The hacking of consumer credit reporting giant Equifax, and the company’s ‘cynical’ handling of it, is a far-reaching disaster that borders on criminal, says financial regulation expert Bill Black
Please help us make real news!
AARON MATE: It’s The Real News. I’m Aaron Mate. The consumer credit reporting giant Equifax is in hot water after one of the largest data breaches in years. Equifax says hackers have gained access to the personal information of more than 143 million people. That’s just under half the entire U.S. population. The compromised info includes credit card and Social Security numbers, addresses and birth dates. In a video statement, Equifax CEO Rick Smith apologized. RICK SMITH: This is clearly a disappointing event, and one that strikes at the heart of who we are and what we do. I deeply regret this incident. I apologize to every affected consumer and all of our partners. We all know that the threats to data security are growing by the day, and while we’ve made significant investments in cybersecurity, we have more to do, and we will. AARON MATE: The controversy continues beyond the breach itself. It took more than a month for Equifax to publicly disclose it, and during that time, just days after it happened, three company executives sold nearly $2 million worth of stock. Equifax claims they were unaware the intrusion had occurred. Now meanwhile, people who sign up for an Equifax help site are being told they forfeit their right to sue or take part in a class action. That means if you want to find out if your data was stolen, you can’t take legal action against the company that lost it. New York Attorney General Eric Schneiderman has opened a probe of Equifax and told the company to remove that language. Bill Black is a white-collar criminologist, Associate Professor of Economics and Law at the University of Missouri Kansas City, and the author of the book “The Best Way to Rob a Bank is to Own One.” Professor Black, welcome. BILL BLACK: Thank you. AARON MATE: As I said, we’re talking about the data of about half the U.S. population. First off, tell us, how bad is this, Professor Black? BILL BLACK: The experts in cybersecurity say on a scale of 1 to 10, where 10 is the worst, that this is a 10, and it’s almost comically bad. It’s another demonstration of our family rule that it’s impossible to compete with unintentional self-parody, and that’s certainly what the executives of Equifax have demonstrated in this scandal. AARON MATE: How so? BILL BLACK: First, this is the third major breach in about two years, so they had plenty of warning that their security, cybersecurity, was incompetent, and they obviously didn’t fix it. Second, they now say that the breach began in May and that they didn’t detect it ’til July, while they were, as you said, stealing at least 142 million people’s worth of data, probably multiple times. Along the way, by the way, they said proudly, “Ah, but there was no breach of our core system.” Before you ever get to the core, 142 million customers are thrown under the bus. God only knows what the core is. Presumably their own personal data is what they consider the core. Once they did discover, finally, the breach, the very first thing that happened, you mentioned part of it, which is three senior executives sold roughly $2 million-ish in shares, including the chief financial officer, who they’re now claiming wasn’t told of the breach. Now, this would be the number-two person, typically, or number-three person in the entire corporation. If they didn’t tell the senior ranks about the breach, when they discovered one of the largest and most destructive breaches in history, you know, well, you can choose to believe that. No one else does. On top of that, there was also an immediate … in the same time period that these senior executives were selling their stock, there was a massive increase in sales of stock options compared to the normal for Equifax, and that almost certainly was again because people had been tipped about what had happened in the breach. You began to describe what happened after the breach, so first, you might think if Equifax screwed up, instead of just apologizing in this generic fashion, it might actually notify us that our information had been breached, and tell us what we ought to do to minimize it, and say that they would conduct all of those things automatically absent our objection at their own cost. None of that occurred. You can access their site and apparently maybe it will tell you that they don’t think you were a victim, but again, the onus shouldn’t be put on us. They are the ones that screwed up. They’re the ones that should be notifying us. They’re the ones who at their own expense should be fixing it. That’s what all of us would do if we ran a mom-and-pop grocery store, much less one of the three largest, as you say, credit rating agencies. On top of that, they immediately saw an opportunity, A, to protect themselves, that you talked about, and B, to make a profit. As you say, they said, “We will provide you with one year of protection.” Now first, the information lost, in addition to the types that you talked about, included Social Security numbers, which of course do not change normally, so that information will be commercially valuable to other frauds for 10 to 30 years, so one year of protection, A, doesn’t do it. B, as you said, they said … “they” being Equifax … “If you … ” and this is in the fine print, mind you, “If you sign up for this protection, you have to give up any right to bring a class action suit.” Now, the Consumer Finance Protection Bureau has been trying to ban these things. Simultaneously the Republicans, virtually all