Criminal probe into Equifax

The US Justice Department has opened a criminal investigation into Equifax, one of the largest consumer credit reporting agencies in the country.

The company disclosed a data breach that has affected millions of its 143 million consumers.

Background

Equifax Inc. is a consumer credit reporting agency in the United States. It was founded in 1899 and it is one of the largest credit agencies in America. A global service provider, it has employees in over 14 countries. It’s annual revenue as reported in 2014 was approximately US $2.7 billion.

The company collates and maintains information of 88 million businesses worldwide as well as 800 million consumers. Twice in the company’s history, it has been fined for violating the Fair Credit Reporting Act by the Federal Trade Commission.

On September 2017, Equifax announced that a large-scale data breach had taken place in the company. It stated that an unauthorized third party was able to gain access to Equifax data on as many as 143 million Americans. This is nearly half the population of America. The Census Bureau estimates that there are 324 million people in America in 2017. According to Equifax, the breach occurred sometime around July 29th, 2017. In total, the data that was breached included names of people as well as their birth dates, Social Security numbers and addressed.

Analysis

In addition to the data breach that was reported in September 2017, Equifax has admitted that it had faced another security breach in March– five months before the disclosure was made. The company has revealed that the two incidents are unrelated.

At the time, the company brought in brought in FireEye-owned Mandiant to help investigate the first event. In a statement to CNBC the company has stated, “The retention of Mandiant in March was unrelated to the July 29 cybersecurity incident. Equifax complied fully with all consumer notification requirements related to the March incident.”

The company has apologized to its customers. However, its legal woes are far from over. The US Justice Department has opened a criminal investigation into the company. Some of the top officials within the company had sold a portion of their shares before Equifax had disclosed the breach. The US Justice Department is investigating if the two developments are related. The company shares have fallen 35% since the time they had publicly announced details of the breach. The members who are under scrutiny are - Equifax’s chief financial officer, John Gamble; its president of U.S. information solutions, Joseph Loughran; and its president of workforce solutions, Rodolfo Ploder.

There will be additional scrutiny by US lawmakers and regulators to decipher if the breach had compromised on the privacy of the company’s 143 million consumers.  

New York governor Andrew Cuomo has ordered the state’s Department of Financial Services to draft new regulations requiring credit-reporting agencies to register with the state and to meet its cyber security standards. This will allow the financial services 

The new rules will allow New York’s financial services superintendent to deny or revoke a credit reporting agency’s authorization to do business in the state.

Assessment

Our assessment is that Equifax is looking at long road of multiple litigations from both the state and its consumers. The data breach in the company proves that the sensitive data stored by governments and organizations across the world is vulnerable. We feel that the breach was a wake-up call and with this action New York is raising the bar for consumer protection. Can a similar incident take place in India with the Aadhaar card?