Five years ago, a massive data breach occurred. On Sept. 7, 2017, the Equifax credit bureau publicly revealed its computer networks had suffered a data leak that exposed the personal information of 143 million consumers, a number later raised to 147 million. That data included consumers’ names, addresses, dates of birth, Social Security numbers and credit card numbers — all of which could lead to identity fraud and other financial crimes.
The data breach, announced six weeks after it was discovered, rattled the financial services industry, the cybersecurity sector and, most notably, the millions of consumers who were affected. The Equifax data breach had a powerful impact:
- Victims of the breach will benefit from a $425 million settlement that’s nearing its end.
- Federal lawmakers have made minor changes related to data privacy.
- Equifax has spent $1.6 billion to shore up its cybersecurity defenses.
Five years after Equifax disclosed the breach, we posed the question to financial experts: Is personal data collected by the three major credit bureaus any safer than it was in 2017?
How safe is your personal data now?
There’s no such thing as “bulletproof cybersecurity,” says James Lee, chief operating officer of the nonprofit Identity Theft Resource Center. Even the most secure, most advanced cybersecurity measures can and do fail.
“That said, there is nothing inherently insecure or risky about the data protection practices of the three major credit bureaus,” says Lee. “Sometimes they have learned the hard way, but they have all made significant investments in cybersecurity and data protection, and are well positioned to safeguard the information they collect and maintain.”
If you want to protect your data, can you simply not allow any of the credit bureaus to obtain and store your personal information?
Technically, you can. But Lee notes that if you participate in the “modern digital economy,” your data almost certainly has been gathered by at least one of the three major credit bureaus (Equifax, Experian and TransUnion). Without this data, which the credit bureaus include in consumers’ credit reports, it can be difficult to get a credit card, open a bank account, obtain a loan, get a job that requires a background check or take advantage of any other credit-related parts of the economy.
Lee says Equifax, in particular, now runs one of the best cybersecurity operations, not just among the credit bureaus but among all businesses. “But they had to get there by going through that very painful period,” he says.
That breach cost Equifax a bundle. Consumers who filed a claim within the first claims period (before Jan. 22, 2020) were eligible for four years of credit monitoring services provided by Equifax, Experian and TransUnion, with up to $1 million in identity theft insurance. After the four-year period, consumers who successfully filed a claim could enroll in six more years of credit monitoring services from Equifax.
- July 2019: FTC announces Equifax had agreed to pay at least $575 million, potentially up to $700 million (FTC)
- January 2020: Settlement receives final approval from the court (FTC)
- Amount of actual settlement: $425 million (Equifax Breach Settlement)
- January 2022: Settlement finalized (FTC)
- February 2022: Settlement administrator sends activation codes to eligible consumers who opted for free credit monitoring services. (Equifax Breach Settlement)
- Fall 2022: Settlement administrator starts issuing benefits to consumers for eligible out-of-pocket costs related to the breach or identity theft arising from the breach, as well as time spent (up to 20 hours) recovering from the data breach. Anyone who lost money due to identity theft may receive as much as $20,000. (Equifax Breach Settlement)
An Equifax spokesperson says the post-breach overhaul of the company’s data security program included investing $1.6 billion to improve security and technology and hiring more than 600 cybersecurity professionals. Equifax has built “one of the most advanced, effective and transparent cybersecurity programs in business today,” according to the spokesperson.
Lee stresses, though, that it’s difficult for companies like Equifax to constantly outfox cybercriminals. “Whenever the security pros are more successful locking things down, the bad guys find another way around it,” he says.
Data security in 2022
Although five years have passed since the Equifax breach, more than 1,800 U.S. data breaches were reported in 2021, compared with a little over 1,500 in 2017, according to the Identity Theft Resource Center. Those numbers demonstrate a cold reality: Data breaches haven’t evaporated since the Equifax breach.
|Year||Number of breaches||Number of people affected*|
|*Number may include people outside the U.S.
|2022 (first half)||817||53.35 million|
|Rank||Affected entity||Date reported||Number of victims|
|Source: Identity Theft Resource Center|
|1||River City Media||March 2017||1.37 billion|
|2||Yahoo||December 2016||1 billion|
|3||Yahoo||December 2016||1 billion|
|4||Yahoo||September 2016||500 million|
|5||Veeam||September 2018||445 million|
|6||Marriott||November 2018||383 million|
|7||Exactis||June 2018||340 million|
|8||Zynga||September 2019||218 million|
|9||Deep Root Analytics||June 2017||200 million|
|10||Dubsmash||February 2019||161.55 million|
|11||Equifax||September 2017||146.6 million|
|12||MyFitnessPal||March 2018||143.61 million|
|13||Heartland Payment Systems||January 2009||130 million|
|14||Apollo||October 2018||125.93 million|
|15||Tetrad Computer Applications||February 2020||120 million|
Adam Aviv, an associate professor of computer science at George Washington University, believes little has changed since the Equifax breach when it comes to protecting personal data. “More institutions are vulnerable to data breaches than we may have imagined, including firms who make their business in handling financial information, and the impact can be far-reaching,” says Aviv.
