Equifax Breach a Year Later: Record Profits, Share-Price Revival
Experts say nothing has really changed and Equifax’s primary regulators are still investigating one year later.
Data breach? What data breach?
One year after Equifax Inc. disclosed a hack of its computers that shook the financial world, sparking an FBI review and slashing a third off the company’s share price in one week, investors and the public seem to have largely moved on.
The company, whose shares have recovered about 80% of the losses suffered in the plunge, will probably post a record annual profit next year. Equifax said there was no mass defection of clients after the breach put half the U.S. population’s sensitive personal information at risk, and congressional hearings have so far yielded no major changes to federal laws protecting data. The credit-reporting company’s revenue last quarter reached a record $877 million despite the hack.
“It was certainly a bump in the road, but it doesn’t look like anything else is going to dramatically change the future,” Brett Horn, an analyst at Morningstar Inc., said in an interview.
Between May and July last year, criminals exploited a vulnerability in the software Equifax used to build its website and abscond with data on credit cards, social security numbers and drivers’ licenses. The company faced withering criticism after disclosing the hack in September 2017, and more than 90% of consumers have taken some action to protect themselves from identity theft in the aftermath.
A Government Accountability Office report released Friday details steps that have been taken since the incident, noting that Equifax’s primary regulators are still investigating.
“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information,” U.S. Senator Elizabeth Warren, a Massachusetts Democrat who requested the report, said in a statement.
An Equifax spokeswoman declined to make company executives available for an interview, but the company said in an emailed statement that it’s made a number of improvements since the breach, including a more than $200 million boost to this year’s budget for security and technology.
“We have enhanced our leadership team to include some of the most experienced cybersecurity and technology professionals in the industry, notably new Chief Information Security Officer Jamil Farshchi and Chief Technology Officer Bryson Koehler,” the spokeswoman said.
Regulatory Landscape Following the breach, legislators held hearings and proposed policies to guard consumers’ data. The Consumer Financial Protection Bureau and the Federal Bureau of Investigation looked into the hack, and the Federal Trade Commission started an investigation.
Vermont passed a law regulating data brokers, and California enacted sweeping data-privacy rules. Eight state banking commissioners including New York’s signed a consent order with Equifax requiring the company to bolster oversight.
“There’s now momentum building among state governments in the U.S., regulators, and regulators abroad to adopt stricter cybersecurity regimes to give consumers more control of their data,” said Joseph Facciponti, an attorney with expertise in cybersecurity. “It’s a tipping point in the public’s consciousnesses.”
Free credit freezes will now be required as part of legislation rolling back the Dodd-Frank financial regulations, but some argue more action is needed.
“One year later, Equifax still hasn’t paid a price for putting 150 million U.S. consumers in harm’s way,” said Mike Litt, consumer campaign director at U.S. PIRG, which works for tougher consumer-protection laws. “There hasn’t really been consequences, at least not financial consequences, and that’s ultimately what’s needed.”
A class-action lawsuit pending in an Atlanta federal court might eventually bring some of that financial pain to Equifax. The suit, a consolidation of various cases representing a nationwide class, is in its early stages as it winds its way through the court system.
Where’s the Data? The data siphoned from Equifax likely won’t ever show up as one big package for sale on the dark web, said Munish Walther-Puri, chief research officer of Terbium Labs, which monitors data on the dark web. Instead, he said, hackers will likely bundle the information with details from other breaches — such as medical data — and sell it in packages.
When hackers combine this data together, they sell it in packages known as Fullz. A Fullz bundle typically includes a person’s name, social security number, birth date and account data and sells for about $30 on the dark web, according to Experian Plc.
“Prior to Equifax, there was a solid layer of information out there about people,” Walther-Puri said. “The Equifax data really fills out a lot of that packaging.”