Equifax


Equifax Inc. is an American multinational consumer credit reporting agency and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. In addition to credit and demographic data and services to business, Equifax sells credit monitoring and fraud prevention services directly to consumers.
Headquartered in Atlanta, Georgia, Equifax operates or has investments in 24 countries in the Americas, Europe, and Asia Pacific. With over 10,000 employees worldwide, Equifax has US$3.1 billion in annual revenue and is traded on the New York Stock Exchange under the symbol EFX.
Like all credit reporting agencies, the company is required by U.S. law to provide consumers with one free credit report every year.
Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017, with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and driver license numbers. Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. On March 1, 2018, Equifax announced that 2.4 million additional U.S. customers were affected by the breach, increasing the number of affected to 147.9 million Americans. The company claims to have discovered evidence of the cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted. The vulnerability in which Chinese hackers leveraged was, the hackers managed to stay in Equifax systems undetected for approximately 134 days.
In March 2018, the Security and Exchange Commission accused Jun Ying, Equifax's former CIO, of illicit insider trading, by selling company stock before the breach was publicly disclosed. After an investigation by the FBI, Ying pleaded guilty, was sentenced to four months of prison plus a year of supervised release, and was fined $55,000.00 and ordered to pay restitution of $117,117.61 on June 2019. An Equifax manager, Sudhakar Reddy Bonthu, also pleaded guilty to insider trading and received a sentence of 8 months of home confinement.
In July 2019, The New York Times, the New York Post and other media reported Equifax had agreed to pay approximately $650 million to settle with the Federal Trade Commission to resolve investigations by several state attorneys general, the Consumer Financial Protection Bureau, the FTC, and a consumer class-action lawsuit related to the data breach.
By September 2019, however, Equifax had added qualifications and "hurdles" to its claims process which put in doubt whether the previously announced cash settlement of $125 per affected consumer would actually be awarded.
On 19 December 2019, a federal judge in Atlanta awarded class-action attorneys representing consumers approximately $77.5 million, suggesting that individual consumers might expect to receive around six or seven dollars.

History

Equifax was founded by Cator and Guy Woolford in Atlanta, Georgia, as Retail Credit Company in 1899. By 1920, the company had offices throughout the United States and Canada. By the 1960s, Retail Credit Company was one of the nation's largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of its business was making reports to insurance companies when people applied for new insurance policies, such as life, auto, fire and medical insurance. RCC also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.
Retail Credit Company's information holdings and willingness to sell its information attracted criticism in the 1960s and 1970s. These included that it collected "...facts, statistics, inaccuracies and rumors... about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." The company was also alleged to reward its employees for collecting derogatory information on consumers.
In 1970, after the company had computerized its records, which led to wider availability of the personal information it held, the U.S. Congress held hearings that led to the enactment of the Fair Credit Reporting Act. This legislation gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.
Equifax expanded into commercial credit reports on companies in the United States, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange database as ChoicePoint in 1997. Equifax formerly offered digital certification services, which it sold to GeoTrust in September 2001. Also in 2001, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger .
In October 2010, Equifax announced it was acquiring Anakam, Inc, an identity verification software company headquartered in San Diego, California, which invented and pioneered SMS two-factor authentication. Terms of the deal were not disclosed.
Equifax purchased eThority, a business intelligence company headquartered in Charleston, South Carolina, in October 2011. eThority is partnering with TALX, a St. Louis-based business unit of Equifax, and will remain in Charleston.
Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.
In July 2020, Equifax reported that, after purchasing Ansonia Credit Data, a major source of consumer credit, payments, and invoice receivables data used by financial companies and other borrowers and businesses in the shipping and logistics sectors, the firm has expanded its position in commercial payment technology solutions.

Products

Equifax primarily operates in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries. Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports containing financial and non-financial data on businesses of all sizes. Equifax collects and provides data through the National Consumer Telecom and Utilities Exchange, an exchange of non-credit data including consumer payment history on telecommunications and utility accounts.
In 1999, Equifax began offering services to the credit consumer sector in addition, such as credit fraud and identity theft prevention products. Equifax and other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from U.S. Equifax credit records.
Equifax also offers fraud prevention products based on device fingerprinting such as "FraudIQ Authenticate Device."

Security Failings

According to Hon. Michael Crapo, Chairman of the Committee, "The amount of data that the private industry and Government collect and store is very concerning. There is intrinsic vulnerability in collecting and storing personal financial information, and we need to have a meaningful discussion on how to protect and limit access to it."

