Monday, September 18, 2017

Looking Under the Rock: Equifax's Credit Breach


On Sept. 8, the credit-rating agency Equifax announced that they had discovered a security breach that compromised the data of over 140 million U. S. consumers.  The company admitted they had found out about the hack on July 29, almost six weeks before their public announcement.  Hackers were able to obtain names, Social Security numbers, addresses, birthdates, and even some driver license numbers.  The hackers gained access to Equifax's data through a flaw in a piece of open-source web software called Apache Struts.  The cybersecurity arm of the U. S. Homeland Security Administration had released a fix for the Apache Struts flaw back in March, but Equifax didn't apply it well enough to prevent the hack that began three months later, in May.  Equifax is currently being sued and is overwhelmed with consumers requesting freezes of their credit reports so as to prevent hackers from applying for credit under false names. 

Most of the time, the three quasi-monopoly credit rating agencies Equifax, TransUnion, and Experian are largely invisible to the public eye.  They don't sell their products directly to consumers—their customers are banks, loan companies, and other extenders of consumer credit.  The only time you as a consumer have any dealings with one of the Big Three may be when you apply for a home loan or car loan.  The rating you receive from a credit agency can mean the difference between buying a home and renting for the rest of your life, or between borrowing more on a credit card and being shut out or charged ruinous interest.  So although there's not much you can do to affect what the agencies say about you, they hold considerable financial power over you.  The least you can expect from them is to act as responsible guardians of the highly personal data they accumulate under your name.  And Equifax's data breach betrayed that trust.

This is an odd situation, but has come about through the nature of our consumer-credit-intensive economy.  Back in the nineteenth century, when consumer credit was most often an informal arrangement between a general-store customer and the owner who knew the customer personally, there was no widespread need for consumer credit information.  However, commercial firms were interested enough in the creditworthiness of other firms that the "Mercantile Agency" of Dun, Barlow & Co. arose.  By 1876, this firm had a network of informants all across America, typically small-town lawyers, who periodically sent reports on local merchants to headquarters in New York City.  The reports were compiled and printed in a quarterly Reference Book to which interested credit-extenders subscribed. 

Dun, Barlow & Co. eventually became Dun & Bradstreet, a firm which still provides financial data on commercial firms today.  But then as now, credit-rating agencies sell information about consumers to companies, and it is in their self-interest to protect that information from compromise.  In this, Equifax has signally failed.

I have previously discussed in this space the qualities that any company caught in a crisis should have.  Among these are prompt action and transparency.  So far, Equifax has stumbled on both counts.  While it takes a certain amount of time to apply patches to large software systems such as the ones Equifax runs, data security is the essence of their business, and the three-month delay between learning about the Apache Struts flaw in March and the time when the data breach began in May was too long.  It took Equifax another two months to discover the breach, and then six more weeks went by before they announced to the public that it had happened.  Such delays might be excusable in a mom-and-pop grocery store, but not for one of the three largest credit-reporting firms in the U. S.

What can you as a consumer do if you think your data may have been compromised?  Equifax has announced the waiver of the usual ten-dollar fee for a credit freeze, and if you can manage to push your way through their clogged website and phone tree to request one, that is one thing you can do.  And at least one law firm has announced its intention to launch a class-action lawsuit on behalf of all 140 million Americans affected by the breach.  But neither of these things will address the fundamental structural problem:  too much of our personal information is stored in places that are too vulnerable to unscrupulous hackers.

If (as is possible) it turns out that the hackers were not based in the U. S., there is an international twist to this tale.  In that regard, the Homeland Security Agency deserves kudos for doing what it ought to be doing:  finding ways that hackers can attack U. S. interests and helping private firms prevent such attacks.  But if the private firms drop the security ball, the government has wasted its time telling them about the problem.

In general, I regard government regulation as a last resort when other measures fail.  But as firms get larger and affect more and more people in a country, it's probably appropriate for them to come under the regulation of that country's government.  There is always going to be some kind of relationship between large firms and government, but that relationship can be either benign or malign for the consumer.  The pre-breakup Bell System was allowed to monopolize telecommunications in the U. S. until the 1980s, and in turn it accepted close government supervision and regulation of its tariffs and profits.  It may not have been the most innovative telecomm service in the world, but it was stable, predictable, and reliable.   

It may be time to require the Big Three credit agencies to submit to some kind of data-integrity requirement, or to face penalties for data breaches severe enough to make them clean up their act.  But our track record of penalizing these types of agencies for past mess-ups is poor.  One need only think back to the housing-bubble collapse of 2008, in which commercial rating agencies were gold-plating financial instruments that looked as solid as a rock until the bubble burst and knocked them over, revealing a nest of roaches and scorpions underneath.

Equifax is at best guilty of incompetence.  Perhaps the marketplace will punish it enough to make it mend its ways.  But it may be time to re-examine some of our basic assumptions about the responsibilities of private credit-rating firms in our consumer economy.  And in the meantime, keep an eye on your credit rating.

Sources:  I referred to an article on the CNN website at http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html, a New York Times column by Ron Lieber posted on Sept. 14 at https://www.nytimes.com/2017/09/14/your-money/equifax-answers-data-breach.html, and the Wikipedia articles on Equifax, Dun & Bradstreet, and credit freezes.  My information on Dun, Barlow & Co. in 1876 comes from p. 41 of a reproduction issue of the Asher & Adams Pictorial Album of American Industry (1876) published in 1976 by Rutledge Books. 