Equifax Inc. said criminals struck its systems in a cyberattack that’s among the most intrusive security breaches in history. The hack may have exposed personal information -- including Social Security numbers and birth dates -- for 143 million U.S. consumers, or almost half the nation’s population. Many of those individuals aren’t even aware their personal data is being collected.
1. How do credit bureaus get all this data?
Large banks and other consumer-facing companies use credit bureaus as repositories of information on current and potential clients. Financial firms typically report items including credit status, payment history and address information to the three major bureaus: Equifax, Experian Plc and TransUnion. Equifax supplements that information with data it collects from public records including bankruptcy records, court judgments and tax liens. The company also maintains a large database of employment and salary information; that information wasn’t exposed during the cyberattack.
2. Who uses this data?
The same companies and banks that provide much of the bureaus’ data also use it to make credit decisions. Equifax and other bureaus use the information to produce a report on each individual and a score that serves as a snapshot of a consumer’s likelihood to repay. That helps determine whether a person should receive a variety of services including loans, or new accounts with electricity or telephone providers.
3. What will the fallout be for Equifax?
It could end up spending $105 million to clean up this breach, according to Brett Huff, an analyst at Stephens Inc. If Equifax’s bill were substantially larger, in line with costs at Yahoo or Target Corp., insurance covering as much as $150 million may be inadequate. And that financial cost could just be the start. Lawmakers are already calling for executives to testify before Congress about the hack. The company’s reputation as a leader in consumer data protection could be what suffers the most serious damage.
4. What are the implications of this breach for consumers?
In the short term, those consumers whose card information was stolen will have to monitor their statements and report any suspicious activity to their bank. Because so much personally identifiable information was exposed in this attack, identity thieves will find it easier to act. “The biggest problem coming out of this breach is not going to be credit or debit card fraud, it’s going to be identity crimes,” said Shirley Inscoe, an analyst at payments consultancy Aite Group.
5. Are the credit bureaus here to stay?
The bureaus are well-established, multi-billion-dollar enterprises, but there are startups trying to make them obsolete. For example, Petal is a New York-based fintech firm that uses data science -- and not a credit score -- to analyze consumer information and issue credit cards. Credit bureaus “are a system that worked for a long time prior to the technology that is in the market now,” said Amy Walraven, chief analytics officer of Turnkey Risk Solutions, which helps banks combat fraud. The Equifax breach is “a call to action to look at how people do business and what is a better model going forward.”
— With assistance by Laurence Arnold