elected Republicans at the national level, including the Trump administration, are trying to eliminate the CFPB protection against this. In addition, Attorney General Schneiderman wrote and said, “What you’re doing is unlawful and misleading, remove this.” They didn’t. Instead, they, Equifax, said, “Oh, if you want to get out of the arbitration-only clause,” which effectively denies you all legal rights, “then you have to inform us officially that you want that, and you have to provide us with most of your Social Security number,” not just the last four digits either. You have to compound the potential breach, and again, they know that if they put the onus on the 142 million people, maybe 2 million, you know, might opt out of this thing. This is an absolutely cynical approach to not only cheat us, allow other people to steal our information, but to make sure that they have no effective liability. That isn’t it, because they also said, “Hey, this is a chance to make money on the victims.” It turns out, if you sign up for this one-year of free protection, it’s automatically renewed, and they charge you for it after year one. Again, they know that if they do this to some tens of millions of people, that most people will simply not track that it’s a year later and that they have to kill this protection, and so they’ve turned this massive abuse, this greed upon greed upon greed, into yet another opportunity to make money off the customers who they’re treating in the most atrocious fashion possible. This is like a bad novel that someone wrote who hated corporations, except all of it’s coming from the senior leadership of the corporation. AARON MATE: Professor Black, you mentioned a lot there, but let’s just underline the last thing you said. If you sign up for this one year of free credit monitoring to supposedly help consumers who may have been affected, if you don’t cancel after that year, then Equifax starts charging you. You mentioned fine print, so let me read it. If you sign up for the service, it says, “In the event you wish to continue your membership beyond the trial period, do nothing, and your membership will automatically continue without interruption, and we will begin billing you via the payment source you provided when you signed up for the free trial.” Let me also go to more of Equifax CEO Rick Smith from his video to consumers, where he talked about the help that the company is supposedly providing. RICK SMITH: I know you all agree that our first priority must be to support consumers. To that end, we’re taking the unprecedented step of offering every U.S. consumer in the country a comprehensive package of identity theft protection and credit file monitoring at no cost. We also opened a special call center and launched a dedicated website to provide consumers with information they need to manage their personal situation. AARON MATE: It’s interesting, Professor Black. All of these clauses and opportunities, business opportunities that you mentioned before, were not mentioned in Rick Smith’s apology video. You also mentioned before this thing about the mandatory arbitration rule with the Consumer Financial Protection Bureau, which Republicans are now trying to repeal. It’s said now that because of this incident, that effort by Republicans will probably be killed. Can you talk a bit more about what that is, and what the Equifax situation means for it? BILL BLACK: Well, first, there are many arrows and many tactics that they’re going to use to try to destroy it. In particular they’re going to try to use the court, if the rule ever becomes effective law, and they’ve had a very good record with extremely conservative judges in overturning these rules. Something analogous, they’ve also just been overturning the rules in the context of sexual harassment, where you would have to give up your right to sue or even to give notice to other people about the sexual harassment to be able to get a settlement. Pervasively, the senior Republican leadership, the rank-and-file Congressional leadership and the President of the United States, are trying to gut all of these rules that make it possible for victims to get remedies. You are correct that this is such an incredible example of how abusive these rules are, how immediately, the very first thought at Equifax, after of course making money by selling stock, was, “How can we compound this abuse? How can we rip off our customers even more? How can we make more money out of this and simultaneously prevent them from having any effective rule of law?” The Supreme Court has been very bad on this as well, in general upholding arbitration clauses where you have absolutely no ability as a consumer to negotiate. It’s a take-it-or-leave-it type deal, and it is becoming absolutely pervasive in corporate life. AARON MATE: Just to stress one thing, so if Equifax lost the data of half the U.S. population, obviously not anywhere near that amount are actual paid customers, voluntary customers, of Equifax, so they lost the data of a lot more people than signed up for their service. Yet, this forced arbitration that they’re subjecting people to if they want to get help, if they want to find out if their data was compromised, would affect everybody, even people who weren’t even voluntarily signed up with them before, right? BILL BLACK: Yeah. It’s like the old movie, that the lizards invade and they have these masks on, and there’s not a reveal until the third episode when they take the masks off and you see that it’s actually a crocodile-like thing that loves to eat humans. That’s what PR departments are all about. They create this false front. They make it appear, “Oh, look what