|Traded as||NYSE: EFX
S&P 500 Component
|Industry||Credit risk assessment|
(as Retail Credit Company)
|Headquarters||1550 Peachtree St. & One Atlantic Center, Atlanta, Georgia, U.S.|
|Rego Barros Jr.
(interim chief executive)
|Revenue||US$ 3.144 billion (2016)|
|US$ 817.9 million (2016)|
|US$ 488.8 million (2016)|
|Total assets||US$ 6.664 billion (2016)|
|Total equity||US$ 2.662 billion (2016)|
Number of employees
Equifax Workforce Solutions
Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. Founded in 1899 and based in Atlanta, Georgia, it is the oldest of the three largest credit agencies along with Experian and TransUnion (known as the “Big Three”). Equifax has US$ 3.1 billion in annual revenue and 9,000+ employees in 14 countries. It is listed on the NYSE as EFX.
Aside from offering credit and demographic related data and services to business, Equifax sells credit monitoring and fraud-prevention services directly to consumers. Like all credit reporting agencies, the company is required by US law to provide consumers with one free credit report every year.
Equifax was also the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017 with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered evidence of the cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
Equifax was founded in Atlanta, GA, as Retail Credit Company in 1899. The company grew quickly and by 1920 had offices throughout the US and Canada. By the 1960s, Retail Credit Company was one of the nation's largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of their business was making reports to insurance companies when people applied for new insurance policies including life, auto, fire and medical insurance. All of the major insurance companies used RCC to get information on health, habits, morals, use of vehicles and finances. They also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.
Retail Credit Company's extensive information holdings, and its willingness to sell them to anyone, attracted criticism of the company in the 1960s and 1970s. These included that it collected "...facts, statistics, inaccuracies and rumors… about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." The company was also alleged to reward its employees for collecting negative information on consumers.
As a result, when the company moved to computerize its records, which would lead to much wider availability of the personal information it held, the US Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year which gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.
The company later expanded into commercial credit reports on companies in the US, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database as ChoicePoint in 1997. The company formerly offered digital certification services, which it sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger (See Certegy and Fidelity National Information Services for further information).
In October 2010, Equifax acquired Anakam, an identity verification software company.
Equifax purchased eThority, a business intelligence (BI) company headquartered in Charleston, South Carolina in October 2011. eThority is partnering with TALX, a St. Louis-based business unit of Equifax, and will remain in Charleston. 
Equifax Workforce Solutions is one of the 55 contractors hired by the United States Department of Health and Human Services to work on the HealthCare.gov web site.
For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries. Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non financial data on businesses of all sizes. Equifax collects and provides data through the NCTUE, an exchange of non credit data including consumer payment history on telco and utility accounts.
In 1999, Equifax began offering services to the credit consumer sector in addition, such as credit fraud and identity theft prevention products. Equifax, and other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from US Equifax credit records.
March 2017 security breach
On 18 September, 2017, Bloomberg News reported that Equifax had been the victim of a "major breach of its computer systems" in March 2017, and that in early March it had begun "notifying a small number of outsiders and banking customers" about this attack.
According to Bloomberg's report, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party who breached Equifax's computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant (owned by FireEye, Inc.) to assist in investigating the March attack. The same cybersecurity firm was hired following the May–July breach.
May–July 2017 security breach
|“||[The Equifax breach] very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.||”|
|— Dan Goodin, Why the Equifax breach is very possibly the worst leak of personal info ever. (Ars Technica, 2017)|
On 7 September, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers. Information on an estimated range of under 400,000 up to 44 million British residents as well as 8,000 Canadian residents were also compromised.
Though the attack was stated to have begun in mid-May, the breach was not observed until July 29, according to Equifax CEO Rick Smith and a subsequent report by Equifax. Information accessed by the hacker (or hackers) in the breach primarily includes first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were also accessed.
Equifax stated in a September 15 statement that it hired the services of Mandiant on 2 August to internally investigate the intrusion. The statement did not however record in its timeline exactly when government authorities ("all U.S. State Attorneys General" and "other federal regulators") were notified of the breach, although it did assert "the company continues to work closely with the FBI in its investigation."
Equifax shares dropped 13 percent in early trading the day after the breach was made public.
Numerous lawsuits have been filed against Equifax as a result of the breach. In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.
Equifax said the breach was facilitated using a flaw in Apache Struts (CVE-2017-5638). A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later. However, this was not the only point of failure: contributing factors included the insecure network design which lacked sufficient segmentation, potentially inadequate encryption of personally identifiable information (PII), and ineffective breach detection mechanisms.
