Equifax, a multinational consumer credit reporting agency, is also one of the largest credit bureaus, alongside Experian and TransUnion (together known as the “Big Three”). Equifax collects and administers the data and information of over 800 million individual consumers and more than 88 million businesses worldwide. 

All credit reporting agencies are required by U.S. law to provide consumers with one free credit report every year. In doing so, Equifax was subject to more than 57,000 user complaints to the Consumer Financial Protection Bureau between October 2012 and September 2017, related to incomplete, inaccurate, outdated, or misrepresented information documented by Equifax.

The Data Breach: What Happened

In September of 2017, Equifax presented a cybersecurity data breach claiming to have occurred between May and July of 2017. The data breach had exposed the personal information of at least 145.5 million users, where cybercriminals had access to Equifax consumers’ personal data, including:

• Full names
• Social Security numbers
• Birth dates
• Addresses
• Driver’s license numbers

Equifax had also confirmed at least 209,000 users’ credit card credentials had been acquired during the breach.

An investigation of the security breach identified four major factors that allowed the attackers to successfully gain personal information, including identification, detection, segmenting of access to databases, and data governance which granted the attackers access to its network and extract data from secure databases containing Personally Identifiable Information (PII). 

In March of 2018, Equifax announced that an additional 2.4 million consumers had been affected by the data breach, bringing the number of affected users to 147.9 million. In the same month, the Security and Exchange Commission (SEC) accused Jun Ying, Equifax’s former CIO, of illicit insider trading for selling company stock before the data breach had been publicly disclosed. After an investigation led by the FBI, Ying pleaded guilty and was sentenced to four months in prison with a year of supervised release. 

In June of 2019, Ying had agreed to pay approximately $650 million to settle with the Federal Trade Commission (FTC) to resolve the additional investigations constructed by several state attorney generals, the Consumer Financial Protection Bureau, the FTC, and a consumer class-action lawsuit associated with the data breaches in 2017.

Do you have information to share with Identity Review? Email us at press@identityreview.com.