Equifax Compromises Millions of Consumers’ Information, How Is This Possible?

Tierney Mason

Associate Editor

Loyola University Chicago School of Law, JD 2019


On September 7, 2017, the credit bureau Equifax announced a giant security breach affecting the personal information of approximately 143 million US consumers, as well as thousands of consumers overseas. With numerous lawsuits piling up against the company and almost half of our nation’s population at a significantly increased risk of identity theft, Americans are left wondering why this happened, how it could have been prevented, and what will become of Equifax and our credit reporting systems.

A Brief History of Credit Reporting

The first credit reporting agencies were created in the 1950s and 1960s and were primarily local community-based bureaus that collected and shared basic consumer information only with each other. The subsequent decades led to two major milestones: the rapid expansion of computers in collecting and storing information, and the passage of the Fair Credit Reporting Act (“FCRA”) in 1970. By the 1980s, the information stored with these credit bureaus had changed dramatically and included more detailed information for each consumer, as well as both positive and negative information related to their borrowing and spending habits. Bureaus began to collect data from a wider geographic area, companies began to merge, and, combined with the increasing unsecured lending market, our three major credit bureaus (Equifax, Experian, and TransUnion) emerged.

Regulating the Bureaus

Consumer rights law in the United States is primarily based on the FCRA and the Fair Debt Collection Practices Act (“FDCPA”), which was passed in 1977. The FCRA promotes the “accuracy, fairness, and privacy” of the data the consumer reporting agencies collect, and the FDCPA prohibits debt collectors from using “abusive, unfair, or deceptive” practices in the collection of debt from consumers. The FCRA establishes the following consumer rights:

  • Consumers must be told if the information in their record is used against them.
  • Consumers must be able to find out what is in their record.
  • Consumers are entitled to dispute inaccurate information and have it corrected or deleted.
  • Reports are not to include outdated information (this is generally seven years, ten years for bankruptcies).
  • Employers need consumer consent to access employee records.
  • Consumers are entitled to request their names be excluded from lists for unsolicited credit and insurance offers.
  • Consumers identified on a list of prospects requested by a creditor must be extended an offer of credit.

The FCRA also details the specific parties that can access your data and the permissible reasons. The 1996 amendments to this law further protect consumers by making these companies liable for knowingly reporting misinformation and allowing consumers to take legal action against individuals obtaining their information without a permissible purpose. Given that Equifax manages about 1,200 times more data than the Library of Congress, there is an incredible burden on these credit bureaus to maintain accurate information and keep their consumers’ information secure.

According to Equifax at the time of the announcement, the breach of secured data was discovered on July 29, 2017, when the company noticed that hackers had exploited a vulnerability in its system to gain access. Immediately following the discovery of the incident, three Equifax executives sold approximately $2 million in Equifax shares. While the Securities and Exchange Commission (“SEC”) did not immediately comment on these trades at the time, it did announce a data breach of its own.

Next Steps

Despite the internet’s pervasiveness in our society, there is still great uncertainty about the risks inherent in putting our personal information on the internet, and about how we can mitigate these risks. Cybercrime is “exploding for lots of reasons,” and some might argue that we may need to assume the culprits are state actors. Not only do we not know who is behind these attacks, but the punishment for these crimes is lacking.

Individual consumers are steadily filing new lawsuits for this breach, but consumers are truly searching for a governmental response. However, as one reporter points out, Equifax is the victim in this scenario, not the perpetrator. Especially frustrating to individual consumers, it is unlikely that the company or any of its executives will be found liable outside of a few congressional hearings. Most of us with information stored at these credit bureaus (essentially, every single one of us) never had a choice over who could collect our personal information and who could profit off of it. The FCRA and other legislation were enacted to protect us, but it’s likely that supporters of this system in the 1970s could have foreseen it being abused in the way that it has.

The consumer’s best case is one of gross negligence, since Equifax clearly failed to maintain consumers’ privacy, arguably its most important job. Hopefully, a predicted heightened level of scrutiny will emerge in our credit reporting system as these companies begin to fix their systems and reform. If it doesn’t, either a complete overhaul or dissolution might be worth discussing.