A year after Equifax breach, no enforcement actions

A new report by congressional investigators details how hackers broke into Equifax last year in a breach that exposed the financial information of more than 145 million Americans.

The lawmakers who requested the report say they will press the Trump administration on the lack of enforcement actions against the giant credit-reporting agency.

Shares of Equifax plunged by about one-third last year after news broke about the massive breach. Since then, the stock has recovered to about $10 below its peak before all the bad news and closed Friday at $135.91 a share. The company has reported a profit of $236 million this year, and second-quarter profit was down just 12 percent from the same period last year despite the breach.

Here is what you need to know about the breach and events since then:

HOW DID HACKERS BREAK IN?

The Government Accountability Office, the investigative arm of Congress, confirmed that a server hosting Equifax's online dispute portal was running software with a known weak spot. The hackers, who have not been identified, jumped through the opening. Hiding behind encryption tools, they sent 9,000 queries to dozens of databases containing consumers' personal information, then methodically extracted the information.

The attack went unnoticed by Equifax for more than six weeks.

Equifax officials told GAO the company made many mistakes. Some were as simple an outdated list of computer systems administrators — when the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.

WHAT HAS EQUIFAX DONE?

The company has said in regulatory filings that it has taken steps to fix the issues that allowed the breach to occur. Equifax said it has added tools to better monitor network traffic, restrict traffic between internal servers, and tighten controls on who can access certain systems and networks.

The congressional investigators said they did not judge those efforts.

Equifax spokeswoman Ines Gutzmer said the company will increase investment in security and technology by more than $200 million this year. She said the company has given consumers more control over their Equifax data and introduced a free credit-alert service in January.

There was also a management shakeup. The chief information officer and top security executive both retired, and Equifax hired a new chief technology officer from IBM.

WHAT INFORMATION WAS STOLEN?

The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and other information. Criminals can use those bits of personal information to commit identity theft.

Equifax stores a trove of data that provides a financial profile of millions of consumers, including how much they owe on their homes and whether there are court judgments against them.

WHAT SHOULD CONSUMERS DO?

Get your credit reports at AnnualCreditReport.com. By federal law, consumers can get a free copy of their credit report every 12 months from each of the three big agencies — Equifax, Experian and TransUnion —

Examine all your listed accounts and loans to make sure that the personal information is correct and that you authorized the transaction. If you find something suspicious, contact the company that issued the account and the credit-rating agency.

Consider freezing your credit, which stops thieves from opening new credit cards or loans in your name. It can be done online. Starting Sept. 21, consumers can freeze their credit for free because of a law that President Donald Trump signed in May, avoiding fees that were typically $5 to $10 per rating agency.

You'll need to remember to temporarily unfreeze your credit — that will also soon be free — if you apply for a new credit card or loan. And a freeze won't protect you from thieves who file a fraudulent tax return in your name or make charges against an existing account.

A new survey commissioned by LendingTree Inc. subsidiary CompareCards.com found that 91 percent of respondents had done something to protect themselves since the Equifax breach, with at least half looking up their credit score and examining account statements more closely. Only about 8 percent had frozen their credit.

Equifax has a page, https://www.equifaxsecurity2017.com , with a link to looking up whether your information was exposed.

WHO IS INVESTIGATING?

The Federal Bureau of Investigation, the Consumer Financial Protection Bureau and the Federal Trade Commission, among others. It is not clear whether the FBI investigation is limited to the theft of information, or extends to the actions of the company and its executives.

Regulators in eight states including California, Texas and New York, reached a consent order with the company requiring it to improve its cybersecurity risk. As part of the agreement, the company did not admit wrongdoing.

WILL EQUIFAX BE PUNISHED?

One year after the public learned of the breach, no federal agencies have announced any enforcement actions.

"Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information," said Sen. Elizabeth Warren, D-Mass., one of the lawmakers who requested the GAO report. She blamed the Trump administration and Republicans in Congress, and has proposed legislation aimed at preventing similar breaches.

Warren and Rep. Elijah Cummings, D-Md., said they have asked the Consumer Financial Protection Bureau and the FTC what they are doing about the matter.