Updated at 8:15 p.m.
On Thursday, Equifax, one of three major credit reporting agencies, revealed that highly sensitive personal and financial information for around 143 million U.S. consumers was compromised in a cybersecurity breach that began in late spring. There are only around 125 million households in the U.S.
According to the company’s statement, the cybersecurity breach started in May of this year and continued until it was discovered on July 29. While criminals did not appear to have accessed what Equifax describes as “core consumer or commercial credit reporting databases,” which help in the generating of credit scores, some pretty important personal information was accessed. According to the company, criminals were able to access the social security numbers, birth dates, and addresses for a massive—but as yet unspecified—number of U.S. consumers. The hack also included credit card numbers for more than 200,000 Americans and documentation related to disputes, which contain personal and identifying information, for some 180,000 Americans. On top of that, financial disclosures show that three top Equifax executives sold $1.8 million worth of company stock in the days after the breach was discovered, according to Bloomberg.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," said the company’s CEO Richard F. Smith in a statement. Equifax declined to comment further.
As Sarah Jeong has written before for The Atlantic, new technologies have resurfaced old problems related to the collection—and protection—of financial data. The circumstances in present times are reminiscent of the ones that precipitated the creation of the Fair Credit Reporting Act of 1970, she explains. But even with rules in place about how to separate and collect financial data from individuals, the transition to digital has brought those problems back, and they haven’t yet been satisfactorily addressed. Add to that the ongoing challenge of securing important information online—one that just about every organization faces—and the ability to harm the public in the course of normal operations for businesses built to collect and create crucial, personal, highly sensitive data becomes enormous.
This breach comes on the heels of a recent finding by the Consumer Financial Protection Bureau, the government agency responsible for monitoring and regulating the financial industry, that Equifax had been deceiving American consumers, signing them up for costly products without their knowledge, misrepresenting credit scores, and violating the Fair Credit Reporting Act. At the start of 2017, Equifax, along with another credit reporting agency, Transunion, were ordered to pay $23 million in fines and restitution by the CFPB. The credit-reporting industry is controlled largely by three companies: Equifax, Experian, and Transunion. Their culling and dissemination of financial data is what allows—or prevents—people from being able to buy or rent houses, get auto loans, have credit cards, and a host of other everyday necessities.
The Equifax breach, in its size, duration, and scope, is more than an unfortunate mishap. Part of the tragedy in all of this is that, those whose information has been compromised never asked to have their information collected in the first place—all major credit reporting agencies receive data directly from a host of financial companies, such as banks and credit card companies, in order to build credit reports. For Americans who want to protect their personal financial information, there is no way, in our current system, to do so.