Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Founded in 1899 and based in Atlanta, Georgia, it is one of the three largest credit agencies along with Experian and TransUnion (known as the "Big Three"). Equifax has US$3.1 billion in annual revenue and 9,000+ employees in 14 countries. It is listed on the NYSE as EFX.
Aside from offering credit and demographic related data and services to business, Equifax sells credit monitoring and fraud-prevention services directly to consumers. Like all credit reporting agencies, the company is required by US law to provide consumers with one free credit report every year.
Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017, with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.
In September 2017, Equifax announced a cyber-security breach, which it says occurred between mid-May and July 2017, in which cybercriminals accessed the personal data of approximately 145.5 million U.S. Equifax consumers, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver's license numbers. Equifax also confirmed that at least 209,000 consumers' credit card credentials were taken in the attack. The company says it discovered evidence of the intrusion on July 29, 2017. Residents of the United Kingdom and Canada were also affected.
Equifax was founded in Atlanta, GA, as Retail Credit Company (RCC) in 1899. The company grew quickly and by 1920 had offices throughout the US and Canada. By the 1960s, Retail Credit Company was one of the nation's largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of its business was making reports to insurance companies when people applied for new insurance policies, including life, auto, fire and medical insurance. All of the major insurance companies used RCC to get information on health, habits, morals, use of vehicles and finances. RCC also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.
Retail Credit Company's extensive information holdings, and its willingness to sell them to anyone, attracted criticism of the company in the 1960s and 1970s. These included that it collected "...facts, statistics, inaccuracies and rumors… about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." The company was also alleged to reward its employees for collecting negative information on consumers.
As a result, when the company moved to computerize its records, which would lead to much wider availability of the personal information it held, the US Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year which gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.
The company later expanded into commercial credit reports on companies in the US, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database as ChoicePoint in 1997. The company formerly offered digital certification services, which it sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger (See Certegy and Fidelity National Information Services for further information).
In October 2010, Equifax acquired Anakam, an identity verification software company.
Equifax purchased eThority, a business intelligence (BI) company headquartered in Charleston, South Carolina in October 2011. eThority is partnering with TALX, a St. Louis-based business unit of Equifax, and will remain in Charleston.
Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.
For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries. Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non-financial data on businesses of all sizes. Equifax collects and provides data through the NCTUE, an exchange of non-credit data including consumer payment history on telco and utility accounts.
In 1999, Equifax also began offering services directly to consumers, such as credit fraud and identity theft prevention products. Equifax and the other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from US Equifax credit records.
Equifax also offers fraud-prevention products based on device fingerprinting, such as "FraudIQ Authenticate Device".
According to an October 2017 report from Motherboard, around December 2016 a security researcher examining Equifax's servers observed that an online portal, apparently created for Equifax employees only, was accessible from the open Internet.
"I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns. "All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax's customers in 10 minutes: "I've seen a lot of bad things, but not this bad."
The same types of sensitive private information of American consumers (names, birth dates, Social Security numbers, etc.) were exposed as in the May-July breach, according to Motherboard. Additionally, the security researcher said they were able to gain shell access on Equifax's servers, and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later, in June, well after the March and May-July breaches had begun. Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may indicate that multiple breaches by more than one party occurred.
On September 18, 2017, Bloomberg News reported that Equifax had been the victim of a "major breach of its computer systems" in March 2017, and that in early March it had begun "notifying a small number of outsiders and banking customers" about this attack.
According to Bloomberg's report, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party who breached Equifax's computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant (owned by FireEye, Inc.) to assist in investigating the March attack. The same cybersecurity firm was hired following the May–July breach.
On September 7, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers. Information on an estimated range of under 400,000 up to 44 million British residents, as well as 8,000 Canadian residents, was also compromised. VentureBeat called the exposure of data on 140 million customers "one of the biggest data breaches in history."
Though the attack was stated to have begun in mid-May, the breach was not observed until July 29, according to Equifax CEO Rick Smith and a subsequent report by Equifax. Information accessed by the hacker (or hackers) in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were also accessed.
Equifax stated in a September 15 statement that it had hired Mandiant on August 2 to investigate the intrusion internally. The statement did not, however, record in its timeline exactly when government authorities ("all U.S. State Attorneys General" and "other federal regulators") were notified of the breach, although it did assert that "the company continues to work closely with the FBI in its investigation."
Equifax shares dropped 13 percent in early trading the day after the breach was made public.
Numerous lawsuits have been filed against Equifax as a result of the breach. In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.
Numerous media outlets advised consumers to request a credit freeze to reduce the impact of the breach.
Equifax said the breach was facilitated by a flaw in Apache Struts (CVE-2017-5638). A patch for the vulnerability was released on March 7, yet the company had not applied the security update when the attack occurred two months later. However, the missing patch was not the only point of failure: contributing factors included an insecure network design that lacked sufficient segmentation, potentially inadequate encryption of personally identifiable information (PII), and ineffective breach detection mechanisms.
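The unapplied Struts patch above is the kind of gap a dependency audit catches. The following Python script is an added example for this article, not Equifax's tooling: it reads a Maven pom.xml, resolves `${property}` versions, and reports any `org.apache.struts` dependency whose version falls in the ranges the Apache S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The two pom.xml strings are constructed sample input.

```python
"""Flag Apache Struts 2 versions in the CVE-2017-5638 (S2-045) affected range.

Added example; not Equifax's code. Affected ranges are those published in the
Apache S2-045 advisory. The pom.xml strings below are constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive version ranges the Apache advisory lists as vulnerable.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); parsing stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(v, n=4):
    """Right-pad with zeros so 2.5 and 2.5.0.0 compare equal."""
    return tuple(v) + (0,) * (n - len(v))


def is_vulnerable(version):
    """True if the version string falls inside one of AFFECTED_RANGES."""
    v = _pad(parse_version(version))
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the XML namespace Maven puts on every pom element."""
    return tag.rsplit("}", 1)[-1]


def _properties(root):
    """Collect <properties> so '${struts.version}'-style versions can be resolved."""
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for child in node:
                props[_local(child.tag)] = (child.text or "").strip()
    return props


def struts_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for org.apache.struts dependencies."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    found = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("groupId") != "org.apache.struts":
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:  # an unresolved property is left as-is and reported as unknown
            version = props.get(m.group(1), version)
        found.append((fields.get("artifactId", ""), version))
    return found


def _status(version):
    if not parse_version(version):
        return "unknown version"
    return "VULNERABLE" if is_vulnerable(version) else "ok"


def audit_pom(pom_xml):
    """Return [(artifactId, version, status)] for every Struts dependency found."""
    return [(a, v, _status(v)) for a, v in struts_dependencies(pom_xml)]


# Constructed sample poms: one unpatched, one pinning a fixed version via a property.
UNPATCHED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.5.10</version>
  </dependency></dependencies>
</project>"""

PATCHED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.32</struts.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>${struts.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("unpatched", UNPATCHED_POM), ("patched", PATCHED_POM)):
        for artifact, version, status in audit_pom(pom):
            print(f"{name}: {artifact} {version} -> {status}")
```

Versions are compared as padded integer tuples so that 2.5.10.1 (the fix release) correctly sorts above 2.5.10; a version the script cannot resolve is reported as unknown rather than silently marked ok.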
On September 15, Equifax issued a press release with bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The statement further commented on issues related to criticism regarding its initial response to the incident. The company also announced the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.
Three days after Equifax revealed the May-July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax, introduced a bill to the US House that would reduce consumer protections in relation to the nation’s credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss. The bill would also eliminate all punitive damages. Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach."
On September 28, 2017, new Equifax CEO Paulino do Rego Barros Jr. responded to criticism of Equifax by promising that the company would, from early 2018, allow "all consumers the option of controlling access to their personal credit data," and that this service would be "offered free, for life."
On October 2, 2017, Equifax revealed that the estimated number of affected Americans was 2.5 million more than previously reported. This brought the total number of potentially impacted Americans to 145.5 million.
On October 10, 2017, Equifax stated that 15.2 million UK customers had their records compromised in the breach, of which 693,665 had sensitive personal data disclosed.
Also around October 10, 2017, the number of driver's licenses breached in the attack was reported to be 10–11 million.
Following the announcement of the May-July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September. Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.
It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public. The company said the executives, including the chief financial officer John Gamble, "had no knowledge that an intrusion had occurred at the time they sold their shares". On September 18, Bloomberg reported that the US Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.
When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress, which is not generally considered suitable for high-security applications. These issues led OpenDNS to classify it as a phishing site and block access. Moreover, members of the public wanting to use the Equifax website to learn whether their data had been compromised had to provide a last name and six digits of their Social Security number.
The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information. As with https://www.equifaxsecurity2017.com, this website, too, was registered and constructed like a phishing website, and it was flagged as such by several web browsers.
Responding to continuing public outrage, Equifax announced on September 12 that they "are waiving all Security Freeze fees for the next 30 days".
Equifax has been criticized by security experts for registering a new domain name for the site instead of using a subdomain of equifax.com. On September 20, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of its own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how easily the official site could be confused with a phishing site. Sweeting's site was, however, upfront with visitors that it was not official, telling those who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.
In September 2017, Brian Krebs revealed that an Argentinian arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered "admin" as both the username and password for one of its online systems.
On September 7, 2017, the same day as Equifax announced a large security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play. While these apps themselves were not reportedly connected to that breach, they had security flaws of their own, being vulnerable to man-in-the-middle attacks owing to some parts using HTTP instead of HTTPS.
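Two of the criticisms above reduce to checks a practitioner can automate before publishing a notification link or shipping an app: is the host actually under the organization's own domain (rather than a freshly registered look-alike, as with equifaxsecurity2017.com), and is the traffic carried over HTTPS rather than plaintext HTTP? The following Python function is an added example for this article, not Equifax's code; the organization domain defaults to equifax.com and the URLs in `SAMPLE_URLS` are constructed.

```python
"""Assess whether a breach-notification URL looks like the organization's own site.

Added example; not Equifax's code. It encodes two criticisms from the article:
a notification site on a newly registered domain rather than a subdomain of
equifax.com, and app traffic carried over HTTP instead of HTTPS. Sample URLs
are constructed.
"""
from urllib.parse import urlsplit


def host_belongs_to(host, org_domain):
    """True if host is org_domain or a subdomain of it.

    Matches on a label boundary so 'notequifax.com' does not pass for
    'equifax.com'.
    """
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def assess_url(url, org_domain="equifax.com", brand="equifax"):
    """Return a list of findings; an empty list means the URL passes every check."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not served over HTTPS (plaintext, exposed to man-in-the-middle)")
    if parts.username is not None:
        # https://www.equifax.com@other.example/ displays the brand but connects elsewhere
        findings.append("user-info before '@' in URL hides the real host")
    if not host_belongs_to(host, org_domain):
        if brand in host:
            findings.append(f"brand name on a domain outside {org_domain} (look-alike pattern)")
        else:
            findings.append(f"host {host!r} is not under {org_domain}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible homograph)")
    return findings


# Constructed sample input: the official domain, the criticized pattern, plaintext
# HTTP, and a URL whose visible brand is only the user-info part.
SAMPLE_URLS = [
    "https://www.equifax.com/breach-notice",
    "https://www.equifaxsecurity2017.com/",
    "http://api.equifax.com/v1/score",
    "https://www.equifax.com@login.example.net/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", assess_url(u) or "ok")
```

`urlsplit().hostname` already lowercases the host and separates any user-info, which is why the `@` case is reported as both a hidden-host finding and a host outside the organization's domain.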
On October 8, 2017, Krebs reported that The Work Number, a website operated by Equifax's TALX division, exposed the salary histories of employees of tens of thousands of US companies to anyone in possession of the employee's Social Security number and date of birth. For roughly half the US population, both of those pieces of data are known to be in the possession of criminals following Equifax's May-July 2017 security breach.
On October 12, 2017, Equifax's website was reported to have been offering visitors malware via drive-by download. The malware was disguised as an update for Adobe Flash. At that time, only 3 out of 65 top anti-malware products provided protection against the particular malware, meaning that many visitors were at risk of having their computers infected when visiting the Equifax website.
Also on October 13, 2017, the US Internal Revenue Service was reported to have suspended a $7.2 million contract with Equifax, as a result of the attack.
The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act. In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.
In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act. In her lawsuit, Miller alleged Equifax had merged her credit reports with those of another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller's credit report. The award included $18.4 million in punitive damages and $180,000 in compensatory damages. Miller's lawyer, Justin Baxter, explained that the false reporting damaged Miller's reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with. The jury's verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act. An Equifax spokesperson said that Equifax was considering appealing the jury's verdict. A federal judge reduced the award to $1.62 million in 2014.
In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead. A Heartland Bank spokesperson said the bank "immediately investigated and contacted the credit reporting agencies after Haman reported" she was still alive. An Equifax "spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman’s credit report after a reporter’s inquiry."
In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.
On November 4, 2015, it was reported that a group of five Oklahomans had sued the company, claiming that Equifax "violated laws which require financial institutions to protect the security of their customers' personal information." Equifax selected the law firm DLA Piper to work on the case in D.C. It had turned to Edelman for earlier crisis control after the October 2017 privacy breach.