On 15 September, Equifax issued a press release with bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The statement further commented on issues related to criticism regarding its initial response to the incident. The company also announced the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.
Three days after Equifax revealed the May-July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax, introduced a bill to the US House that would reduce consumer protections in relation to the nation’s credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss. The bill would also eliminate all punitive damages. Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach."
On 2 October, 2017, Equifax revealed that the estimated number of affected Americans was 2.5 million more than previously reported. This brought the total number of potentially impacted Americans to 145.5 million.
Following the announcement of the May-July 2017 breach, Equifax's actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September. Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.
It was also revealed that three Equifax executives sold $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public. The company said the executives, including the chief financial officer John Gamble, "had no knowledge that an intrusion had occurred at the time they sold their shares". On 18 September, Bloomberg reported that the US Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.
When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress which is not generally considered suitable for high-security applications. These issues led Open DNS to classify it as a phishing site and block access. Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their social security number.
The website set up to check whether a person's personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information.
Equifax has been criticized by security experts for registering a new domain name for the site name instead of using a subdomain of
equifax.com. On 20 September, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting's site was upfront to visitors that it was not official, however, telling visitors who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.
2017 exposure of Argentinian consumer data
In September 2017, Brian Krebs revealed that an Argentinian arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered "admin" as both the username and password for one of its online systems.
2017 withdrawal of vulnerable mobile apps
On 7 September 2017, the same day as Equifax announced a large security breach, Equifax removed its official mobile apps from the Apple App Store and from Google Play. While these apps themselves were not reportedly connected to that breach, they had security flaws of their own, being vulnerable to man-in-the-middle attacks owing to some parts using HTTP instead of HTTPS.
Lawsuits and fines
The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act. In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.
In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act. In her lawsuit, Miller alleged Equifax had merged her credit reports with another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller’s credit report. The award included $18.4 million in punitive damages, and $180,000 in compensatory damages. Miller’s lawyer, Justin Baxter, explained that the false reporting damaged Miller's reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with. The jury’s verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act. An Equifax spokesperson said that Equifax is considering appealing the jury’s verdict. A federal judge reduced the award to $1.62 million in 2014.
In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead. A Heartland Bank spokesperson said the bank "immediately investigated and contacted the credit reporting agencies after Haman reported" she was still alive. An Equifax "spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman’s credit report after a reporter’s inquiry."
In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.
- Credit bureau
- Credit score
- Identity theft
- Fair Credit Reporting Act
- The Work Number
References and footnotes
- Surane, Jennifer; Melin, Anders (26 September 2017). "Equifax CEO Richard Smith Resigns After Uproar Over Massive Hack". Bloomberg.com. Retrieved 27 September 2017.
- "Equifax Reports Fourth Quarter and Record Full Year 2013 Results". investor.equifax.com. Equifax. Retrieved 8 December 2014.
- "Company Profile". equifax.co.uk. Equifax. Archived from the original on 25 December 2014. Retrieved 8 December 2014.
- "How to protect yourself against the theft of your identity". The Economist. 14 September 2017. Retrieved 15 September 2017.
- "All Products and Solutions | Business | Equifax". www.equifax.com. Retrieved 2017-09-23.
- Equifax. "All Credit Score, Credit Report & Identity Theft Products | Equifax". www.equifax.com. Retrieved 2017-09-23.
- "Free Credit Reports". Consumer Information. 2013-03-26. Retrieved 2017-09-23.
- "The Dizzying Number Of CFPB Complaints Against Equifax Since 2012 Should Infuriate You". Fast Company. 2017-09-18. Retrieved 2017-09-18.
- Equifax (2017-09-07), Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer Data., retrieved 2017-09-12
- Separating Equifax from fiction, Wired, September 1995, retrieved 13 September 2007
- "Equifax Blog - Equifax Acquires Anakam". Anakam.equifax.com. 17 July 2012. Archived from the original on 17 July 2012. Retrieved 10 September 2017.
- Kearney, Brendan (October 4, 2011). "Equifax buys local eThority: Company to stay, grow in Charleston, founder says". The Post and Courier.
- USAtoday, front page October 24, 2013, “Hot seat for stealth website builders
- "FraudIQ Authenticate Device Product Description ("Anonymous device properties are processed by a pattern matching engine to recognize the device")" (PDF).
- Riley, Michael, Anita Sharpe, and Jordan Robertson, "Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed", Bloomberg News, September 18/19, 2017.
