Social Security numbers, especially when combined with other exposed data such as driver’s license numbers, birth dates and home addresses, can allow identity thieves to impersonate you. They can apply for loans, housing, utilities and even government benefits in your name. Or, more likely, they can sell this data on the open market to those who will use it for those purposes and perhaps for other crimes we can't imagine.
“Once your personally identifiable information has been stolen, people can use that information to basically impersonate you. They can create fake loans and fake bank accounts. And the names will be posted on lists that become available to future hackers,” said Fleming Shi, a senior vice president for Barracuda cybersecurity company.
Equally troubling to many consumer advocates was the six-week-long delay between the day Equifax said it discovered the hack — July 29 — and Thursday’s public disclosure. The company has not responded to repeated requests from The Washington Post to explain this gap, a time frame when affected consumers might have taken measures to protect themselves by closely monitoring their credit card and bank statements and other financial records.
But the reality is that there are few meaningful rules on how and when companies must report hacks and other cybersecurity incidents, despite calls in Congress to legislate regulations.
Sen. Mark R. Warner (D-Va.), the head of the Senate’s Cybersecurity Caucus and a longtime advocate for such rules, issued a statement Thursday night calling the hack “profoundly troubling” and demanding congressional action. Both the House Financial Services Committee and the House Energy and Commerce Committee announced they will hold hearings on the matter. Sen. Ron Wyden (D-Ore.) said in a statement the Senate should “thoroughly investigate” the Equifax hack. And Sen. Richard Blumenthal (D-Conn.) called on the Federal Trade Commission to investigate as well.
“Only stiffer enforcement and stringent penalties will make sure companies are taking precautions to guard consumer data with the strongest available technology,” Blumenthal said in a statement Friday.
As these investigations proceed, public anxiety is being fueled by the sensitivity of the information collected by Equifax and the other big credit rating agencies — one of which, Experian, was hacked in 2015. Equifax, based in Atlanta, says that it operates in 24 countries, analyzing data from 820 million people and 91 million businesses.
Based on this data, little of which consumers turn over by their own choice, Equifax issues credit ratings that can affect access to jobs, credit, housing and more. Equifax also acts as a data broker, slicing and dicing millions of consumers into blunt and sometimes unflattering categories such as “X-tra Needy,” “Fragile Families” and “Ethnic Second-City Strugglers.”
“What’s most ironic and frightening about this breach is that many victims don’t even know the extent to which their personal information is affected,” said Craig A. Newman, head of the privacy and data security group for Patterson Belknap Webb & Tyler in New York. “Credit reporting agencies collect information from the credit card companies, banks and public records and not just from the consumers themselves.”
Equifax said in its news release Thursday that it had “found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” But it also said the investigation was ongoing, and it released little information on the nature of the intrusion itself or what the hackers did once inside. In hacks of other companies, the initial reports often turned out to be too limited in scope, with more troubling information coming out months or even years later.
The clumsy handling of the incident by Equifax seemed to exacerbated consumer frustration. The company issued a contrite statement from its chief executive, Richard F. Smith, saying: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
The company also offered a year of credit monitoring and identify theft protection to all U.S. consumers. But many have complained on Twitter (and in emails to reporters) that the site set up to check to see who was affected by the hack required that people submit their last names and six digits of their Social Security numbers to a company that had just suffered a massive security breach.
Several news reports also outlined security glitches with the site. Consumers have complained about the response they received when they called Equifax by phone. Others have argued that Equifax should offer to “freeze” the issuing of credit reports of affected consumers, a step favored by some consumer advocates because it would make it harder for identity thieves to use personal data.
In the past, the Federal Trade Commission has taken companies to task when they did not live up to their own policies on data protection, but critics have lamented for years that consumers have few legal rights in this area. Some observers think Congress is moving closer to imposing new standards on how companies must report hacks, but consumer advocates say the deeper issues regarding how data is collected, analyzed and protected are unlikely to be addressed.
“It’s just another Category 4 or 5 hurricane that no one’s paying attention to,” said Jeff Chester, executive director of the Center for Digital Democracy and a critic of data-collection businesses. “There’s going to be absolutely nothing.”
Elizabeth Dwoskin contributed from San Francisco.