Understanding the Equifax Data Breach
Like many people, I have been watching the unfolding events around the Equifax data breach with morbid fascination. I have a special interest—I was Equifax’s Chief Privacy Officer for three years until January 2014.
Equifax’s sputtering response did not surprise me, and neither did the reactions in the press, the Congress, or the consumer protection agencies. Unfortunately, most of the proposed solutions do not address the fundamental issue: to credit reporting agencies, consumers are not a product, they are a cost. To understand this, you need to know something about credit reporting.
A brief history of consumer credit reporting
The consumer credit reporting industry started over 100 years ago, and Equifax—then known as the Retail Credit Company—was one of the pioneers. Credit reporting played a critical role in democratizing access to credit, but it operated purely business-to-business as a part of the financial infrastructure. It still does. Lenders want to know which individuals present an acceptable credit risk. This judgment requires knowledge of the individual’s total debt, financial circumstances, and past history of repayment. Consumer reporting agencies (CRAs) collect data from a variety of sources, analyze it, and sell reports to credit issuers.
Originally, most consumers were not even aware that the credit reporting system existed. Of course, there were cases when someone was denied a loan based on incorrect information in a credit report, but that consumer had no way to learn where the information originated or how it related to the denial of credit. Helping consumers fix errors in their credit files wasn’t a priority for lenders as long as they had enough qualified borrowers to run successful businesses. It wasn’t a priority for CRAs, either, because they got data from businesses and sold reports to businesses. As long as their data was accurate enough to satisfy their customers, CRAs had no reason to interact with consumers, and they didn’t.
This changed with the passage of the Fair Credit Reporting Act (FCRA) in 1970. The FCRA and its amendments forced CRAs to provide consumers with access to their credit files and the ability to dispute information in these files. For CRAs, this involved significant new costs. Setting up a mechanism for access and correction of credit files is not as simple as setting up a consumer contact center. First, CRAs need a reliable way of identifying consumers in order to prevent identity fraudsters from gaining access to credit data. Second, CRAs need to address potential financial fraud, in which individuals try to remove or change correct data in order to improve their own credit standing or damage that of someone else. Preventing identity and financial fraud is difficult and expensive. Since dealing with consumers is a legally imposed cost to CRAs, it is not surprising that they have tried to minimize this cost, for example by locating contact centers in low-wage countries.
Consumers have never liked CRAs. They often feel helpless and angry when dealing with opaque, bureaucratic organizations that can greatly affect their lives but that they find hard to influence. And yet, the credit reporting system plays an important role in the economy. People living in countries without well-developed credit reporting systems find it difficult to get loans. And an entirely voluntary credit reporting system would not work because it would not be trusted by lenders.
Regulators don’t much like CRAs either. The 2011 Federal Trade Commission staff report titled “40 Years of Experience with the Fair Credit Reporting Act” offers over 100 pages of history and discussion of enforcement actions and court cases involving CRAs and their customers. The main regulatory authority of consumer financial services now belongs to the Consumer Financial Protection Bureau, but the relationship between the regulators and the CRAs has not become less tense.
When I was at Equifax, there was a palpable feeling of being in an organization under threat. Physical and data security was a priority because it was understood that if there were a problem, a widely disliked company whose role in the economy is not always appreciated would get little sympathy. This is precisely what happened since the data breach was announced. As of this writing, Equifax stock has lost a third of its value, the Congress and the regulators are investigating and threatening action, and the press is publishing rumors that Equifax’s customers plan to defect to other CRAs.
The Equifax data breach
When the data breach was announced, I noted several things. The company said that the breach happened through an online consumer-facing portal, and that it “may” have involved the data of 143 million people, but credit card numbers and drivers’ license data of about 200,000 people. There are few places in the company where this combination of factors exists, the most likely being an application related to disputes.
The disputes portal is one of the few places where consumers interact with Equifax online. In order to dispute a credit report entry, a consumer must provide proof of identity, such as a driver’s license, and information related to the dispute. Most disputes deal with credit cards. The data of 143 million consumers is likely to be “credit header” data, identifying information that includes addresses and Social Security Numbers, and links an individual to a specific credit file. There are many fewer disputes than there are credit files, which accounts for the numbers. Equifax has now confirmed the breach occurred in the disputes portal.
The delay between the discovery of the breach and its announcement was not surprising. It takes time to understand what happened, what systems were affected, and what data was accessed. If Equifax involved law enforcement, investigators may also have asked for a delay in the announcement to allow time for their investigative work.
The company’s confusing and seemingly inadequate response to the breach was not surprising, either. Equifax does not routinely deal with millions of consumers, so it had to scale its web presence and call centers. This takes time, particularly because scaling without necessary staff training and fraud prevention measures would make the situation worse.
None of this excuses what happened. If the breach took place because Equifax did not apply a publicly available security patch, the company needs to do some serious re-evaluation of its security processes. Equifax will probably do this. What is less likely to happen is a change in the company’s attitude that dealing with consumers is a cost to be minimized. Given the nature of credit reporting, only action by the Congress and diligent regulatory oversight will lead to a better balance for consumers in the long term.