You’d think stepped-up cybersecurity practices at Equifax and other businesses would translate to fewer data breaches, says Aviv, “but we don’t truly know.”
In fact, according to an August 2022 report by the federal Consumer Financial Protection Bureau, consumers can’t reasonably avoid harm caused by the data security failures of a business.
“They typically have no way of knowing whether appropriate security measures are properly implemented, irrespective of disclosures provided,” the report states. “They do not control the creation or implementation of an entity’s security measures, including an entity’s information security program. And consumers lack the practical means to reasonably avoid harms resulting from data security failures.”
More laws on the horizon?
Since the Equifax breach, federal safeguards of consumers’ data remain largely the same as they did in 2017, experts say.
Responding to the Equifax breach, federal lawmakers passed a measure that took effect in 2018, allowing consumers to freeze their credit reports at no cost. Previously, consumers in some states had to pay for a credit freeze, which restricts access to a consumer’s credit file. This makes it tougher for crooks to open accounts in someone else’s name. The law made several other changes related to credit freezes and fraud alerts.
Beyond the 2018 law, no federal laws clamping down on the security of consumers’ data have been enacted, says Caitriona Fitzgerald, deputy director of the nonprofit Electronic Privacy Information Center. However, Fitzgerald and other consumer advocates do see a glimmer of hope on that front.
American Data Privacy and Protection Act gains traction
In July 2022, a U.S. House committee approved the American Data Privacy and Protection Act, the first time in years that such legislation has advanced so far in Congress. But with the clock ticking on the current session of Congress, supporters doubt the measure will go any farther this year.
An added complication: House Speaker Nancy Pelosi, who controls the flow of bills in her chamber, has raised concerns that the proposal would preempt robust data privacy laws in her home state of California.
On top of that, the U.S. Chamber of Commerce and other business groups object to a provision in the measure called a “privacy right of action.” This provision would enable individuals to file suit over data privacy violations, rather than just federal regulators and state attorneys general. The Chamber of Commerce and other pro-business organizations say a federal-level privacy right of action would encourage a flood of abusive class-action lawsuits.
Despite opposition from some in the business community, more than 80 percent of Americans support the American Data Privacy and Protection Act, according to a June 2022 survey by Morning Consult and Politico. Aside from creating a privacy right of action tied to consumers’ data, the act would:
- Prohibit the sale of individuals’ data to third parties without their explicit consent.
- Enhance privacy protections for children under 17.
- Require companies to dial back the amount of data they collect about individuals.
“Unfortunately, in the last five years, companies have increased the amount of data they’re collecting about us and not deleting it when it’s no longer needed,” Fitzgerald says. “We always like to say that data that is never collected can’t be breached.”
How to protect yourself from a data breach
There are safeguards you can put in place for future data breaches. Be aware, though, that you may have already had your data breached and not even known it. Although the Equifax breach and many other data leaks have made headlines for years, many American consumers appear to be in the dark about breaches that have affected them.
Shown facts from as many as three breaches that involved their personal data, 413 people were aware of only 74 percent of the breaches, according to a study released in 2021 by the University of Michigan, George Washington University and the Karlsruhe Institute of Technology.
While consumer advocates and technology experts put the burden of preventing data breaches on the collectors of data, rather than consumers, you can take the following steps to guard your personal information:
- Know who’s collecting your data and what they’re doing with it. Aside from being aware of that, Morgan & Morgan attorney John Yanchunis, who filed one of the class-action cases against Equifax on behalf of consumers, advises consumers to inform themselves about security measures that companies have in place to protect their data, including how credit card networks protect against fraud.
- Create a unique, hard-to-guess login and password for every online account. Logins and passwords are “the keys to the kingdom today, because most people use the same login and password on every single account they have, both at home and often at work,” Lee says. “So if that is compromised, everything they have can be compromised.”
- Don’t share logins and passwords with anyone you don’t fully trust. Lee says people often slip up in this regard by providing credentials for their social media accounts to a supposed friend who actually turns out to be an identity thief.
- Freeze your credit reports. When someone activates a credit freeze, they severely restrict access to information in the report. This can prevent a scammer who’s stolen your personal data from using that information to apply for a credit card, loan or other financial product in your name. It’s free and easy to request and lift a credit freeze.
- Place a fraud alert on your credit file. Fraud alerts, which are free, notify creditors to take extra steps to verify your identity before approving a credit application.
- Use two-factor authentication. Two-factor authentication requires at least two ways of verifying your identity before you can sign into an online account.
- Take special measures to protect yourself against mobile banking fraud.
The bottom line
Since the September 2017 announcement of the Equifax data breach, the credit bureau has spent $1.6 billion to fortify its cybersecurity defenses. Five years later, consumer data kept by Equifax and the two other major credit bureaus, Experian and TransUnion, remains vulnerable to breaches, though. As Lee puts it, bulletproof cybersecurity does not exist.
While the power to prevent data breaches largely rests with companies that gather and store our data, taking the steps above can help you safeguard your own information — and, hopefully, avoid becoming the victim of a data breach yourself.