On Sept. 8, the credit-rating agency Equifax announced that they had discovered a security breach that compromised the data of over 140 million U.S. consumers. The company admitted they had found out about the hack on July 29, almost six weeks before their public announcement.
Hackers were able to obtain names, Social Security numbers, addresses, birthdates, and even some driver's license numbers. The hackers gained access to Equifax's data through a flaw in a piece of open-source web software called Apache Struts. The cybersecurity arm of the U.S. Homeland Security Administration had released a fix for the Apache Struts flaw back in March, but Equifax didn't apply it well enough to prevent the hack that began three months later, in May.
Equifax is currently being sued and is overwhelmed with consumers requesting freezes of their credit reports so as to prevent hackers from applying for credit under false names.
Most of the time, the three quasi-monopoly credit-rating agencies Equifax, TransUnion, and Experian are largely invisible to the public eye. They don't sell their products directly to consumers—their customers are banks, loan companies, and other extenders of consumer credit.
The only time you as a consumer have any dealings with one of the Big Three may be when you apply for a home loan or car loan. The rating you receive from a credit agency can mean the difference between buying a home and renting for the rest of your life, or being able to borrow more money on a credit card without paying ruinous interest. So although there's not much you can do to affect what the agencies say about you, they hold considerable financial power over you. The least you can expect from them is to act as responsible guardians of the highly personal data they accumulate under your name. And Equifax's data breach betrayed that trust.
This is an odd situation, but it has come about through the nature of our consumer-credit-intensive economy. Back in the nineteenth century, when consumer credit was most often an informal arrangement between a general-store customer and the owner who knew the customer personally, there was no widespread need for consumer credit information.
However, commercial firms were interested enough in the creditworthiness of other firms that the "Mercantile Agency" of Dun, Barlow & Co. arose. By 1876, this firm had a network of informants all across America, typically small-town lawyers, who periodically sent reports on local merchants to headquarters in New York City. The reports were compiled and printed in a quarterly Reference Book to which interested credit-extenders subscribed. Dun, Barlow & Co. eventually became Dun & Bradstreet, a firm which still provides financial data on commercial firms today. But then as now, credit-rating agencies sell information about consumers to companies, and it is in their self-interest to protect that information from compromise. In this, Equifax has signally failed.
I have previously discussed in this space the qualities that any company caught in a crisis should have. Among these are prompt action and transparency. So far, Equifax has stumbled on both counts. While it has to take a certain amount of time to apply patches to large software systems such as Equifax runs, data security is the essence of their business, and the three-month delay between learning about the Apache Struts flaw in March and the time when the data breach began in May was too long. It took Equifax another two months to discover the breach, and then six more weeks went by before they announced to the public that it had happened.
Such delays might be excusable in a mom-and-pop grocery store, but not for one of the three largest credit-reporting firms in the U.S.
What can you as a consumer do if you think your data may have been compromised?
Equifax has announced the waiver of the usual ten-dollar fee for a credit freeze, and if you can manage to push your way through their clogged website and phone tree to request one, that is one thing you can do. And at least one law firm has announced its intention to launch a class-action lawsuit on behalf of all 140 million Americans affected by the breach.
But neither of these things will address the fundamental structural problem: too much of our personal information is stored in places that are too vulnerable to unscrupulous hackers.
If (as is possible) it turns out that the hackers were not based in the U.S., there is an international twist to this tale. In that regard, the Homeland Security Agency deserves kudos for doing what it ought to be doing: finding ways that hackers can attack U.S. interests and helping private firms prevent such attacks. But if the private firms drop the security ball, the government has wasted its time telling them about the problem.
In general, I regard government regulation as a last resort when other measures fail. But as firms get larger and affect more and more people in a country, it's probably appropriate for them to come under the regulation of that country's government. There is always going to be some kind of relationship between large firms and government, but that relationship can be either benign or malign for the consumer. The pre-breakup Bell System was allowed to monopolize telecommunications in the U.S. until the 1980s, and in turn it accepted close government supervision and regulation of its tariffs and profits. It may not have been the most innovative telecom service in the world, but it was stable, predictable, and reliable.
It may be time to require the Big Three credit agencies to submit to some kind of data-integrity requirement, or face penalties for data breaches that are so severe they will clean up their act. But our track record of penalizing these types of agencies for past mess-ups is poor. One need only think back to the housing-bubble collapse of 2008, in which commercial rating agencies were gold-plating financial instruments that looked as solid as a rock until the bubble burst and knocked them over, revealing a nest of roaches and scorpions underneath.
Equifax is at best guilty of incompetence. Perhaps the marketplace will punish it enough to make it mend its ways. But it may be time to re-examine some of our basic assumptions about the responsibilities of private credit-rating firms in our consumer economy. And in the meantime, keep an eye on your credit rating.