2016 advance-warnings of insecure systems

According to an October 2017 report from Motherboard, around December 2016, a security researcher examining Equifax's servers found that an online portal, created for Equifax employees only, was accessible to the open Internet.
The same types of sensitive private information of American consumers were exposed as in the May–July breach, according to Motherboard. Additionally, the security researchers said they were able to gain shell access on Equifax's servers and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later in June, well after the March and May–July breaches had begun. Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may suggest multiple breaches by more than one party may have occurred.

March 2017 security breach

On September 18, 2017, Bloomberg News reported that Equifax had been the victim of a "major breach of its computer systems" in March 2017, and that in early March it had begun "notifying a small number of outsiders and banking customers" about this attack.
According to Bloomberg, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party that breached Equifax's computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant to assist in investigating the March attack. The same cybersecurity firm was hired following the May–July breach.

May–July 2017 data breach

Between May and July 2017, yet-identified hackers were able to use a known exploit on one of Equifax' web servers that had yet to be updated to access the credit records of more than 140 million Americans as well as some British and Canadian citizens before the breach was detected and shut down. Equifax disclosed the breach on September 7, 2017 after determining the means and scope of the breach. The event was considered "one of the biggest data breaches in history."
Several consumers filed lawsuits in small-claims court against Equifax due to the breach, while Equifax later came to a $575 million settlement with the Federal Trade Commission to offer either a cash payment or credit monitoring for those affected by the breach. The data from the breach has yet to be seen on black markets or the dark web by security experts, making it difficult to identify the origin of the breach. However, in February 2020, the United States Department of Justice indicted four members of China's People's Liberation Army on nine charges related to the breach, which China has denied.

2017 exposure of Argentine consumer data

In September 2017, Brian Krebs revealed that the Argentine arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered "admin" as both the username and password for one of its online systems.

2017 withdrawal of vulnerable mobile apps

On September 7, 2017, the same day as Equifax announced a large security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play. While these apps themselves were not reportedly connected to that breach, they had security flaws of their own, being vulnerable to man-in-the-middle attacks owing to some parts using HTTP instead of HTTPS.

2017 exposure of American salary data

On October 8, 2017, Krebs reported that The Work Number, a website operated by Equifax's TALX division, exposed the salary histories for employees of tens of thousands of US companies to anyone in possession of the employee's Social Security Number and date of birth. For roughly half the US population, both of the latter pieces of data are known to be in possession of criminals, following Equifax's May–July 2017 security breach. In July 2019, Equifax settled with the Federal Trade Commission for $700 million. This number contains a $380,500,000 consumer restitution fund, part of the class action lawsuit.

Website malware

On October 12, 2017, Equifax's website was reported to have been offering visitors malware via drive-by download. The malware was disguised as an update for Adobe Flash. At that time, only 3 out of 65 top anti-malware products provided protection against the particular malware, meaning that many visitors were at risk of having their computers infected if visiting the Equifax website.
On October 13, 2017, the attack was revealed to have been performed by hijacking third-party analytics JavaScript from Digital River brand FireClick.
Also on October 13, 2017, the U.S. Internal Revenue Service was reported to have suspended a $7.2 million contract with Equifax, as a result of the attack.

Lawsuits and fines

The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act. In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.
In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act. In her lawsuit, Miller alleged Equifax had merged her credit reports with another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller's credit report. The award included $18.4 million in punitive damages, and $180,000 in compensatory damages. Miller's lawyer, Justin Baxter, explained that the false reporting damaged Miller's reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with. The jury's verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act. An Equifax spokesperson said that Equifax is considering appealing the jury's verdict. A federal judge reduced the award to $1.62 million in 2014.
In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead. A Heartland Bank spokesperson said the bank "immediately investigated and contacted the credit reporting agencies after Haman reported" she was still alive. An Equifax "spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman's credit report after a reporter's inquiry."
In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.
On November 4, 2017, it was reported that a group of five Oklahomans had sued the company, claiming that Equifax "violated laws which require financial institutions to protect the security of their customers' personal information." Equifax selected the law firm DLA Piper to work on the case in D.C. It had turned to Edelman for earlier crisis control after the October 2017 privacy breach.
Consumer lawsuits claiming damages under the FCRA have been successful in small claims court.
Equifax software engineer Sudhakar Reddy was charged with insider trading for purchasing options prior to the disclosure of the 2017 data breach.
In January 2020, Equifax agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. For those that were affected by the data breach, there were open suggestions to file claims against it. The settlement includes up to $425 million to help people affected by the data breach. Equifax ultimately reached a settlement with regulators for up to $700 million.

Competition

Competitors to Equifax include: