There is simply no excuse for this bad actor. Terminate the company.
Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.
Cybersecurity professionals criticized Equifax on Thursday for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company’s crown jewels through a simple website vulnerability.
“Equifax should have multiple layers of controls” so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms. Litan said.
Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.
The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.
Equifax has created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.
People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.
Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.
Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.
“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.
Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.
Beyond compromising the personal data of millions of consumers, the breach also poses a potential national security threat. In recent years, Chinese nation-state hackers have breached insurers like Anthem and federal agencies, siphoning detailed personal and medical information. These hackers go wide in their assaults in an effort to build databases of Americans’ personal information, which can be used for blackmail or future attacks.
Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.
“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”
Sen. Mark R. Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, said he believed the severity of the Equifax breach raised serious questions about whether Congress needed to rethink data protection policies.
“It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” he said in a statement.