Five years ago, on September 7, 2017, Equifax announced that it had experienced a data breach incident affecting 143 million people.
Unbelievably, the Equifax data breach occurred between May and July 2017, yet Equifax waited six weeks before its public disclosure on September 7, 2017.
But it gets worse: one month later, Equifax announced that its data breach included an additional 2.5 million individuals, and then in March 2018 Equifax found an additional 2.4 million people, bringing the total number of affected individuals to nearly 148 million, or 45% of the US population.
Unfortunately, the final story of most data breaches rarely reflects the initial news report, which speaks of what is known at the moment but never discusses the long term. That is exactly what happened to Equifax.
The fact is that the threat of a data breach or an identity theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely have not even thought about.
The Equifax data breach exposed Social Security numbers, dates of birth, addresses, and even driver’s license numbers. This means that affected consumers are at risk of having their Social Security numbers and birth dates sold and traded on the “dark web” for the rest of their lives.
So when Equifax offers “free” credit bureau monitoring, it is essentially worthless, as ID theft criminals (or nation states, as some have suggested) typically sit on stolen information for years before they begin to use it for fraudulent purposes.
As we recognize the five-year anniversary of this historic September 7, 2017 public disclosure of the Equifax data breach event, I have listed below some lessons learned for consumers:
Credit bureau monitoring provides a false sense of security and cannot prevent individual consumers from becoming a victim of identity theft.
Credit bureau monitoring cannot alert consumers to non-financial ID theft such as taxpayer identity theft/refund fraud, medical ID theft and credential (e.g., driver’s license or passport) identity theft.
Consumers underestimate the possibility of becoming an ID theft victim and do not realize how labor- and time-intensive recovering from identity theft is.
At the same time, here are some lessons learned for Equifax:
The Equifax CEO, CIO, and CSO were not forced to resign (or “retire”) because Equifax experienced a data breach event; they resigned because of their failed management response to that data breach event.
If Equifax, a business centered on securing our most sensitive personal information, with more financial and IT resources than most business sectors, cannot prevent a data breach from happening, what leads other businesses to believe they can?
But it is not just Equifax, as the two other major credit bureaus (Experian and TransUnion) and leading banks, health insurance companies, and social media companies have all experienced data breaches.
To conclude, no one company can prevent itself from ever experiencing a data breach incident.
Even Equifax, with more financial and IT resources than most companies, was unable to prevent a data breach from occurring.