we’re doing voluntarily, epic, unprecedented, to help you,” and it’s exactly the opposite. It’s a ripoff. To be a little more nuanced in all of this, we of course know Equifax as a credit rating agency, but Equifax has a number of other business lines, and one of the business lines it has is it sells this recovery service. You lose … you forget your password and such, they have these questions that you’ve prompted yourself to ask and answer. That means that folks they never had data on through their credit rating function, they have enormous information, actually far more detailed, far more commercially-valuable-to-hacker information, in these other corporate capacities. It appears that that may have been the particular entry point of this breach. They have not told us the nature of the breach, even though of course the bad guys know, but the public doesn’t know about the nature, the actual nature of the security screwup, which as I’ve said, is the third one in about 18 months to two years, third huge one, by Equifax AARON MATE: Right. The “Washington Post” has a piece talking about how now Equifax is asking people for even more information than is normally requested. Normally if you’re trying to verify your personal info, you put in sometimes the last four digits of your Social Security number, but now Equifax is asking for the last six digits, suggesting that the four were compromised en masse. The piece raised the question, well, if all that was compromised, it’s going to be harder now. How do we now securely verify our personal information if the digits of so many people are out there, have been breached? BILL BLACK: Right, and again this is the point, is all of these things have massive effects on the entire population, or virtually the entire population, but they’re secret, right? There is no real regulation of these matters. There’s nothing that really forces these companies to be honest with us about the scope of the breach and the risk that they have now inflicted upon us. That is outrageous, but it is again not just the norm. It’s becoming virtually the only situation that exists. AARON MATE: You mentioned earlier that there might have been some people tipped off to the breach on the inside, and that’s why they sold off stock. If that can be proven, what are the criminal implications of that? BILL BLACK: Well, that is a crime, insider trading. Again, it’s not just the sale of stock. There was the sale of stock. Three senior officials, including the chief financial officer, did sell, and they sold a lot of stock collectively, well over a million. On top of that, there was very suspicious trading, massively greater than the norm, in options, that the value of the option is driven by the stock price, and it was right after … it was right at the same time, basically, that these senior officers were doing the stock sales. Those option sales are probably much bigger in terms of the profits that they generated, and also of course suggest that there was a broader network of people who were tipped off. Again, their very first instinct was, “Okay, we’ve already shafted our customers, what can we do to our shareholders?” AARON MATE: Finally, Professor Black, I’m wondering if you can offer us some guidance here on two levels. On a personal level, what you think someone out there should do if they’re concerned about their data being breached, what steps they should take, what they should be concerned about, and also on a broader level, what policy implications that you think this massive data breach has. BILL BLACK: All right, let me start with the second one, because the danger … you read a publication like “Wired” about this, and it gives you the steps it suggests to take. Maybe 2 percent of the population would do that. We can’t fix this if we put the onus on 142 million Americans to become computer-literate and credit-literate and such. It will never work, so don’t let’s be pushed towards, “Well, you know, you should have taken care of it because, hey, I took care of it, and so screw the other 140 million people that were left unprotected.” Again, to do that, you’re going to have to actually have regulatory disclosure requirements. You’re going to have to have an office at the federal level that is in charge of investigating these kinds of breaches, like when a plane crashes. Find out what the hell happened, publish it, so that people know and draw generalities in terms of here are the kinds of exposures to look at. Even if you breach a company, they should never be able to come away with the crown jewels as they did at Equifax, much less the crown jewels on 142 million Americans. Now, beyond that, if you are savvy and such, you can put a hold on your credit rating system if you want. You can do that in these circumstances. You can put a fraud warning on it. You can post those things. Those protections are absolutely minimal, and if you freeze it and your credit would have been improving, then it may hurt you if you have to turn around and buy a home. The practical thing you can do is the usual stuff about identity fraud. Look at your statements. If you see things that you haven’t actually purchased, if you see withdrawals from your accounts that you didn’t make, immediately get in touch with the company. The best single thing you can do as a person is to really peruse your statements on a monthly basis. AARON MATE: Bill Black, white collar criminologist, Associate Professor of Economics and Law at University of Missouri Kansas City, author of the book “The Best Way to Rob a Bank is to Own One.” Professor Black, thanks very much. BILL BLACK: Thank you. AARON MATE: Thank you for joining us on The Real News.