A year after Equifax breach, no enforcement actions


A new report by congressional investigators details how hackers broke into Equifax last year in a breach that exposed the financial information of more than 145 million Americans.

The lawmakers who requested the report say they will press the Trump administration on the lack of enforcement actions against the giant credit-reporting agency.

Shares of Equifax plunged by about one-third last year after news broke about the massive breach. Since then, the stock has recovered to about $10 below its peak before all the bad news and closed Friday at $135.91 a share. The company has reported a profit of $236 million this year, and second-quarter profit was down just 12 percent from the same period last year despite the breach.

Here is what you need to know about the breach and events since then:

HOW DID HACKERS BREAK IN?

The Government Accountability Office, the investigative arm of Congress, confirmed that a server hosting Equifax's online dispute portal was running software with a known weak spot. The hackers, who have not been identified, jumped through the opening. Hiding behind encryption tools, they sent 9,000 queries to dozens of databases containing consumers' personal information, then methodically extracted the information.

The attack went unnoticed by Equifax for more than six weeks.

Equifax officials told GAO the company made many mistakes. Some were as simple an outdated list of computer systems administrators — when the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.

WHAT HAS EQUIFAX DONE?

The company has said in regulatory filings that it has taken steps to fix the issues that allowed the breach to occur. Equifax said it has added tools to better monitor network traffic, restrict traffic between internal servers, and tighten controls on who can access certain systems and networks.

The congressional investigators said they did not judge those efforts.

Equifax spokeswoman Ines Gutzmer said the company will increase investment in security and technology by more than $200 million this year. She said the company has given consumers more control over their Equifax data and introduced a free credit-alert service in January.

There was also a management shakeup. The chief information officer and top security executive both retired, and Equifax hired a new chief technology officer from IBM.

WHAT INFORMATION WAS STOLEN?

The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and other information. Criminals can use those bits of personal information to commit identity theft.

Equifax stores a trove of data that provides a financial profile of millions of consumers, including how much they owe on their homes and whether there are court judgments against them.

WHAT SHOULD CONSUMERS DO?

Get your credit reports at AnnualCreditReport.com. By federal law, consumers can get a free copy of their credit report every 12 months from each of the three big agencies — Equifax, Experian and TransUnion —

Examine all your listed accounts and loans to make sure that the personal information is correct and that you authorized the transaction. If you find something suspicious, contact the company that issued the account and the credit-rating agency.

Consider freezing your credit, which stops thieves from opening new credit cards or loans in your name. It can be done online. Starting Sept. 21, consumers can freeze their credit for free because of a law that President Donald Trump signed in May, avoiding fees that were typically $5 to $10 per rating agency.

You'll need to remember to temporarily unfreeze your credit — that will also soon be free — if you apply for a new credit card or loan. And a freeze won't protect you from thieves who file a fraudulent tax return in your name or make charges against an existing account.

A new survey commissioned by LendingTree Inc. subsidiary CompareCards.com found that 91 percent of respondents had done something to protect themselves since the Equifax breach, with at least half looking up their credit score and examining account statements more closely. Only about 8 percent had frozen their credit.

Equifax has a page, https://www.equifaxsecurity2017.com , with a link to looking up whether your information was exposed.

WHO IS INVESTIGATING?

The Federal Bureau of Investigation, the Consumer Financial Protection Bureau and the Federal Trade Commission, among others. It is not clear whether the FBI investigation is limited to the theft of information, or extends to the actions of the company and its executives.

Regulators in eight states including California, Texas and New York, reached a consent order with the company requiring it to improve its cybersecurity risk. As part of the agreement, the company did not admit wrongdoing.

WILL EQUIFAX BE PUNISHED?

One year after the public learned of the breach, no federal agencies have announced any enforcement actions.

"Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information," said Sen. Elizabeth Warren, D-Mass., one of the lawmakers who requested the GAO report. She blamed the Trump administration and Republicans in Congress, and has proposed legislation aimed at preventing similar breaches.

Warren and Rep. Elijah Cummings, D-Md., said they have asked the Consumer Financial Protection Bureau and the FTC what they are doing about the matter.


Reader Comments ...


Next Up in Business

Ohio thieves target these vehicles more than any other
Ohio thieves target these vehicles more than any other

The National Insurance Crime Bureau has released its annual “Hot Wheels” report, identifying the 10 most stolen vehicles in the United States — and in Ohio. The report examines vehicle theft data submitted by law enforcement to the National Crime Information Center and determines the vehicle make, model and model year most reported...
The stage is set: UD ready for first gubernatorial debate tonight
The stage is set: UD ready for first gubernatorial debate tonight

After years of discussions and weeks of work, now it comes down to just a few hours: The University of Dayton will host the first 2018 Ohio gubernatorial debate tonight at Daniel J. Curran Place. Eric Spina, UD president, sounded a confident note this morning, saying the university community is ready. “For many years, we have been letting folks...
Health care a top ballot box concern for older Ohioans
Health care a top ballot box concern for older Ohioans

The majority of Ohioans over the age of 50 say concerns about health care will affect their vote this fall. About 81 percent said health care is a “very important” issue when it comes to their vote for Congressional candidates this fall. About 80 percent said Social Security is a very important issue and 76 percent said Medicare is, according...
760-mph hyperloop from Ohio to Chicago moves closer with new regulations
760-mph hyperloop from Ohio to Chicago moves closer with new regulations

An exceptionally fast transportation system may be a step closer to Ohio. Hyperloop Transportation Technologies (HyperloopTT) and German insurance company Munich Re said Monday that a set of core safety requirements and certification guidelines for the fledgling mode of transportation have been created. The hyperloop is expected to transport pods of...
A ‘clean’ meatloaf

Dear Heloise: I have a pretty good hint: When you MAKE MEATLOAF, the cleanup is a pain in the you-know-where. I spray the pan with any kind of cooking spray, then line it with foil. When you take the meatloaf out of the pan, there is very little cleanup. — Linda W., Bakersfield, Calif. ‘lettuce’ explain Dear Heloise: I buy iceberg...
More Stories