The spectacular data breach at Equifax has exposed a murky industry in need of reform.
Hackers broke into the credit reporting company's computers and stole key personal data, including names, addresses, birthdays, Social Security numbers, and some credit card numbers from 143 million Americans. The upshot is hackers now have the most important pieces of identification for nearly half the country.
Obtaining such personal information makes it easy for hackers to steal an individual's ID, apply for loans, credit cards, and even government benefits. Hackers can sell the information to others to be used for years to come.
Equifax's handling of this disaster has been feeble and dishonest, which only increases the need for improved security measures and increased regulation of credit-reporting companies — not less regulation, as Equifax wants.
Equifax waited six weeks to report the data breach, the third hacking at the company this year. But the day after the Atlanta-based company discovered the hack, three senior executives, including the chief financial officer, sold $1.8 million worth of stock.
Even worse, in the months leading up to the breach, Equifax was lobbying lawmakers and federal agencies to relax regulation of credit-reporting agencies. In this year's first six months, Equifax spent at least $500,000 to lobby Congress and federal regulators.
Equifax has been lobbying lawmakers and regulators on issues regarding "data security and breach notification" and "cybersecurity threat information sharing." It has also pushed to repeal a federal regulation upholding consumers' rights to sue.
After the hack, Equifax offered consumers one year of free credit monitoring to guard against identity theft. Initially, it also wanted consumers to waive their right to sue the company in return for the service. The public backlash prompted Equifax to back off that brazen demand, but what happens after the year is up? The company could then charge for the service.
In other words, Equifax stands to profit from its blunder. That is an insult to the millions of individuals who will be impacted. Equifax should be required to provide the credit-monitoring service in perpetuity. What's to stop the hackers from waiting a year or more to use the stolen information?
The problem is not going away. Now that people's personal information is out, it can be used again and again. That argues for greater regulation and an overhaul of the entire credit-bureau system.
Equifax has proven it cannot protect individuals' key personal and financial information. And it is not the first credit-reporting company to get hacked. Reports that data obtained by hackers may be used to impact voting systems further underscores the need for tighter regulation and better security across the board.
At least 23 class-action lawsuits have been filed. State investigators in several states have also launched a probe.
In addition to holding Equifax accountable, federal officials need to implement enhanced security measures to guard against identity theft from credit bureaus, perhaps requiring a PIN and password in addition to a birthday and Social Security number.