Equifax has been scrambling to explain itself since disclosing last week that it exposed vital data about 143 million Americans — effectively most of the U.S. adult population. It’s come under fire from members of Congress, state attorneys general, and people who are getting conflicting answers about whether their information was stolen.
The company keeps track of the detailed financial affairs of all Americans in order to gauge how much of a risk they are for borrowing money. That means it and its competitors, TransUnion and Experian, are a detailed storehouse of some of the most personal and sensitive information of Americans’ financial lives. And all of it could be used for identity theft.
Here’s the latest on what you need to know about the breach:
What Equifax is saying
Equifax is trying again to clarify language about people’s right to sue, and said Monday it has made other changes to address customer complaints.
The company is trying to staff up its call centers more in order to handle the increased customer service calls. It also now says people will get randomly generated PINs when they try to put a security freeze in place. People had complained about PINs being based on the time and date requests were made.
Equifax also acknowledged that its language particularly over the right to sue has been confusing at best, and said it was removing that language from their website. “Enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action,” it said.
Some lawyers have already announced suits that they hope will be class-action cases.
Am I affected? It’s been hard to tell
Equifax has been the focus of anger and distrust, not only for the breach but over how it initially was handled.
It discovered the hack July 29, but didn’t publicly announce it until more than a month later. People trying to find out if they were affected have gotten some confusing or contradictory information. Consumers calling the number Equifax set up complained of jammed phone lines and uninformed representatives, and initial responses from the website gave inconsistent responses. Many got no response, just a notice that they could return later to register for identity protection. Equifax says it’s fixed the issue of inconsistent responses, in which people could get one response on the computer and a different one when checking on the phone.
The site is equifaxsecurity2017.com and the number is 866-447-7559. Equifax also says it’ll send a notice to all who had personally identifiable information stolen. Equifax is offering free credit monitoring for a year, which people can sign up for at the website.
But considering the size and scope of the breach, it’s probably better just to assume you were part of it.
What about the controversy over the right to sue them?
There has been a significant amount of confusion about that. It partly comes from the industry practice of mandatory arbitration, in which the fine print on many financial products says customers have to use a private third-party arbitration service in order to resolve their disputes. Regulators are trying to crack down on the practice, particularly after the Wells Fargo sales practices scandal.
Equifax released a statement Friday evening declaring that the arbitration requirement and class-action waiver will not apply to this particular breach. In its statement Monday, it said it had again adjusted the language in the FAQs on its website.
What should I do?
Ultimately, the onus will probably be on consumers to try to protect themselves. People should do all the things they’re probably already heard about:
- Closely monitor their own credit reports, which are available free once a year, and stagger them to see one ever four months.
- Stay vigilant, possibly for a long time. Scammers who get ahold of the data could use it at any time — and with 143 million to choose from, they may be patient.
- Consider freezing your credit reports. That stops thieves from opening new credit cards or loans in your name, but it also prevents you from opening new accounts. So if you want to apply for something, you need to lift the freeze a few days beforehand.
Who’s investigating this?
A host of state and federal authorities as well as politicians have stepped in to investigate. Credit bureaus like Equifax are lightly regulated compared to other parts of the financial system. Expect more scrutiny from regulators over the credit bureaus.
The chairmen of at least two U.S. House committees say they want to hold hearings. Like the Wells Fargo sales scandal, the Equifax breach is causing bipartisan outrage and concern, but there has been no talk of any new laws to further regulate the industry. Several state attorneys general have also said they would investigate, which could result in fines at the state level.
Lastly the Consumer Financial Protection Bureau, the nation’s watchdog entity for financial issues, says it has the authority to investigate the data breach, and fine and sanction Equifax if warranted.
Company executives are also under scrutiny, after it was found that three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators. Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Given the seriousness of the breach, there are worries about the long-term future of the company. The sole purpose of why Equifax and the other credit bureaus exist is to be a secure storehouse of crucial financial information. Equifax failed at that.
The stock has fallen more than 25 percent since Thursday and the company is meeting with investors this week in New York in hopes to contain the fallout.