Data breach? What data breach?
One year after Equifax Inc. disclosed a hack of its computers that shook the financial world, sparking an FBI review and slashing a third off the company’s share price in one week, investors and the public seem to have largely moved on.
The company, whose shares have recovered almost 90 percent of the losses suffered in the plunge, will probably post a record annual profit next year. Equifax said there was no mass defection of clients after the breach put half the U.S. population’s sensitive personal information at risk, and congressional hearings have so far yielded no major changes to federal laws protecting data. The credit-reporting company’s revenue last quarter reached a record $877 million.
“It was certainly a bump in the road, but it doesn’t look like anything else is going to dramatically change the future,” Brett Horn, an analyst at Morningstar, said in an interview.
Between May and July last year, criminals exploited a vulnerability in the software Equifax used to build its website and absconded with data on credit cards, Social Security numbers and drivers’ licenses. The company faced withering criticism after disclosing the hack in September 2017, and more than 90 percent of consumers have taken some action to protect themselves from identity theft in the aftermath.
A Government Accountability Office report released Friday details steps that have been taken since the incident, noting that Equifax’s primary regulators are still investigating.
“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information,” Sen. Elizabeth Warren, a Massachusetts Democrat who requested the report, said in a statement.
An Equifax spokeswoman declined to make company executives available for an interview, but the company said in an emailed statement that it’s made a number of improvements since the breach, including a more than $200 million boost to this year’s budget for security and technology.
“We have enhanced our leadership team to include some of the most experienced cybersecurity and technology professionals in the industry, notably new Chief Information Security Officer Jamil Farshchi and Chief Technology Officer Bryson Koehler,” the spokeswoman said.
Following the breach, legislators held hearings and proposed policies to guard consumers’ data. The Consumer Financial Protection Bureau and the FBI looked into the hack, and the Federal Trade Commission started an investigation.
Vermont passed a law regulating data brokers, and California enacted sweeping data-privacy rules. Eight state banking commissioners, including New York’s, signed a consent order with Equifax requiring the company to bolster oversight.
“There’s now momentum building among state governments in the U.S., regulators, and regulators abroad to adopt stricter cybersecurity regimes to give consumers more control of their data,” said Joseph Facciponti, an attorney with expertise in cybersecurity. “It’s a tipping point in the public’s consciousnesses.”
Free credit freezes will now be required as part of legislation rolling back the Dodd-Frank financial regulations, but some argue more action is needed.
“One year later, Equifax still hasn’t paid a price for putting 150 million U.S. consumers in harm’s way,” said Mike Litt, consumer campaign director at U.S. PIRG, which works for tougher consumer-protection laws. “There hasn’t really been consequences, at least not financial consequences, and that’s ultimately what’s needed.”
A class-action lawsuit pending in an Atlanta federal court might eventually bring some of that financial pain to Equifax. The suit is a consolidation of various cases representing a nationwide class.