Why does one company have personal and financial of 143 million people in the first place? That's the question many consumers are asking after Equifax, one of the three major credit reporting agencies, announced a major hack of personal and financial information.
The company said that "approximately 143 million U.S. consumers" may have been affected thanks to a "U.S. website application vulnerability." That includes "names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers" as well as 209,000 consumers' credit card numbers and other personally identifying information for another 182,000 people.
Equifax, along with its rivals Experian and TransUnion, operate massive databases of personal and financial information for basically anyone in the US who is involved in the consumer credit system. When you apply for a credit card, for example, the card issuer looks up your financial information from the bureaus.
The credit reports generated by these companies include a vast cache of personal information, from which credit cards you carry (or used to carry) to how frequently you pay on time. The companies know how long you've had your accounts, and how many times you've applied for loans.
This makes the three institutions both incredibly powerful in individuals' lives and huge repositories of personal, identifiable information. Equifax said in a statement that it had "found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases."
Credit reporting agencies have been a major target for hacks in the past — about 15 million T-Mobile customers had personal information stolen from Experian between 2013 and 2015. T-Mobile had given the company customer information for credit checks for prospective customers.
In 2013, hackers got their hands on financial information of several celebrities, including Michelle Obama, through Equifax.
Equifax offers other services besides credit reporting, including credit monitoring for consumers, identity theft protection, and business and government services like eligibility verification for government services, marketing services for lenders, and, ironically, internet security.
These identify protection services have been criticized by some experts for offering only the illusion of security and asking consumers to just give up more personal information. "We have no further information to contribute at this point other than what is in the news release," an Equifax spokesperson said in response to a request for comment on what Equifax services were hacked.
Identity protection services "do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name," cybersecurity journalist Brian Krebs wrote in 2015. "Many of these third party services also induce people to provide even more information than was leaked in the original breach."
"It is critical for business entities to take the proper measures to safeguard the PII (Personally Identifiable Information) they obtain," a recent Equifax corporate publication said. "PII can include a wide range of components such as an individual’s name, home address, telephone number, mother’s maiden name, date of birth, social security number, driver’s license number, passport number, or government-issued unique ID number."