A year after Equifax breach, no enforcement actions

David Koenig

A new report by congressional investigators details how hackers broke into Equifax last year in a breach that exposed the financial information of more than 145 million Americans.

The lawmakers who requested the report say they will press the Trump administration on the lack of enforcement actions against the giant credit-reporting agency.

Shares of Equifax plunged by about one-third last year after news broke about the massive breach. Since then, the stock has recovered to about USD10 below its peak before all the bad news and closed on Friday at USD135.91 a share. The company has reported a profit of USD236 million this year, and second-quarter profit was down just 12 per cent from the same period last year despite the breach.

Here is what you need to know about the breach and events since then:

HOW DID HACKERS BREAK IN?

The Government Accountability Office, the investigative arm of Congress, confirmed that a server hosting Equifax’s online dispute portal was running software with a known weak spot. The hackers, who have not been identified, jumped through the opening. Hiding behind encryption tools, they sent 9,000 queries to dozens of databases containing consumers’ personal information, then methodically extracted the information.

The attack went unnoticed by Equifax for more than six weeks.

Equifax officials told GAO the company made many mistakes. Some were as simple as an outdated list of computer systems administrators — when the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.

WHAT HAS EQUIFAX DONE?

The company has said in regulatory filings that it has taken steps to fix the issues that allowed the breach to occur. Equifax said it has added tools to better monitor network traffic, restrict traffic between internal servers, and tighten controls on who can access certain systems and networks.

The congressional investigators said they did not judge those efforts.

Equifax spokeswoman Ines Gutzmer said the company will increase investment in security and technology by more than USD200 million this year. She said the company has given consumers more control over their Equifax data and introduced a free credit-alert service in January.

There was also a management shakeup. The chief information officer and top security executive both retired, and Equifax hired a new Chief Technology Officer from IBM.

WHAT INFORMATION WAS STOLEN?

The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and other information. Criminals can use those bits of personal information to commit identity theft.

Equifax stores a trove of data that provides a financial profile of millions of consumers, including how much they owe on their homes and whether there are court judgments against them.

WHO IS INVESTIGATING?

The Federal Bureau of Investigation (FBI), the Consumer Financial Protection Bureau and the Federal Trade Commission, among others. It is not clear whether the FBI investigation is limited to the theft of information, or extends to the actions of the company and its executives.

Regulators in eight states, including California, Texas and New York, reached a consent order with the company requiring it to improve its cybersecurity risk. As part of the agreement, the company did not admit wrongdoing.

WILL EQUIFAX BE PUNISHED?

One year after the public learned of the breach, no federal agencies have announced any enforcement actions.

“Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information,” said Senator Elizabeth Warren, D-Mass, one of the lawmakers who requested the GAO report. She blamed the Trump administration and Republicans in Congress, and has proposed legislation aimed at preventing similar breaches. – AP