a website where they could check if their data had been compromised. Users had to submit their last name and the last several digits of their Social Security number. Users also had to check a box agreeing to Equifax’s terms of service. These terms included a hidden clause that use of the site waived a user’s rights to a class-action lawsuit.
In September 2017, the Consumer Financial Protection Bureau opened an investigation into the data breach on behalf of consumers. A change in leadership at the Bureau stalled investigations, and as of April 2018, further actions have not been taken. In March 2018, the Securities and Exchange Commission filed criminal charges of insider trading against Ying.