News Analysis: Equifax faces tough questions and class actions

David Reed, director of research and editor-in-chief, DataIQ

US-based credit reference agency Equifax endured a gruelling weekend as it attempted to answer questions about a data breach which is believed to have exposed records on 143 million US consumers - nearly half the population - and potentially 44 million UK adults. In addition to data protection regulators demanding answers, financial regulators are looking closely at share sales by three Equifax directors just days before the breach was made public. Consumer class actions have already been launched in the US and may potentially follow in the UK.

Data security experts have been scathing in their responses to reports of the breach. Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers (IAITAM), said: “It’s two strikes and you’re out for Equifax, which handles some of the most sensitive consumer information in the United States and now has permitted what is perhaps the worst breach of consumer information in our nation’s history. After the breach debacle that Equifax went through in 2013, just four years ago, there is no conceivable excuse in the world for this kind of failure to happen again.”

What we know

1. The breach is big - and as bad as it gets

At 143 million US records and potentially 44 million in the UK, the breach represents a massive haul for the presumed criminal parties involved. Worst of all, the American files contain social security numbers, which are used across the US financial system as a persistent identifier and cannot readily be changed once exposed. Possession of this one data item makes identity fraud and account takeover a much easier matter. The only good news for UK consumers is that no single data item is used in this way.

2. Equifax would not have met GDPR rules on data breach notification

Illegal access to the records is understood to have taken place between mid-May and July, coming to the company’s attention on 29th July. It made the breach public on 7th September, some 40 days later. Under the General Data Protection Regulation, which applies from May 2018, “a notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.”

3. Officers deny knowledge of breach when shares were sold

According to Bloomberg, “chief financial officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of US information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.” All three have stated that they were unaware of the data breach at the time they sold their shares, the value of which has fallen by 13% since the company announced the hit.

IAITAM’s Rembiesa is sceptical about the explanation offered. “What is perhaps most disturbing to me is how three top Equifax officials – including the CFO of the company – could cash out stock immediately before this kind of announcement and then claim ignorance as a defence for doing so. If this is what passes as acceptable management at a leading US company handling the most sensitive information about 100 million-plus Americans, then we are going to see many more breaches like this in years to come,” she said.

4. Class actions have been launched (but not by anybody using Equifax to track their data post-breach)

US lawyers were quick off the mark to launch class actions, which are likely to be joined by significant numbers as the effects of the breach unfold. It is worth noting, however, that these are time-consuming and not always successful - an action following Experian’s exposure of 200 million records to a Vietnamese identity thief in 2013 ran into the sand two years later. Affected consumers are being told to check whether they are affected on Equifax’s site and are offered one year’s free credit monitoring, but the terms of that service involve waiving the right to join a class action.

What we don’t know

1. How the breach happened

Equifax is understood to have engaged cyber-security firm Mandiant to investigate how the breach occurred. The cause is unlikely to be revealed by the company itself unless it is required to do so by a regulator or lawsuit.

2. What the ICO can do for Brits affected

Equifax is a US-based business and it is not clear whether it has a UK establishment which would allow the Information Commissioner’s Office to take action. In a statement on Friday, deputy commissioner James Dipple-Johnstone said: “Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber-attack cases that cross borders, the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”

3. What has happened to the data

With the cause of the breach unknown, so, too, is the identity of the criminals involved. Given the time already elapsed, it is likely that personal information taken from Equifax will already have been sold on and/or used to build “fullz” in order to steal identities, open accounts and start lines of credit.

4. What it will cost Equifax

An initial 17% drop in its share price saw $3 billion taken off the company’s market capitalisation. While the fall is now more like 13%, shareholders will be asking tough questions. The real bill has yet to arrive, with regulatory penalties certain to arise and compensation claims yet to be filed. Clients may also choose to switch their credit reference agency (CRA), although this is often difficult because of the extent to which a service is embedded into processes.

Fixing the cause of the breach at a technical level will also be expensive. Hervé Dhelin, VP strategy at EfficientIP, said: “Our trust in the security is being questioned because an organisation which prides itself on protecting sensitive data has been brought down. From our research, we know a large organisation on average spends over $2 million per year fixing the damage caused by cyber breaches, and it looks like the cost for Equifax will be higher than that.”

An expert commentator on all things data, David has been editor of DataIQ since its inception in 2011.