Even at a time when massive data breaches feel like the new normal, the Equifax breach is nothing short of shocking.
Equifax revealed Thursday that the personal information of as many as 143 million Americans — or nearly half the country — has been compromised.
The number of people impacted may pale in comparison to Yahoo’s two security breaches last year, which exposed data from more than one billion user accounts. But the Yahoo breach only involved data like like email addresses and passwords.
The Equifax breach exposes some of our most sensitive personal information: names, social security numbers, addresses, birth dates and the some driver’s license numbers.
For consumers, the situation is maddening in large part because we are nearly powerless to avoid it.
Unlike Yahoo, Equifax is not a service you intentionally sign up for and then explicitly provide with your data. Equifax, a credit reporting firm, gets its data from credit card companies, banks, retailers, and lenders who report on the credit activity of individuals to credit reporting agencies, as well as by purchasing public records.
Equifax is one of three major credit bureaus in the U.S., along with TransUnion and Experian. If you live in the U.S. and have a financial pulse, chances are they are tracking and rating your financial history.
“Our information security and technology teams are actively evaluating this incident to determine what, if any, actions from TransUnion might be appropriate,” a spokesperson for TransUnion said in a statement.
Reps for Experian did not immediately respond to requests for comment on their security measures.
“The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data,” Brian Krebs, a prominent cybersecurity blogger, wrote Thursday.
Krebs says these firms are “long overdue” for greater regulatory oversight. Some legislators are proposing to do just that.
Sen. Mark Warner, a member of the Senate Banking Committee and cofounder of the Senate Cybersecurity Caucus, said Congress needs to implement a “uniform data breach notification standard.”
Congress also “needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data,” Warner said in a statement Thursday.
Rep. Maxine Waters pledged to reintroduce legislation that would shift the balance of power in the credit reporting process more to consumers. Her earlier proposal called for “fixing the dispute process” so credit bureaus rather than consumers “bear the burden to prove the accuracy” of information.
For now, though, consumers must rely on a different remedy offered by Equifax, with some strings attached.
Equifax is offering free identity theft protection and credit file monitoring services, but it’s a service that’s actually also owned and operated by Equifax. To get it, you must first provide the last six digits of your social security number to Equifax, which just revealed having social security numbers stolen. And you had to sign away your right to sue Equifax.
If that’s not enough, those who decided to sign up anyway were told the credit monitoring service would not be available until next week. This only adds to the feeling of helplessness. Equifax says the breach occurred months ago, in mid-May and July.
Reps for Equifax did not immediately respond to a request for comment for this story.
The frustrations of consumers were laid bare on Friday morning when an official Equifax customer service account posted a what some called a “chipper” message on Twitter: “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!”
“Why did you wait 2 months to notify us?” one person wrote in response. Another said: “Stevie, can you help repair my life your company just ruined?”
“So why does your victim list require us to put in our SSN?” a third person wrote. “Why would we trust you with that ever again?”
The Equifax customer service tweet was quickly deleted.