Outrage, disbelief, confusion just a few of the things many Americans are feeling after learning that their names, social security numbers, birth dates, addresses, and driver's license numbers are potentially in the hands of hackers. Equifax, a credit monitoring company with a database of America's personal information, was hacked in the largest data breach involving social security numbers in history one
forty three million consumers. Equifax has set up a website and here's part of what you'll hear if you call its eight hundred number to freeze your credit information. Welcome to the Equifax Automated Security Freeze System. This automated system would allow you to place, temporarily, lift or permanently remove a security freeze from your Equifax credit file in accordance with your individual states file freeze law. There may be
a charge, but here's part of the problem. To better serve you, the following information will be required in order to comp lead your request. Your state, numeric portion of your current address, and social Security number. But do you really want to give Equifax this information? Again? Here to discuss the repercussions of this hack are two experts in cybersecurity. Eric Gordon, A professor at the University of Michigan Ross
School of Business, and Craig Newman, a partner at Patterson Belknap. Eric. Equifax said criminals gained access to certain files in the company's system by exploiting a weak point in website software, but there's no evidence of unauthorized activity on its main consumer or commercial credit reporting databases. Interpret that for us, what does it mean? Yeah, it means somebody obviously a
bad person. I mean, my mother didn't do this. Has information on a hundred and forty three million of us and so far, as far as Equifax knows, it hasn't been used. That information hasn't been used in a bad way. Now, you can guess that it's only a matter of time until Equifax discovers this or we discover this. But you know, does anybody believe this information was taken for anything other
than bad purposes? Eric? Are they saying that anything about their security system when they're saying exploiting a weak point in website software? Yeah, it gives you some idea of how the entrance happens. Are they different entry points into these databases? Uh? And they've told us what they what they think the entry point was it was on the website.
So so for people who you know, are actually sort of into the technology of this, it does give a clue as to what where it happened, not necessarily how it happened, Eric, I mean, Craig, excuse me, Craig. This is a huge breach obviously, but just if people are worried about what exactly has been exposed here, can you take us through some of the details of what got
you know, what got hacked? Sure, Michael, Yeah, it's very difficult, based on what we know now to really figure out what information has been affected, because if you look at the public disclosures that Equifax has made, they've said that quote, certain files have been accessed and potentially dred and forty three million Americans have been affected. So it's it's almost you don't know what you can't see because we don't
have all that much information. I think that's why, you know, consumers are scrambling and are kind of up in arms over the way this has been handled. But at the same time, all the companies, the data contributors that provide the information that makes Equifax and the other monitoring services go, they're also scrambling at the same time because they've got
their own legal obligations. So you've got coming at both sides. Eric, this is the third time in two years that Equifax has been hacked, not quite as badly the last two times. But did it improve its security following those other hacks? Did it put in more layers? You know, I don't know that for a fact, but I'm going to guess that they did, because the history of hacking is this is this sort of escalation thing where you escalate your defenses,
they hackers escalate their capabilities. So you know, on on Monday, the good guys might be ahead. That is well, I don't know if Equifax is the good guy, but Equifaxes defenses might be stronger on Tuesday, the hackers ability to attack might be stronger. This is just an endless and endless cycle. And um, as far as you know, Craig, are there multiple layers of security at Equifax? We really
don't know. I mean, you would think that a company that has the proverbial keys to the kingdom would have what we call layered security, and that's you know, firewalls, internal intrusion detection, and all sorts of kind of the latest bells and whistles to make sure you're keeping this information safe. But again we don't know exactly what Equifax
or the other credit monitoring companies have. You would think, however, that given the value of these massive warehouses of information that they keep, that they would have pretty sophisticated layer security. The hack of Equifax, a credit monitoring company, was the largest data breach in history involving social security numbers. Cyber Scout founder Adam Levin explains why that makes this hack
so serious. The problem is that the social security number is the scalon key to our identities, and when that's stolen, we're in a position where we're going to have to be lucky over our shoulders for the rest of our lives. We've been discussing this hack with Eric Gordner, professor at the University of Michigan Ross School of Business, and Craig Newman, a partner at Better Patterson Belknap. Craig, there's all kinds of advice out there. Do you have any advice about
what people should do? Now? Look, it's the most important thing at this point is to put a credit freeze in with all the credit reporting agencies, and it's all three of them. Because you want to prevent any sort of criminal from opening an account, taking out a loan, or doing anything in your name, and the way to do that is to put a credit freeze on your account. Eric.
