Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Founded in 1899 and based in Atlanta, Georgia, it is the oldest of the three largest credit agencies along with Experian and TransUnion (known as the "Big Three"). Equifax has US$ 3.1 billion in annual revenue and 9,000+ employees in 14 countries. It is listed on the NYSE as EFX.
Aside from offering credit and demographic related data and services to business, Equifax sells credit monitoring and fraud-prevention services directly to consumers. Like all credit reporting agencies, the company is required by US law to provide consumers with one free credit report every year.
Equifax was also the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 143 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered the evidence of cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
Maps, Directions, and Place Reviews
History
Equifax was founded in Atlanta, GA, as Retail Credit Company in 1899. The company grew quickly and by 1920 had offices throughout the US and Canada. By the 1960s, Retail Credit Company was one of the nation's largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of their business was making reports to insurance companies when people applied for new insurance policies including life, auto, fire and medical insurance. All of the major insurance companies used RCC to get information on health, habits, morals, use of vehicles and finances. They also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.
Retail Credit Company's extensive information holdings, and its willingness to sell them to anyone, attracted criticism of the company in the 1960s and 1970s. These included that it collected "...facts, statistics, inaccuracies and rumors... about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." The company was also alleged to reward its employees for collecting negative information on consumers.
As a result, when the company moved to computerize its records, which would lead to much wider availability of the personal information it held, the US Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year which gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.
The company later expanded into commercial credit reports on companies in the US, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database as ChoicePoint in 1997. The company formerly offered digital certification services, which it sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger (See Certegy and Fidelity National Information Services for further information).
In October 2010, Equifax acquired Anakam, an identity verification software company.
Equifax purchased eThority, a business intelligence (BI) company headquartered in Charleston, South Carolina in October 2011. eThority is partnering with TALX, a St. Louis-based business unit of Equifax, and will remain in Charleston.
Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.
Equifax Business Credit Video
Products
For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries. Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non financial data on businesses of all sizes. Equifax collects and provides data through the NCTUE, an exchange of non credit data including consumer payment history on telco and utility accounts.
In 1999, Equifax began offering services to the credit consumer sector in addition, such as credit fraud and identity theft prevention products. Equifax, and other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from US Equifax credit records.
Equifax offers also fraud prevention products based on device fingerprinting such as "FraudIQ Authenticate Device".
Security failings
March 2017 security breach
On 18 September, 2017, Bloomberg News reported that Equifax had been the victim of a "major breach of its computer systems" in March 2017, and that in early March it had begun "notifying a small number of outsiders and banking customers" about this attack.
According to Bloomberg's report, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party who breached Equifax's computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant (owned by FireEye, Inc.) to assist in investigating the March attack. The same cybersecurity firm was hired following the May-July breach.
May-July 2017 security breach
On 7 September, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 143 million U.S. consumers. Information on an estimated range of under 400,000 up to 44 million British residents as well as 100,000 Canadian residents was also compromised.
Though the attack was stated to have begun in mid-May, the breach was not observed until July 29, according to Equifax CEO Rick Smith and a subsequent report by Equifax. Information accessed by the hacker (or hackers) in the breach primarily includes first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were also accessed.
Equifax stated in a September 15 statement that it hired the services of Mandiant, a cybersecurity firm purchased by FireEye, Inc, on 2 August to internally investigate the intrusion. The statement did not however record in its timeline exactly when government authorities ("all U.S. State Attorneys General" and "other federal regulators") were notified of the breach, although it did assert "the company continues to work closely with the FBI in its investigation."
Equifax shares dropped 13 percent in early trading the day after the breach was made public.
Numerous lawsuits have been filed against Equifax as a result of the breach. In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in US history.
Numerous media outlets advised consumers to request a credit freeze to reduce the impact of the breach.
Equifax said the breach was facilitated using a flaw in Apache Struts (CVE-2017-5638). A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.
On 15 September, Equifax issued a press release with bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The statement further commented on issues related criticism regarding its initial response to the incident. The company also announced the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.
Three days after Equifax revealed the May-July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax, introduced a bill to the US House that would reduce consumer protections in relation to the nation's credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss. The bill would also eliminate all punitive damages. Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach."
Criticism
Following the announcement of the May-July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September. Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.
It was also revealed that three Equifax executives sold $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public. The company said the executives, including the chief financial officer John Gamble, "had no knowledge that an intrusion had occurred at the time they sold their shares". On 18 September, Bloomberg reported that the US Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.
When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress which is not generally considered suitable for high-security applications. These issues led Open DNS to classify it as a phishing site and block access. Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their social security number.
The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information.
The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach) which included an arbitration clause with a class action waiver. Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident. According to Polly Mosendz and Shahien Nasiripour, "some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration". The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, "it's unclear if that applies to the credit monitoring program". New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause. Responding to arbitration-related concerns, on September 8, Equifax issued a statement stating that "in response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident." Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "means nothing" because the terms of use state that they are the "entire agreement" between the parties. The arbitration clause was later removed from equifaxsecurity2017.com.
Responding to continuing public outrage, Equifax announced on September 12 that they "are waiving all Security Freeze fees for the next 30 days".
Equifax has been criticized by security experts for registering a new domain name for the site name instead of using a subdomain of equifax.com
. On 20 September, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting's site was upfront to visitors that it was not official, however, telling visitors who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.
2017 exposure of Argentinian consumer data
In September 2017, Brian Krebs revealed that an Argentinian arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered "admin" as both the username and password for one of its online systems.
2017 withdrawal of vulnerable mobile apps
On 7 September 2017, the same day as Equifax announced a large security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play. While these apps themselves were not reportedly connected to that breach, they had security flaws of their own, being vulnerable to man-in-the-middle attacks owing to some parts using HTTP instead of HTTPS.
Lawsuits and fines
The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act. In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.
In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act. In her lawsuit, Miller alleged Equifax had merged her credit reports with another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller's credit report. The award included $18.4 million in punitive damages, and $180,000 in compensatory damages. Miller's lawyer, Justin Baxter, explained that the false reporting damaged Miller's reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with. The jury's verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act. An Equifax spokesperson said that Equifax is considering appealing the jury's verdict. A federal judge reduced the award to $1.62 million in 2014.
In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead. A Heartland Bank spokesperson said the bank "immediately investigated and contacted the credit reporting agencies after Haman reported" she was still alive. An Equifax "spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman's credit report after a reporter's inquiry."
In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.
Source of the article : Wikipedia
EmoticonEmoticon