Guest editorial: Equifax profits by selling your data
The House Financial Services Committee will hold hearings into the massive data security breach at Equifax, but some lawmakers are not waiting to demand answers.
The credit-reporting company disclosed last week that “criminals exploited a U.S. website application vulnerability” to gain access to the personal details of 143 million Americans. The information accessed included names, Social Security numbers, birth dates and addresses.
That’s enough information to commit identity fraud on half the population of the country, but the criminal activity could turn out to be less troubling than what’s legal.
To begin with, the law did not require Equifax to disclose the data breach immediately so consumers could guard against fraud. The company waited until Sept. 7 to reveal the unauthorized access that occurred in mid-May and was discovered on July 29.
And just days after the company learned of the hack, three top Equifax executives, including the chief financial officer, sold shares of the company’s stock worth almost $2 million. In a statement last week, Equifax said the executives did not know about the cyber intrusion at the time of the transactions.
That didn’t satisfy Senate Finance Committee Chairman Orrin Hatch and ranking Democrat Ron Wyden, who sent a letter to Equifax CEO Richard F. Smith on Monday demanding more information about the timeline, and particularly asking when those three executives were first told of the data breach.
The company didn’t help itself with a sketchy effort to trick hacking victims into giving up their legal rights by enrolling in a free credit-monitoring service — the small print included a waiver of the right to sue Equifax or participate in a class-action settlement.
Under pressure from New York Attorney General Eric Schneiderman, Equifax dropped that language from the terms of the credit-monitoring agreement.
Perhaps most disturbing is the company’s opaque statement that its investigation into the data breach “found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Then, what was hacked? Equifax won’t say.
But the company’s own website offers plenty of clues. In addition to the credit reporting business for which it is best known, Equifax runs a profitable side business selling consumers’ personal data to marketers.
“Gain instant access to comprehensive credit data,” the company’s website offers business customers, promising “the data reliability and currency that Equifax is known for.”
Equifax sells marketing lists that offer “access to current personally identifiable information for over 210 million consumers.”
A taste of the research for sale can be found in a company blog post titled, “Baby Boomer Wallets are Exploding.” Apparently aimed at selling data to financial services companies, Equifax reveals that over 43 percent of Boomers have more than $125,000 in invested assets, their auto loan balances are down 9 percent in the last five years, their average mortgage balance is over $89,000, and “Boomers are more likely to seek advice from brokers than other generations.”
In 2012, Equifax settled Federal Trade Commission charges that it improperly sold more than 17,000 prescreened lists of consumers who were late on their mortgage payments. The lists were used by third-party companies for the “impermissible purpose” of marketing loan modification and debt relief services.
But it’s legal for Equifax to sell “consumer reports” to support “business-specific needs,” including “targeted cross-sell and up-sell campaigns.”
This is no mere mailing list. Equifax collects sensitive personal information on every consumer’s financial transactions. Is that data really their property?
That’s a question for Congress, or the courts.
Orange County Register, Sept. 12