One of the things that was most remarkable in the news after all this happened was the news that to seen two executives at Equifax sold a lot of stock shortly after learning about the breach. What's the story worry on this and and how could something like that end up happening? Well, it could end up happening innocently. It could have been a sale they planned in advance. But
it looks terrible. Looks terrible because of this. It turns out this hack apparently went on from mid May to July, and somehow Equifax didn't discover it, But they discovered it on July twenty nine and waited until last Thursday. They waited almost six weeks to make that news public. But Insider sold something like one point eight million dollars of their stock right away, So they got to do something that may have helped themselves that the rest of us
didn't get to do. So, even though it could be perfectly innocent, it could have been a preplanned sale. It sure looks terrible to the other hundred and forty three million of US something I'm sure the SEC will be looking into as well as the SEC Craig. There are so many agencies involved in this, the FTC doing investigation, state attorneys general, they are going to be multiple congressional inquiries.
Will this help security in the future, Well, this breach, June, it's it's bigger than than Equifax, because you're talking about big data and how these stockpiles of information are safeguarded really in the face of a really sophisticated threat environment. And at the same time, the growth of big data and these these warehouses of information just keeps leaping and growing. So you have really a collision of these two interests and that's really going to be the story um with Equifax.
But you know, you're also going to have You've got two class actions already, You've got the New York Attorney General, You're going to have the usual course of cries for congre sational hearings. But the real question is is this going to become a teachable moment where people sit up
and take notice and say, this is a really significant hack. Eric, you know in addition to all the investigations that obviously have to go on, and we'll go on here, there are a couple of class action lawsuits that have already been filed. Um, what kind of liability does that does Equifax face here? Uh, you know, under the law for having you know, given the sheer amount of data we've got out having been breached. Yeah, I think they face
serious liability that's going to be measured in billions. That's with the b and they're gonna be three groups that come after them. The obvious group is the people whose data was stolen, but they're not the only ones. You're gonna see class actions from shareholders and Equifax who are going to sue the officers and directors, which is the same as suing Equifax in the end um for um
for you know, some kind of breach of duty. You're also going to see credit card issuers, the banks, the stores that actually issue credit cards come after Equifax because they're going to have to issue you know, millions and millions and millions of new credit cards, so they're going Equifax is going to be facing lawsuits in a lot
of courts from a lot of people. And uh, you know, we we know from the prior the prior ones, the home depots, the targets that they're they're going to end up settling, and it's going to be big amounts Greig have there there are three major credit reporting companies. Have the two others ever been hacked? Well, one of the
other's experience had to hack two years ago. And but in terms of just sheer numbers, I think it was about fifteen or eighteen million consumers that were affected, So those were relatively minor compared to Equifax, where you have the potential you know, is Eric noted, you have the potential of will belye the largest class action lawsuit ever withd percent of the American population as class members, and Eric is there. Is it just impossible to stop these hacks?
It just it seems, I mean, the government has been hacked, has been so many hacks, is it impossible to stop them? I mean, ironically, the other big Social Security hack was a government site office of Personnel Management. I don't think it's possible to stop them. But you know, the law doesn't require won't probably won't require you to be perfect. But I think what the law is going to evolve to require at least for people like credit agencies that
have Social Security numbers, birth dates. Things that can haunt you forever is that you show that you did everything that was the state of the art at the time. Uh. And if you did anything less, I think you're going to be in trouble. I think what the law needs to do is to make the penalties designed in such a way that every company that has really sensitive data spends whatever money it takes. Not to stop you there, Eric, but we'll be back to this topic. Thank you both.
That's Eric Gordon, a professor at the University of Michigan rass School of Business, and Craig Newman, a partner at Patterson Belknap, coming up on Bloomberg law. Google appealing a record fine from the EU to the highest court in the EU. This is Bloomberg