What we know about Equifax being hacked is frightening.
What the public doesn’t know, however, is far more frightening. Equifax had been trying to limit its own financial exposure and culpability in the event of a hack.
Besides spending millions of dollars on lobbying, Equifax’s PAC (political action committee) has been doling out money to legislators who, in turn, write bills to protect the company from consumers suing if their data is stolen and from regulators who could investigate and fine the company in response to negligence.
In fact, the day Equifax reported it had been hacked, a House Financial Services panel was discussing a bill being pushed by Equifax to limit credit reporting companies’ liability if hacked.
Equifax’s Dirty Secret
Equifax is one of three giant credit reporting companies. They all keep data on consumers’ borrowing and bill-paying habits.
Credit rating agencies, as they’re sometimes called, calculate credit scores for banks, lenders, insurance companies and other “creditors” who are the rating agencies’ real customers.
Consumer credit history is their bread and butter; it’s what they sell. What’s worse is that they also sell credit protection services to the same consumers whose data they’re already storing.
Credit rating companies are essentially depository institutions, like a bank. But it’s not your money they keep; it’s your personal data and credit history related to money you borrowed and how you paid it back.
They know they have liability if they are robbed. And in Equifax’s case, 143 million consumers’ names, addresses, birthdays, Social Security numbers, driver’s license numbers, and 209 thousand credit card numbers were exposed. In this context, being hacked is the same as being robbed.
Why the company waited a month to report the theft is mystifying. Then again, maybe it isn’t.
The Wall Street Journal reported: “Executives said the company waited more than a month to announce the breach in part because of the need to set up a website for affected consumers and decide on services for them, according to a person familiar with the matter.”
Or, maybe the company waited to tell the public and regulators about the breach to give their lobbyists and paid-for legislators time to ram bills through Congress to limit their responsibility after the hack.
Equifax spent $1.02 million on lobbying in 2015 and $1.1 million in 2016. Its congressional-lobbying-disclosure reports state it has spent $500,000 lobbying Congress and federal regulators in just the first half of 2017.
According to its own lobbying disclosures, the principal issues Equifax has lobbied Congress and regulators for included: limiting the legal liability of credit-reporting companies, issues around “data security and breach notification,” and “cybersecurity threat information sharing.”
Additionally, Equifax wants to change rules governing how companies “repair” consumers’ credits. The disclosures also mention that the company wants to offer credit-education and identity-protection services without being subject to the rules governing actual credit-repair companies.
Equifax also lobbied the Consumer Financial Protection Bureau and the Federal Trade Commission, two principal agencies that regulate most aspects of credit-reporting companies.
More to the point, the company’s political action committee made contributions to 13 members of the Financial Services Committee during the 2016 election cycle, according to data from the Center for Responsive Politics.
Another recent WSJ investigative piece stated: “Rep. Blaine Luetkemeyer (R., Mo.), chairman of the Financial Institutions and Consumer Credit subcommittee that directly handles matters relating to the reporting companies, received $2,000. Also receiving $2,000 was Rep. Barry Loudermilk (R., Ga.), sponsor of the bill that would place a $500,000 cap on the statutory damages consumers could win in a lawsuit against the credit-reporting companies, as well as eliminate punitive damages against them entirely.”
Rep. Loudermilk has subsequently denied the bill was “a credit bureau protection act,” saying it was intended “to protect consumers and all Americans.”
Of course, Equifax’s PAC contributions “are made in a legal, ethical and transparent manner” and in accordance with federal laws and regulations, the company says.
Sure, that’s why the company waited a month to disclose the massive breach. Sure, that’s why some of Equifax’s top executives sold stock immediately after they knew about the breach, but before notifying the public, which would have tanked the stock. Just look at what happened once they did make the breach public.
We know Equifax was aware of the breach. We know executives dumped stock. We know the company had legislators in Congress trying to pass a bill. And we know the purpose of that bill: to limit a credit company’s liability in the event of a hack. But we don’t know if the timing was purely coincidental or when Equifax disclosed the hack to regulators. Hopefully all of that will come out in the not-too-distant future.
What You Need to Do Now
In the meantime, you must protect yourself.
The first step you can take is a security freeze. It will be a pain, but so is having your data exposed. A security freeze restricts anyone from opening any account or credit facility in your name. The only drawback is that this same security freeze slows you down when you open a new account or take out a loan. But it’s worth it.
You must set up a security freeze at each of the three bureaus. Here are the websites you’ll need:
- Equifax: Freeze Your Equifax Credit Report
- Experian: Freeze Your Experian Credit Report
- TransUnion: Freeze Your TransUnion Credit Report
Here’s a link to the FTC’s identity theft page that will give you step-by-step instructions on how to protect the rest of your information.
You can also make sure to protect yourself and your data by using strong passwords for your accounts. The BBC reported this week that the Argentinian branch of Equifax had a database with thousands of customers’ national identity numbers that could be accessed by typing “admin” as both the login and the password. Really.
Taking your security into your own hands, even if just a little bit, could change everything for your future. Imagine what the people who will be affected by this breach will be wishing they had done before some hacker tanked their credit.
You now have the tools you need to protect yourself, so I expect you all to take advantage of it.