Seven aftershocks of the Equifax breach: What bankers need to know
For many people, the news late Thursday that Equifax was hit with a data breach that may have compromised personal data of 143 million U.S. consumers brought on a heavy case of data breach fatigue.
It felt like one more in an absurdly long string of massive data breaches that has included Yahoo, Google, Verizon, the IRS, the Department of Homeland Security, Anthem, Target, Neiman Marcus, JPMorgan Chase, Home Depot and too many others. Equifax itself has been breached four times in the last two years.
But this breach looks to be a bit more severe than most of these others and it will have consequences in multiple areas. Here's a rundown.
Identity theft. Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers for 143 million people were exposed in the breach, in which criminals exploited a website application vulnerability to gain access to Equifax files. In addition, credit card numbers for about 209,000 U.S. consumers and certain dispute documents with personal identifying information for roughly 182,000 U.S. consumers were vulnerable. Equifax says the unauthorized access occurred from mid-May through July 2017.
"This isn't just email addresses and credit card numbers," said Nick Clements, who formerly ran a fraud department at Citigroup and today runs the consumer finance site MagnifyMoney.
When credit card account data is compromised, card issuers are notified, card numbers get retired, the cards are reissued and that's more or less that.
"I don't even blink anymore when it happens," Clements said. "No big deal."
But with a consumer's Social Security number, date of birth, name, address, and in some cases driver's license number, a fraudster can open a new credit account relatively easily.
"This is about fraudsters being able to go out and open a brand new account in your name, and potentially selling Social Security numbers," Clements said. "The thing that wakes people up, at least wakes me up, is that it's a lot of numbers and the nature of the information means the type of damage that could be done is a lot more serious than just taking over a credit card."
Equifax said that it hasn't seen any unusual activity among any of the 143 million victims. To Clements, this is cold comfort.
"This stuff takes time," he said. "If names and Social Security numbers and dates of birth are out there, they will be used at some point. No one should take reassurance that a few weeks in, they don't detect a high level of activity." When he worked at Citi, "you'd see, months later, stolen information turning into new accounts or fraudulent activity. There's a long shelf life here."
There's a related emotional impact, Clements said.
"This is a company that sells identity theft protection services, and then 143 million people lose their information, so even people who are charging money to help protect people from identity theft become a target," he said. "It makes you realize your data is just as safe as an individual. I work under the premise my data will be stolen and I need to live with that reality."
Equifax did not respond to several requests for comment Friday.
New account opening. This breach heightens the risk of fraudulent account openings at a time when banks and fintech companies are increasingly allowing consumers to open new accounts on mobile devices in faster time frames — often in less than 10 minutes.
When banks and fintechs open accounts online, they typically use information provided by credit reporting agencies to help verify identities and meet Bank Secrecy Act obligations, pointed out Scott Sargent, an attorney with Baker Donelson's Financial Services Transactions Group.
"Banks and fintechs will need to closely evaluate their processes in light of the Equifax breach to make sure the information they are getting is still accurately verifying their online customers," Sargent said.
Authentication. This incident may call into question the industry's dependence on consumer data for authentication.
"Financial institutions and other similar businesses that rely on personally identifiable information are being confronted with an environment where all of this data is being bought and sold, fed by these types of events," said Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research.
That means they can no longer rely strictly on PII as a means of verifying identity. In a way, this breach ties in nicely with the New York State Department of Financial Services' cybersecurity rules for banks, which require them to use multifactor authentication — the use of something besides a user name and password to grant people access to applications, be it a one-time passcode, a biometric, knowledge-based authentication or something else — or even stronger controls.
Lawsuits. Within 24 hours of Equifax's announcement, it was slapped with a class-action lawsuit from two Oregon residents, Mary McHill and Brook Reinhard, who filed on behalf of all 143 million victims and said they viewed this as a "teachable moment" to induce Equifax to finally adopt adequate safeguards to protect against this type of cyberattack in the future.
"In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers," the complaint states. "Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to. Consumers like Ms. McHill and Mr. Reinhard should not have to bear the expense caused by Equifax's negligent failure to safeguard their credit and personal information from cyber-attackers."
Reinhard suffered an injury of loss of $19.95 to pay for third-party credit monitoring services he otherwise would not have had to pay for, the suit claims.
"So the lawsuits have already started," said Craig Newman, partner at Patterson Belknap Webb and Tyler LLP. "The legal implications could be significant, because you not only have a class action lawsuit filed and likely additional litigation, but then you have the specter of regulatory investigations."
New credit cards. Compared to other large-scale credit card data breaches, the 209,000 card numbers exposed in this breach are small potatoes. Still, it can cost $5 or more to issue each new credit card. It's possible banks will sue Equifax to recoup these costs.
Target paid $19 million in reparations to banks affected by its 2013 breach, in which 40 million card records were compromised.
Third-party vendor risk. Under New York's new cybersecurity rules for banks, by March 2019, state-regulated banks will have to have in place a series of safeguards for third-party vendors that have access to their networks or to whom they provide data, Newman pointed out.
"For financial institutions, this sort of breach raises a vexing question, because many of them provide nonpublic information to credit reporting agencies, and it underscores the fact that when you provide network access or sensitive information to a vendor, the diligence process has to be tightened as these sorts of attacks become more frequent," Newman said.
Equifax's future. Thursday was a dark day for Equifax. Reputationally, a breach of this scale for a company that provides identity theft protection is deadly. Its stock price tumbled on Friday.
The prospects for OnlyID, the authentication service Equifax announced with FIS in late August, now look dim.
"One of the most frightening things about this breach is that some victims didn't even provide information to Equifax and may not even know they've been affected by this breach," Newman said. "It's clear they're going to face additional lawsuits and regulatory inquiries. The real question is whether a breach of this magnitude forces a change in behavior and whether organizations view significant breaches as teachable moments and learn from the very tough lessons they are being dealt."
Some observers predict Equifax will live down the breach.
"There's definitely going to be brand issues," Clements said. "At the end of the day, these credit bureaus' biggest customers are still banks that provide data to the bureau and then use that for scoring and credit decisioning. I doubt we're going to see dramatic departure, where all of a sudden a large bank stops providing information to Equifax. With the amount of money that's going to being spent by Equifax on data security over the next year, a year from now it might be the safest place because they have to make sure it never happens again — data security will always win out."
Bryan Yurcan contributed to this story.