- "Why the Equifax breach is very possibly the worst leak of personal info ever". CNBC. Retrieved 10 September 2017.
- Haselton, Todd (2017-09-07). "Credit reporting firm Equifax says cybersecurity incident could potentially affect 143 million US consumers". cnbc.com. Retrieved 2017-09-08.
- Shepardson, David. "Equifax failed to patch security vulnerability in March: former CEO". reuters.com. Reuters. Retrieved 3 October 2017.
- Hern, Alex (2017-09-08). "Equifax told to inform Britons whether they are at risk after data breach". The Guardian. Retrieved 2017-09-11.
- Isai, Vjosa (September 7, 2017). "Canadians among 143 million people affected in Equifax hack". The Toronto Star.
Hackers targeted names, Social Security numbers, birth dates, addresses and driver’s licence numbers, Equifax said in a statement. “Limited personal information” from residents in Canada and the U.K. was also accessed, it said.
- "Equifax confirms Britons hit by breach". BBC News. 2017-09-15. Retrieved 2017-09-16.
- Ligaya, Armina (2017-09-19). "Equifax says 100,000 Canadians affected by cyberattack". CTVNews. Retrieved 2017-09-21.
- "Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes". investor.equifax.com. Retrieved 2017-09-16.
- "Cybersecurity Incident & Important Consumer Information | Equifax". Cybersecurity Incident & Important Consumer Information. Retrieved 2017-09-07.
- Melin, Anders (2017-09-07). "Three Equifax Managers Sold Stock Before Cyber Hack Revealed". Bloomberg.com. Retrieved 2017-09-08.
- Mills, Chris (2017-09-08). "Equifax is already facing the largest class-action in history". bgr.com. Retrieved 2017-09-08.
- Thadani, Trisha (September 13, 2017). "Lawsuit against Equifax filed in federal court in San Jose". SFGate.com. Retrieved 13 September 2017.
- "A Guide to Surviving the Equifax Data Breach". CNET. Retrieved 2017-09-12.
- Lieber, Ron (10 September 2017). "After Equifax Breach, Here’s Your Next Worry: Weak PINs". The New York Times. Retrieved 12 September 2017.
- "How to freeze your credit after a data breach". The Verge. Retrieved 12 September 2017.
- Fung, Brian (9 September 2017). "After the Equifax breach, here’s how to freeze your credit to protect your identity". Washington Post.
- nixawk (March 7, 2017). "CVE-2017-5638 - Apache Struts2 S2-045 #8064". GitHub. Retrieved September 16, 2017.
- Whittaker, Zack. "Equifax confirms Apache Struts flaw it failed to patch was to blame for data breach". ZDNet. Retrieved 14 September 2017.
- "Failure to patch two-month-old bug led to massive Equifax breach". Ars Technica. Retrieved 14 September 2017.
- Newman, Lily Hay. "How to Stop the Next Unstoppable Mega-Breach—Or Slow It Down". WIRED. Retrieved 29 September 2017.
- Gallagher, Sean. "Equifax hackers stole data for 200k credit cards from transaction history". Ars Technica. Retrieved 29 September 2017.
- Lomas, Natasha. "Equifax breach disclosure would have failed Europe's tough new rules". TechCrunch. Retrieved 29 September 2017.
- Shaban, Hamza (2017-09-15). "Two Equifax executives will retire following massive data breach". Washington Post. ISSN 0190-8286. Retrieved 2017-09-17.
- Levin, Bess. "Equifax Lobbied to Gut Regulations Right Before Getting Hacked".
- "Equifax Inc Contributions to Federal Candidates, 2016 cycle - OpenSecrets". www.opensecrets.org.
- Weisbaum, Herb, “Republicans in Congress Want to Roll Back Regulations on Credit Bureaus”, NBC News, September 11, 2017, Retrieved September 18, 2017
- Lazarus, David (19 September 2017). "Despite Equifax hack, GOP lawmakers want to deregulate credit agencies". Los Angeles Times. Retrieved 20 September 2017.
- Weise, Elizabeth; Bomey, Nathan (2 October 2017). "Equifax breach hit 2.5 million more Americans than first believed". USA Today. Retrieved 4 October 2017.
- "6 Unanswered Questions For Equifax After A Massive Data Breach Of 143-Million Americans' Personal Information". Retrieved 2017-09-08.
- "Cybersecurity Incident & Important Consumer Information". equifaxsecurity2017.com. Equifax. 2017. Retrieved 13 September 2017.
