The Equifax Breach – Background
Equifax, one of only two credit bureaus operating in Canada (and one of three in the United States), has been in the business of collecting, analysing, and selling consumer information for nearly 120 years. In its infancy, the Atlanta-based company helped lenders gauge the trustworthiness of borrowers by conducting overt, targeted consumer surveillance. Correspondents tracked individuals and recorded their indiscretions and liabilities — financial or otherwise — in reports later sold to businesses and banks. These reports, which could not be consulted or revised by the public until the early 1970s, combined financial information and moral assessments of individuals. Plans to digitize these these records in the late 1960s were met with significant public outcry, with Professor Alan Westin warning that easy access to computerized credit records posed a risk to Americans’ privacy, civil liberties, and basic humanity.
Amidst advances in computer technology and a shift from qualitative to quantitative assessments of creditworthiness, credit bureaus have dramatically increased, digitized, and diversified their data holdings since the mid-1980s. To date, Equifax alone now manages 1200 times more data than the United States Library of Congress, and stores information about millions of consumers worldwide. With that in mind, its hard to overstate the impact of the massive data breach Equifax suffered in 2017, which impacted over 143 million adults in the United States and at least 19,000 individuals in Canada.
Dubbed the “largest leak of personal information in history,” the Equifax breach has attracted significant regulatory, political, and legal attention since it was first announced on September 7, 2017. Attackers breached Equifax’s servers through a vulnerability in the company’s online disputes portal in May 2017. After reportedly discovering the breach on July 29, 2017, the company waited an additional two months before disclosing the incident to the public. In written testimony before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, former Equifax CEO Richard F. Smith explained that the breach was caused by “both human error and technology failures.” Equifax IT staff reportedly failed to patch the affected Apache Struts software after a vulnerability was publicly announced in March 2017, and network scans failed to detect the mass exfiltration of consumer data during the attack.
After infiltrating Equifax’s systems, attackers stole a wide range of personal information including social security numbers, birthdates, addresses, and driver’s license numbers. The attackers also stole 200,000 individuals’ credit card numbers. Given the volume of data stolen, and the fact that hacked data has yet to surface on online black markets, some have speculated that the breach may have been part of a nation-state level attack.
Equifax was widely criticized for responding clumsily in the days following the breach. Consumers struggled to get information about whether or not they were affected, and many waited for hours to speak with Equifax representatives on understaffed phone lines. The website that Equifax set up to provide information about the breach, www.equifaxsecurity2017.com, required users to provide detailed personal information in online forms, and attracted the suspicion of some users. The site was soon spoofed by a web developer unaffiliated with Equifax, and the company’s Twitter account repeatedly directed people to the fake website. New York state attorney general Eric Schneiderman also slammed Equifax for including an “unacceptable and unenforceable” arbitration agreement in the terms and conditions of credit protection tools the company released after the breach. Equifax has since made its credit lock tools free, waived credit protection fees, and removed the offending arbitration agreement and class action waiver.
The Equifax breach has since prompted over a hundred class action lawsuits in the United States and Canada. In Ontario, a class action for breach of privacy is ongoing. Affected individuals have also sought recourse through lawsuits in small claims court, with some plaintiffs in the United States opting to use an online chatbot to help draft their legal documents.
Since the breach, international regulators have responded by launching investigations and issuing notices for affected individuals. The U.S. Federal Trade Commission has issued general guidance, providing next steps for affected individuals, warning against Equifax-related phone scams, and explaining credit freezes, alerts, and locks to American consumers. The Canadian Office of the Privacy Commissioner similarly opened an investigation in September 2017, and is working with Equifax to issue notices and provide information to affected Canadian consumers. Public discussion about cybersecurity best practices and potential legislative and policy reforms in response to the Equifax breach remain ongoing in the United States, Canada, and abroad.