“Fraud is a huge opportunity for us, it is a massive, growing business for us,” Richard Smith, former CEO of Equifax, said in August. While Smith’s statement may have stirred little attention at the time, when Senator Elizabeth Warren read the quote back to him, it must have been a regrettable choice of words.
More than 145 million Americans have been affected by the breach of the credit bureau Equifax. While massive hacks make headlines, they usually only pertain to credit card fraud, which is incomparably easier to remedy than stolen social security numbers (SSNs), tax returns addresses, and driver’s licenses that have been compromised. Most of the stolen information cannot be re-issued or replaced. Those affected have typically had permanent information stolen, and may be vulnerable for the rest of their lives.
On Oct. 13 the IRS suspended its $7.25 million taxpayer identity verification contract to Equifax, technically called a sole source offer. The decision followed on the heels of a false Adobe Flash update on Equifax and TransUnion websites that installed malware on users’ computers as they tried to check their credit reports. On Oct. 16, the Government Accountability Office denied the arguments from Equifax for the bid to be re-opened.
However, it is key that this contract was suspended and not terminated. “Once the fury calms down, the IRS will most likely re-open the offer to Equifax,” said associate professor John Blackwood of UCC’s Computer Information Services.
The IRS contract is now in the hands of Experian, and has been shrunk by almost ten times. The initial decision to grant the multi-million dollar sole-source contract to Equifax while its CLO John Kelley and former CEO Smith were under Congressional investigation is still mysterious. Why the contract was solely offered to Equifax in such circumstances also seems morally dubious to lawmakers on both sides of the aisle.
Allowing Equifax to continue its work with the IRS seems to defy all logic, but it would be on par with the lack of immediate consequences for three chief Equifax officers that sold an estimated $1.8 million in the days following unauthorized access to their website on July 29.
Products like LifeLock and similar products should be researched before being purchased. Blackwood and “Last Week Tonight” with John Oliver said Lifelock’s CEO Richard Maynard drove his company truck with his SSN posted on the side like a phone number. He was personally hacked thirteen times after that point in time, making consumer rights advocates more than skeptical of Lifelock’s leadership.
But Maynard’s poor judgment is not the only reason consumers should avoid using LifeLock as protection from the Equifax hack. Senator Warren confirmed during her congressional questioning of Smith that “LifeLock purchases credit monitoring services from Equifax.” This is most significant, because anyone who went to LifeLock because of issues with the Equifax breach did anything but help their own situation by doing so. In other words, LifeLock purchasers are no more protected than anyone else due to Equifax being the security provider for LifeLock and the target of a massive security breach. Senator Warren also told Smith during his questioning that enrollment of the product LifeLock increased tenfold after the public knew of the Equifax breach.
Blackwood said that LifeLock should donate a significant portion of their earnings to those most in need, such those affected by the hurricanes in Puerto Rico, if they hope to save face.
The brash advertising of the LifeLock CEO tactics points to an incalculable issue of false confidence within the financial services industry on which the Equifax breach has pointed a spotlight. The Federal Trade Commission fined LifeLock $12 million in 2010 for false advertising, as the company’s advertisement gave consumers a 100% guarantee to protect against identity theft, an impossible offer. In 2015, the FTC penalized LifeLock $100 million for continuing to offer substandard service, particularly in regard to its security.
Chief officers from Lifelock and Equifax have displayed disregard for their consumers personal information in some of the most obvious ways.  “Equifax has been hacked several times in the past few years. It is consistently rated as having some of the worst data security practices in the financial services industry, and this latest hack happened through a hole in your system that had been identified months before, and should have been fixed pretty easily,” Warren said during the congressional questioning of Smith. Warren was referring to a weakness in security that had been first realized in March, but was still not fixed by the time of the July 29 hack.
Blackwood said that scientists at the CERN supercollider in Switzerland estimate that 90 percent of breaches could be prevented just through proper patching of network systems. Performing patches in a timely manner is one of the most reliable, and most obvious, methods to how cybersecurity analysts can remain ahead of threats and respond to digital attacks. Yet, such a basic action was not taken by the credit bureau Equifax to protect consumers’ credit and their own reputation.
Blackwood also stressed that consumers should check all three major credit bureaus, Experian, TransUnion and Equifax, in order to get the most complete picture possible of one’s current credit.