- Solon, Olivia (2017-09-07). "Credit firm Equifax says 143m Americans' social security numbers exposed in hack". The Guardian. Retrieved 2017-09-11..
- Morley, Katie (8 September 2017). "Equifax hack: 44 million Britons' personal details feared stolen in major US data breach". The Daily Telegraph. Retrieved 9 September 2017.
- "Equifax Stock Sales Are the Focus of U.S. Criminal Probe". Bloomberg.com. 2017-09-18. Retrieved 2017-09-18.
- Bahney, Anna. "6 Equifax hack rumors fact-checked". CNNMoney. Retrieved 2017-09-12.
- "Equifax's hack checker is a hot mess -- here's what to do". Cnet.com. Retrieved 10 September 2017.
- Chacos, Brad (2017-09-08). "Equifax hack: How to know if you're affected". PCWorld. Retrieved 13 September 2017.
- Robertson, Adi (September 8, 2017). "Can you join a class action suit if you use Equifax’s free identity theft protection?". The Verge.
- Mosendz, Polly; Nasiripour, Shahien (8 September 2017). "Equifax’s Hacking Nightmare Gets Even Worse For Victims". Bloomberg.com. Retrieved 13 September 2017.
- Fung, Brian (2017-09-08). "By signing up on Equifax's help site, you risk giving up your legal rights". chicagotribune.com. Retrieved 13 September 2017.
- "Equifax finally responds to swirling concerns over consumers’ legal rights". The Washington Post. Retrieved 2017-09-08.
- "What Equifax owes us all: A free credit freeze at all agencies, for starters, and loads of answers". New York Daily News. 12 September 2017. Retrieved 13 September 2017.
- Kirsch, Melissa (12 September 2017). "Equifax Is Waiving Their Credit-Freeze Fees for 30 Days". lifehacker. Retrieved 13 September 2017.
- Astor, Maggie (2017-09-20). "Someone Made a Fake Equifax Site. Then Equifax Linked to It.". The New York Times. ISSN 0362-4331. Retrieved 2017-09-21.
- "Equifax sends breach victims to fake notification site". Ars Technica. Retrieved 21 September 2017.
- Morse, Jack. "Equifax has been directing victims to a fake phishing site for weeks". Mashable. Retrieved 2017-09-21.
- "Equifax reportedly used 'admin' as password in Argentina". Cnet.com. Retrieved 16 September 2017.
- "Equifax suffers fresh data breach". BBC News. 13 September 2017. Retrieved 16 September 2017.
- "Equifax's app has disappeared from Apple's App Store and Google Play". Fastcompany.com. 11 September 2017. Retrieved 16 September 2017.
- "Here's Why Equifax Yanked Its Apps From Apple And Google Last Week". Fast Company. 15 September 2017. Retrieved 16 September 2017.
- Equifax Fined $250,000 Fine By FTC Archived October 7, 2008 at the Wayback Machine, NBC 10, 3 August 2003, retrieved 13 September 2007
- "Equifax to Pay $250,000 to Settle Charges". ConsumerAffairs.com. 2003-07-30. Archived from the original on 2007-08-17. Retrieved 2007-07-23.
- Patrick, Robert (8 February 2014). "'Excuse me, I'm not dead' St. Louis County woman pleads to her bank". St. Louis Post-Dispatch. Retrieved 18 February 2014.
- "An $18 Million Lesson in Handling Credit Report Errors". The New York Times. 2 August 2013. Retrieved 2 August 2013.
- "Equifax must pay $18.6 million after failing to fix Oregon woman's credit report". The Oregonian. Archived from the original on 29 July 2013. Retrieved 26 July 2013.
- "Jury Awards $18.6M For Equifax Credit Report Mix-up". Archived from the original on 15 December 2013. Retrieved 29 July 2013.
- "Equifax weighs appealing $18.6M award to consumer". Retrieved 31 July 2013.
- "Judge cuts Oregon woman's award in Equifax case". Retrieved 3 February 2015.
- Weiss, Debra Cassens (11 February 2014). "Woman sues in effort to prove she is alive". ABA Journal. Retrieved 18 February 2014.
- Gershman, Jacob (10 February 2014). "Woman Listed as Deceased Files Lawsuit Claiming She’s Alive". Wall Street Journal Law Blog. Retrieved 18 February 2014.
- White, Martha C. (11 April 2014). "God Just Wants Some Credit, So He's Suing Equifax". NBC News. Retrieved 22 April 2014.