A year after hackers broke into Equifax's network and stole the personal information of 148 million Americans, a report by a consumer watchdog group is lambasting the credit reporting agency for not addressing its vulnerabilities earlier and for botching its response to the unprecedented breach.
Moreover, the report, issued by the U.S. Public Interest Research Group and the National Consumer Law Center, criticized lawmakers and regulators for not holding the Atlanta-based company accountable for its failures.
"Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves," said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.
Equifax officials, however, are touting their efforts to shore up data defense and say the agency is offering more ways for consumers to protect themselves, for example, free credit freezes and locks that seal credit reports and prevent thieves from opening lines of credit in a consumer's name.
"In the past year, we have undertaken a host of security, operational and technological improvements," the company, which declined an interview, wrote in a written statement. "In fact, in 2018 alone, we will increase our investment in security and technology by more than $200 million."
Critics said those efforts are overdue. The breach's cause was "Equifax's carelessness," Litt said. "This may not have been the biggest breach ever, but it's the worst."
That exposure — unprecedented in scope and magnitude — gave thieves the chance to steal millions of identities and possibly lure consumers into costly scams. Even after realizing the data had been accessed, Equifax was slow to let the public know of the hacking, the report says.
Then, to make matters worse, the company botched its response, the report said, by setting up flawed assistance online, understaffing its call center and — at first — compelling aggrieved consumers to sign away their right to sue.
Despite the public vitriol and the money spent on better processes, the data world is not that different a year later, said Humayun Zafar, professor at Kennesaw State's Center for Information Security Education. "What I've not seen from Equifax is a marked change in their cybersecurity culture, post breach," he said. "Without a shift in culture, a lot more breaches will continue to occur."
Kanell writes for the Atlanta Journal-Constitution.