With her frequent scowl and no-nonsense tweets, California Rep. Maxine Waters is usually outraged about something. But she was right to zero in – “Auntie Maxine”-style – on Equifax, the credit rating company that exposed the personal information of 143 million Americans, and then waited a month and a half to say anything.
“This hack into sensitive information compiled and maintained by Equifax is one of the largest data breaches in our nation’s history and someone has to be held accountable,” she said last Thursday, making the Los Angeles Democrat among the first in Congress to call out the company.
Since it happened, multiple federal investigations have been launched, and a class-action lawsuit has been filed. Monday, the top Republican and the Democrat on the Senate Finance Committee sent Equifax angry letter demanding an explanation. So did Democrats on the House Energy and Commerce Committee. Hearings are planned. Some have mentioned jail time.
We all should be outraged.
Equifax is among a handful of loosely regulated companies that manage Americans’ credit histories, which banks use to determine creditworthiness. By exposing people to identity theft, it’s likely many will become victims of fraud. Millions could run into trouble buying a car or renting an apartment. In the Central Valley, where the a combination of high property values and low income compared to coastal communities creates a significant “poverty” rate, that could be devastating.
Yet, since reporting the data breach last week, Equifax has been infuriatingly and inexcusably close-lipped. The Atlanta-based company has refused to release even the most basic details about what happened, offering only a vague explanation about an investigation being under way and that there was “no evidence of unauthorized activity on our core consumer or commercial credit reporting databases.”
But the BBC reported Wednesday that one employee in South America used the word “admin” as both a login and password – and this a company that is supposed to protect our digital privacy.
Equifax’s initial “remedy” included an attempt to trick victims into agreeing not to sue. Only after an uproar did the company agree to temporarily waive fees for those who want to put a freeze on their credit, keeping would-be identity thieves at bay. Before that, consumers were expected to pay for the privilege.
Worse, three Equifax executives made a profit by selling company shares after the breach was discovered in July, but weeks before it was announced.
This week, CEO Richard F. Smith was feeling the heat and finally issued a puny mea culpa for the way Equifax carelessly exposed the Social Security numbers, birth dates and driver’s license numbers of millions of Americans.
This is the same man who just last month – after he presumably knew about the data breach – told the Atlanta Business Chronicle that trustworthy and admired CEOs like himself practice “transparency, candor, consistency and humility.”
We deserve more from a company that holds the identities of so many Americans in its databanks. Substantial reforms must follow any investigation. Congressional Democrats are wisely pushing for tougher federal protections on digital privacy, giving companies a timeline to notify customers when breaches occur.
In the past, such efforts have devolved into partisan bickering. And with the Trump administration having vowed to slash, not add, financial regulations, it is likely to happen again. But after this incredible breach, if nothing changes that would be the real outrage.