Until something goes wrong, few people give much thought to the surveillance they undergo by credit-reporting agencies (CRAs). Yet these agencies’ business is deeply intrusive: quantifying character. They assign individuals credit scores based on how they previously managed debt. The scores are then sold to lenders. In America, Equifax, Experian and TransUnion, the “Big Three” CRAs, have gathered credit histories and identifying information for nearly every adult.
On Sept. 7, Equifax admitted that something had indeed gone very wrong: Hackers had gained access to personal information on about 143 million people. The data compromised included Social Security numbers (SSNs), dates of birth and driving-license numbers, and for 209,000 people, possibly their credit card numbers.
Given the dire potential consequences, Equifax’s response did little to reassure those affected by the hack. After it became aware of the hacking on July 29, it took six weeks before letting the public know about it. That three Equifax employees — even if they were unaware of the breach as the company says — had sold shares in the company after the discovery but before its announcement further dented the company’s reputation.
Within days, at least 100 lawsuits had been filed. Equifax also faces scrutiny from Congress — which is to hold two hearings — and several state attorneys general, including New York’s.
The breach raises a number of issues. Richard Parris, CEO of Intercede, a cybersecurity company, notes that it is just the latest of many. In 2013, hackers stole the credit-card data of 40 million customers at Twin Cities-based Target. In 2015, the American government revealed that information about millions of employees had been stolen. Like many other experts, Parris fears that data from these different breaches could be combined to create detailed profiles.
Another question is whether it makes sense for three large, private firms to aggregate so much information when they are vulnerable to such incidents. The use of SSNs for so many purposes unrelated to their original purpose also deserves scrutiny. Finally, there are the inevitable worries about whether financial data are properly protected elsewhere.
As Richard Nesbitt, chief executive of the Global Risk Institute (GRI), which advises the financial industry on risk management, points out, if a firm such as Equifax, whose very business is managing data, appears so vulnerable, concerns will mount that nowhere is safe.