In the hours after credit-reporting giant Equifax Inc. disclosed a massive data breach, consumers and businesses were left scrambling Friday to piece together the implications. But a range of consequences could affect Equifax itself as the Atlanta-based company struggles to recover from an epic hack that affected potentially 143 million records.
Thursday’s disclosure has driven the company’s stock down 17% in early trading and is likely to invite regulatory and investor scrutiny. Already, payments implications are emerging. Some 209,000 of the records compromised included credit card information, the company said, opening the possibility of scrutiny by the card industry and penalties under the Payment Card Industry data-security standard.
“PCI fines are certainly among the many things that [Equifax] will have to worry about in the wake of this breach,” says Julie Conroy, research director at Boston-based consultancy Aite Group, in an email message. “They will also likely face increased scrutiny from the [Consumer Financial Protection Bureau] and other regulators,” she adds.
The breach, which Equifax reportedly discovered in late July, also affected other sensitive information, including names, Social Security numbers, birth dates, and addresses, the company said Thursday. In some cases, the hackers also accessed driver’s license numbers, Equifax said.
The company said the breach occurred from the middle of May through July. Since then, it said, it has not detected any unauthorized activity in its “core” consumer and business databases. Hackers broke in by exploiting a vulnerability in a U.S. Web-site application, according to Equifax’s release. The company has set up a Web site where persons can find out if their data have been affected, though at least some users were reportedly receiving unclear information, according to Bloomberg.com.
In addition to possible PCI penalties and regulatory scrutiny, the company is already facing shareholder lawsuits, as well as a class-action case filed on behalf of consumers.
Equifax is offering consumers, free of charge for one year, a service that monitors credit-bureau information and provides identity-theft protection. But that offer will punch a hole in the company’s consumer-based revenue, points out Conroy. The offer “could also have downstream impacts on other providers of identity-theft protection services, since [potentially] 143 million consumers will now be receiving protection for free,” she notes. All in all, this is “not a good day to be sitting in the C-suite at Equifax,” says Conroy.
Equifax says it discovered the hack on July 29 and “promptly” hired an unnamed cybersecurity company to conduct a forensic investigation. That investigation is now “substantially” complete, Equifax says, but is still “ongoing” and will be completed within a few weeks. Equifax also reported the intrusion to law-enforcement authorities.
The Equifax breach comes during a year of enormous data leaks, including a breach of the SynXis Central Reservations system operated by Sabre, a global travel technology provider. Sabre said on its Web site that more than 36,000 properties use the service, but did not disclose how many records, such as cardholder names and payment card numbers, might have been exposed.