The recent security breach of Equifax is alarming for many reasons, the most critical of which are the severity of the breach and the behavior of certain Equifax executives. Not only is this breach one of the largest successful cyberattacks ever against a major financial services corporation, but the full implications of the breach are still unclear. Dire scenarios include financial catastrophe for millions of people and a possible impact on national security.
This incident also puts a spotlight on some underlying issues with corporate culture in the United States. Regardless of whatever additional details emerge, the behavior of Equifax’s executives can be accurately described as shameful. Not only is there evidence that executives were aware of the company’s security weaknesses prior to this most recent breach, but allegedly three executives cashed out considerable amounts of stock just before Equifax made a public announcement that hackers had stolen its data.
Given the immediate and potential ramifications of the breach, it’s important to gain a clear understanding of what this event (and corporate scandal) represents, and its most likely consequences. Although we shouldn’t panic, it’s right to worry and feel alarmed.
What you need to know about the Equifax breach and your online privacy
Equifax failed to address its security issues
The sheer size of the security breach is unprecedented. The obvious question here is how Equifax had such a huge security hole in its data systems in the first place. It’s disturbing to find out that some of Equifax’s employees were aware of a high level of vulnerability prior to the attack. Earlier incidents—a number of small security breaches—provided the company with many red flags about the state of its security system. Even with this information, Equifax, which had the financial and technical means to correct the vulnerabilities in its systems, apparently failed to take the necessary steps to improve its cybersecurity. Regardless of whether Equifax is eventually found to have done anything criminal from a legal perspective, its failure to proactively apply the most rigorous protection to its data is extremely disappointing.
DOJ launches criminal investigation of top executives
The United States Department of Justice has launched a criminal investigation into the stock sales made by three Equifax executives after the breach was discovered, but before it was made public. Chief Financial Officer John Gamble, U.S. Information Solutions president Joseph Loughran, and Workforce Solutions Unit president Rodolfo Ploder collectively sold stock worth roughly $1.8 million several days before Equifax made its public announcement of the security breach.
The DOJ has not yet proven that the executives were aware of the breach, although, given their positions within the company and the timing of the sale, it looks likely. If these three, or any other Equifax executives, are ultimately prosecuted, it would expose a disturbing aspect of Equifax’s corporate culture—that executives charged with protecting financial and personal data for millions of people would take the opportunity to profit from a security disaster they not only knew about, but may have had the ability to prevent. Like the Enron scandal, the Equifax debacle should prompt lawmakers to investigate and challenge what appears to be a philosophy of greed and lack of personal responsibility that has evolved in certain corporations.
Identity of hackers remains a mystery
At the time of writing, the identity of the hackers who perpetrated this crime is unknown, although there is much speculation. Given the massive scale of the security breach, it’s likely that a group of people were involved. Equifax is a hacker’s goldmine. The compromised data is extremely valuable and potentially quite lucrative. “People cannot appreciate the severity of the breach,” says Los Angeles-based attorney Amir Dibaei. “That leaked data is the modern equivalent of fingerprints.”
The negative consequences that may result from this theft are many. The thieves can sell Social Security numbers on the Dark Net and the international cybercrime black market, make purchases using stolen credit cards, apply for credit cards using stolen identities, and, in general, carry out identity theft on a massive scale. This security breach promises to cause untold hours of administrative hassle and financial loss for millions of people.
National security is another consideration. If the group behind this crime turns out to have a political issue with the United States, there is legitimate cause for concern that they might use the stolen information to fund ways to harm the United States government. Until the identity of the hackers is revealed, we won’t know for sure what level of disaster we’re facing.
CEO resigns and lawsuits are filed
Equifax CEO Richard Smith resigned on September 26, 2017, in response to the growing scandal, and Paulino do Rego Barros took over as CEO. But Smith is not off the hook. Depending on how the investigation unfolds, Smith will most likely find himself pulled into courtrooms to provide testimony on his actions and the conduct of other Equifax executives. Consumers across the country are filing lawsuits against the credit reporting company; as of this writing, 19 lawsuits have been filed in civil court in New York State alone. It’s reasonable to expect many more lawsuits to follow in the coming months. Eventually, all lawsuits against Equifax may get consolidated into a national class-action lawsuit, brought in Georgia, where Equifax has its company headquarters. If such a lawsuit is successful, the damages could easily mount to a level that bankrupts Equifax.
Though many aspects of this security breach are still unfolding—the outcome of the lawsuits, the DOJ’s criminal investigation, the identity of the hackers, etc.—there is already enough information to cause alarm, especially the poor conduct of Equifax’s executives, the magnitude of the breach, and the possible national security implications.
“This data breach is a cataclysm, but people can’t understand it in context. This breach cannot be undone. It is like a natural disaster that may strike at any point in your life…or even afterward,” Dibaei said. “People need to be proactive and mitigate their exposure. The potential for abuse is so widespread and unpredictable. Just a couple days ago Equifax learned of a couple million more people that may have been exposed.”
Whatever happens, we can safely say that credit reporting will never be the same.