Tuesday, Equifax admitted the largest data breach in U.S. history affected 2.5 million more people than was previously disclosed. At least 145.5 million Americans' personal information was compromised.
Immediately after Equifax disclosed this massive breach, I directed my Bureau of Consumer Protection to open an investigation and invite other attorneys general to join our probe. That investigation has grown to include 47 state attorneys general from both parties plus the District of Columbia. We've issued subpoenas and are working together to get to the bottom of it, protect consumers and force change in corporate behavior.
Equifax claimed it learned about the breach in July, but delayed notifying the public until September 7 - a six-week, unexplained time lag. Now it has become clear Equifax was alerted to irregularities in its data system in March, but it did nothing to fix them. Those delays and the company's decision to do nothing about this security risk are key subjects of our investigation.
Between when Equifax claims it learned of the breach and when the company disclosed it, several Equifax executives sold $1.8 million in company stock. That conduct is under federal investigation, as it should be.
As consumers scrambled to protect themselves, they were met by hidden legal catches, long delays and Equifax's own effort to profit off this breach. My fellow attorneys general and I learned of this shameful behavior and demanded the company stop it. They did.
Equifax is no longer charging consumers who want to freeze their credit, but other reporting agencies still are. Another demand we've made on Equifax: Reimburse consumers for any costs they incur in freezing their credit.
In recent months, my fellow attorneys general and I have settled data breach cases with Target, Nationwide and Lenovo. Those settlements have impacted millions of Americans and required the companies to change how they protect our data. Some of the changes following recent data breach cases include:
- Transparency with consumers about what they are doing with their data.
- Maintaining appropriate security practices, like encryption policies and limiting internal access to customer data.
- Keeping security software up to date.
- Regularly consulting with independent, third-party security experts to get objective advice about their technology and data-management practices.
- Designating an executive responsible for security of customers' data.
What's disturbing about the Equifax case is it happened at a large credit reporting agency, with unique access to our most sensitive data, including Social Security numbers, credit cards, and work and personal histories. Yet the company's lax security allowed this massive breach to happen. Understanding how that occurred is a central focus of our investigation.
But Equifax is not just a data breach -- it is a breach of trust. We have placed enormous trust in Equifax to handle our information carefully, yet this is how they've repaid us.
Unfortunately, our corporate culture has swung so far in the direction of valuing profits above people that Equifax's behavior, while appalling, is not surprising. Every data breach violates the public's trust, and I'm working with my colleagues to force corporations to change their behavior and prevent them from happening in the first place.