Equifax's business model under growing scrutiny
As Equifax sheds its top execs, more experts are casting attention on the business practice of charging consumers for monitoring their personal data at bureaus that otherwise give them little control over their financial identities.
Equifax isn't the only company that offers such a service. Other than the major credit bureaus, which also include Experian and TransUnion, companies like LifeLock and Credit Karma offer some form of credit monitoring or scoring service to give consumers a glimpse into how the major bureaus handle their data — and it's up to consumers to then alert the bureaus when their data is in error.
Equifax is offering consumers free credit monitoring services for a year, but the exposed data will remain valuable to fraudsters for far longer. So to consumers, it may feel like these credit-monitoring services are a ransom they must pay to the very entity that mishandled their data.
But financial services providers that already have recommended fraud-prevention procedures in place are unlikely to double up on more fraud-fighting solutions.
“Is the Equifax breach a game-changer? No, because we’ve already had so many other breaches exposing similar data,” said David Pollino, senior vice president and deputy security officer at San Francisco-based Bank of the West, which operates 600 branches in 23 U.S. states. Pollino spoke on a panel about payments fraud at last week’s PayThink conference in Phoenix sponsored by SourceMedia.
“Before Equifax, I could buy data for some of the same names on any number of [dark] e-commerce sites, so nothing has changed in that regard,” Pollino said. “Maybe now it’s cheaper, and maybe now there’s a greater automation threat from those who get ahold of stolen data.”
Equifax is bad news for the lending industry, which may see a widespread pullback on new accounts with millions of consumers temporarily freezing their credit to be safe. But for many financial institutions that have made appropriate preparations, the response will be routine, according to Pollino.
“It always comes back to the recommended layered approach to protect consumer data, and maybe now you turn on two-factor authentication too,” Pollino said.
Equifax itself is unlikely to reap any benefits from its breach. Several class actions are in motion and some state attorneys general and lawmakers are investigating the incident. Massachusetts has filed suit against Equifax, seeking civil penalties for harm to more than half of the state’s residents.
At an unrelated Senate hearing on Tuesday, Sen. Mark Warner, D-Va., wondered aloud whether Equifax had any right to offer the services it does. "I question whether Equifax even has the right to continue providing these services with the level of sloppiness" in cybersecurity, he said.
This isn't even Equifax's first time facing this kind of scrutiny this year; in January, the Consumer Financial Protection Bureau levied more than $23 million in fines and restitution against Equifax and TransUnion, saying that the companies deceived consumers into paying for data that had little beneficial value.
Data breaches have become common — the number of total breaches reached 1,000 in 2016, up 40% from 2015, according to the Identity Theft Resource Center. But the scope of the Equifax breach dwarfed other recent breaches and it introduced a fresh twist, according to Tim Sloane, vice president of payments innovation at Mercator Advisory Group.
Fraudsters invaded Equifax’s files undetected for about four months, enabling them to study data presented in an orderly way, making it easier to transfer and sell, unlike other breaches where data is intercepted opportunistically, Sloane said.
“By making all the data available in a formatted way, the criminals who hit Equifax can more easily automate the creation of fraudulent ‘synthetic’ identities, which is already a major problem banks face,” Sloane said.
And where do financial institutions often turn for help in blocking synthetic fraud? One resource is credit bureaus, according to Sloane.
“The fact that credit reporting agencies claim to have the resources required to identify a synthetic identity makes this data loss even more bizarre and apparently poised to deliver another benefit beyond protection offered to consumers,” Sloane said.
And what of consumers? They may not be willing to pay Equifax to clean up its own mess, but credit monitoring is getting cheaper, and the revenue model around these services is changing.
Credit Karma, for example, charges nothing for its services; instead it earns fees from credit card issuers and other lenders when customers qualify for products Credit Karma’s site recommends. Credit Karma has long offered consumers free credit reports on demand, and it reacted to the Equifax breach by boosting its service to include rolling, daily Equifax and TransUnion credit reports for all of its customers with a notification service to alert consumers of anything suspicious that might require immediate action.
But credit monitoring only helps consumers by alerting them to possible exposure of their personal credentials after they have a problem. When fraudsters leverage stolen data and ruin a consumer's credit, it can get costly.
“Damaged credit can hurt a consumer’s ability to buy a car or a new home, open up any simple credit account or even a bank account, and it can interfere with job applications at employers that do background checks,” said Madeline Aufseeser, CEO of the card security technology Tender Armor and an expert on payments fraud.
LifeLock charges $9.99 to $29.99 a month for services that include working to help consumers repair their credit after identity theft occurs.
Ian McKendry contributed reporting to this article.