
The Equifax Hacking Scandal Is a Reminder That Credit-Reporting Agencies Are Not Our Friends

The hacking of personal information reveals a much deeper problem at the heart of the credit-reporting industry.

BY Mark Dunbar



Last week, Equifax—one of the country’s three major credit-reporting agencies alongside Experian and TransUnion—revealed that its security apparatus had been breached. “Hackers” obtained private financial information the company held on over 140 million Americans. This is the third major security breach Equifax has suffered in the past two years, and it is by far the worst. Cybersecurity experts call it a 10 out of 10 on the catastrophe scale—with the negative consequences potentially lasting for decades.

Equifax became aware of the hacks on July 29 and the company’s top brass took immediate action. But rather than moving to alert the public that their information could be compromised, on August 1 and 2, three leading executives—including the company’s chief financial officer (CFO) John Gamble—sold nearly $2 million worth of shares in the company. Traders also noticed a sudden—and suspicious—selling of Equifax stock options.

A stock option is the right to sell stocks in the future at a fixed price now. If executives knew the stock was going to quickly drop in value once the breach was made public, and decided to sell stock options that weren’t “exercisable” until after the company planned on making the breach public, that would at the very least amount to dubious legal behavior.

In July, Equifax listed 260 such traded stock options. In August, the month the company learned of the breach, that number jumped tenfold, to 2,600.

An Equifax spokesman said that executives “had no knowledge that an intrusion had occurred at the time they sold their shares.” According to Bloomberg News, however, none of the sales were scheduled in advance with the Securities Exchange Commission, a common practice to avoid accusations of insider trading. And it’s difficult to believe the CFO wouldn’t have immediately been informed about the largest security failure in the corporation’s history. Gamble has been with the company since 2014 and has only once sold shares prior to last month’s sale.

A lackluster response

Compared to the stock-selling extravaganza, Equifax’s customer-service response to the “disappointing event,” as CEO Richard Smith called it in a press statement, has been tepid. The company didn’t publicly disclose the hacks for over a month. In the meantime, Equifax hired a customer-service agency to assist with the volume of calls they’d be receiving once they did. Yet the company didn’t inform the agency of who was likely affected by the breach, so when people started calling in, the outsourced contact centers were unable to provide useful information.

The company also offered a one-year free trial with TrustedID—an identity protection company acquired by Equifax in 2013. With TrustedID’s credit-monitoring services, those who signed up would be able to definitively tell if their financial data was exposed through the breach.

However, the service appeared to come with a catch. Equifax’s Terms of Use spelled out that by signing up, customers would waive the right to participate in a class-action lawsuit. After a social-media backlash, Equifax clarified that the “arbitration clause and class action waiver included in the Equifax and TrustedID premier terms of use does not apply to this cybersecurity incident.”

Prior to last week, it’s doubtful most Americans knew what Equifax was. But since the breach was revealed, many have questioned why a company they’ve never heard of or signed up for has access to names, addresses, social security numbers, credit card numbers and a slew of other personal details stolen by hackers.

The truth about credit scores

Equifax is a credit-reporting agency. When you apply for credit, the credit score that determines the interest rate lenders will offer you likely comes from Fair, Isaac and Company (FICO)—90 percent of “top” lenders use them for credit scoring. FICO became the standard scoring system in 1995, when Fannie Mae and Freddie Mac began using it to decide on their mortgage sales.

Credit scores, however, don’t determine if a lender will approve your credit application. The credit reports that lenders get from credit-reporting agencies do (along with your debt-to-income ratio, employment and residential history).

The variance between why your credit application is approved and why it’s approved at a particular interest rate is significant. FICO scores—determined by your credit history—exclude relevant positive data such as homeownership, potential future earnings and your savings. Lenders, however, do include these factors when approving your application.

Lenders actively look for lower credit scores—as part of their monthly goals, many lending departments have a designated percentage of “colorful” credit approvals they’re encouraged to hit. Customers with low credit scores caused by errors such as mistakes in student loan deferment, unpaid medical bills, tax liens or lack of credit history are frequently the most profitable.

Credit reports are notoriously difficult to read and even more difficult to dispute. Until the Fair Credit Reporting Act (FCRA) of 1970, citizens didn’t even have a legal right to see their own credit reports. Before then, it was lending industry protocol not to allow customers to see them.

In practice, this process can still be burdensome for consumers. Lenders will often tell an applicant that in order to obtain a copy of their credit report, they need to contact the credit-reporting agency directly. Lenders will blame this bureaucratic obstacle on the credit-reporting agency, but lenders prefer this arrangement just as much as the agencies themselves, because it puts applicants at an informational disadvantage.

Before codified reporting took off in the 1950s, credit reports were essentially lists of biographical facts that credit managers thought encapsulated a customer’s character and mindset. Age, race, gender, nationality, work experience, financial prospects and political loyalties were included. So were personal habits like drinking, gambling and excessive party-going. Even medical history was included. If, for example, a woman recently suffered a miscarriage, this could indicate to a lender that she had recent medical bills and may be traumatized by the loss of her baby, thus unable to work or pay off new debts.

Codification was a technocratic solution to a real problem, taking personal life details out of credit score determinations. After the passage of FCRA, this reform offered a brokered peace between the financial sector and consumers. The financial sector’s coding system generally took into account matters strictly financial such as high credit card balances and late payments, but it was also incomprehensible to the average person.

Surveillance in the digital economy

For most of the 20th century, credit-reporting agencies held a near monopoly on private-sector surveillance. When the FBI or IRS needed pernicious details about an individual, they often turned to credit-reporting agencies. But with the advent of social media and search engines that store your browser history, data-collecting has branched out of the financial sector and into the larger digital economy.

While many companies still check credit reports when hiring new employees, managers can now also routinely monitor Facebook and Twitter pages. This has forced credit-reporting agencies to expand their services beyond data storage to—in the words of Equifax’s CEO in 1998—“predicting the future of portfolios and individual consumers.”

The scope of information obtained by the Equifax hackers likely won’t be known for many years. As of last week, the company’s security has changed from asking for the last four digits of customers’ social security number to asking for the last six, so it’s safe to assume that if you were included in the breach, the last four digits of your social security number are likely out there.

Equifax reports that the company “has found no evidence of unauthorized activity on Equifax’s consumer or commercial credit reporting databases,” but what this means exactly is unclear. In 2012, the New York Times uncovered that credit-reporting agencies had a two-tiered system: one for high-end individuals and one for the rest of us.

If there’s anything positive to be taken away from Equifax’s security blunder, it’s that it reminds us that in a shadowy surveillance economy, we aren’t the employee or the consumer, but the product. What’s to be done about this is up for debate—but not one we’re allowed to have any say in.

Mark Dunbar is a freelance writer based in Indianapolis. He can be reached on Twitter at @Mark1Dunbar.
