Last year between May 13th and July 30th, Equifax fell victim to a cyber-security breach where hackers were able to access roughly 145.5 million U.S. Equifax consumers’ personal data, in addition to at least 209,000 consumers’ credit card credentials being stolen.
Equifax, one of the three major credit agencies, announced the attack on September 7, 2017. Not only were American consumers impacted, but residents of Canada and the United Kingdom were as well.
The fallout of the major cyber hack made national headlines; Equifax shares plummeted 13 percent the day after the announcement and then-CEO Richard Smith stepped down soon after. Legal proceedings are still taking place, including a 50-state and Washington D.C. class-action lawsuit.
Shortly after the breach was announced by Equifax, LendEDU conducted a survey of American consumers to gauge their opinions on the matter. Just about a year removed, we have once again asked the public to weigh in on the credit agency.
Our newest Equifax study revealed the following key findings:
- Amongst respondents that were aware of the Equifax cyber-security breach, 37.04% had yet to check if they were affected by the attack
- Amongst those that had checked if they fell victim to the cyber attack,35.49% indicated that they had. Of that percentage, 30.41% said they have actively sought to join a class-action lawsuit, while 53.38% would like to.
- 80.8% of poll participants noted some level of concern regarding potential data breaches of a company they have used
- Exactly one year removed from July 12, 2017, there have been 36,045complaints filed on the CFPB’s Consumer Complaint Database against Equifax. 98.04% of those complaints pertained to “credit reporting” issues.
Full Survey Results
(The following survey was administered online to 1,000 adult Americans. Results for similar questions from 2017 survey listed in blue.)
1. On September 7th, 2017, Equifax announced a cyber-security incident (breach) involving consumer information. Are you aware of that incident?
a. 72.9 percent of respondents answered “Yes” (84.2%)
b. 27.1 percent of respondents answered “No” (15.8%)
2. (Asked only to those who answered “A” to Q1) In your opinion, do you believe that Equifax should have lost/still lose its ability to act as a credit bureau (mainly offering consumer credit history to financial institutions) in the United States following this incident in September of 2017?
a. 46.23 percent of respondents answered “Yes” (54.16%)
b. 20.44 percent of respondents answered “No” (17.81%)
c. 33.33 percent of respondents answered “Not sure” (28.03%)
3. (Asked only to those who answered “A” to Q1) Have you checked to see if you were affected by the Equifax cyber-security incident (breach) from September 2017?
a. 57.2 percent of respondents answered “Yes” (55.11%)
b. 37.04 percent of respondents answered “No” (44.89%)
c. 5.76 percent of respondents answered “I’d rather not say” (N/A)
4. (Asked only to those who answered “A” to Q1 and “A” to Q3) Were you affected by the Equifax cyber-security incident from September 2017?
a. 35.49 percent of respondents answered “Yes”
b. 61.39 percent of respondents answered “No”
c. 3.12 percent of respondents answered “I’d rather not say”
5. (Asked only to those who answered “A” to Q1, “A” to Q3, and “A” to Q4) Have you actively sought to join any class-action lawsuit filed against Equifax as a result of the cyber-security incident (breach)?
a. 30.41 percent of respondents answered “Yes, I have already done this”
b. 53.38 percent of respondents answered “Not yet, but I would like to”
c. 14.86 percent of respondents answered “No, I am not taking any action”
d. 1.35 percent of respondents answered “I’d rather not say”
6. (Asked only to those who answered “A” to Q1) Following the Equifax cyber-security incident, the company offered free credit monitoring for a year and agreed to waive the requirement that anyone using the service must settle disputes through arbitration. Knowing this and any other moves made by Equifax to remedy the incident, has your perception of Equifax changed for the better?
a. 30.59 percent of respondents answered “Yes, they are trying their best to help consumers”
b. 6.3 percent of respondents answered “Yes, other”
c. 28.4 percent of respondents answered “No, I have not yet forgiven them”
d. 6.04 percent of respondents answered “No, other”
e. 20.3 percent of respondents answered “I do not have an opinion after the incident”
f. 9.05 percent of respondents answered “Not sure”
7. In an effort to regulate credit reporting agencies, New York state recently announced that all credit reporting agencies operating within the state will be required to register with the state and comply with its cyber-security regulations. If regulations are violated, the state can block the credit reporting agency from serving New York residents. Do you agree with this government oversight of companies like Equifax, and do you think more states should follow suit?
a. 66.5 percent of respondents answered “Yes, I agree and believe more states should follow suit”
b. 6.3 percent of respondents answered “Yes, I agree but do not believe more states should follow suit”
c. 10.4 percent of respondents answered “Indifferent”
d. 3.3 percent of respondents answered “No, I disagree and believe other states should not follow suit”
e. 13.5 percent of respondents answered “Not sure”
8. In your opinion, would you feel more secure if the credit bureaus (Equifax, Experian, & TransUnion) were government-run agencies instead of for-profit corporations?
a. 30 percent of respondents answered “I would feel more secure” (25.3%)
b. 18.8 percent of respondents answered “I would feel less secure” (19.83%)
c. 25.7 percent of respondents answered “I would feel the same” (40.38%)
d. 25.5 percent of respondents answered “Not sure” (14.49%)
9. There have been attempts to pass legislation that would require credit reporting agencies like Equifax to automatically free consumer credit reports when a breach is detected. As a consumer, do you support this idea?
a. 29.1 percent of respondents answered “Yes, strongly support”
b. 33 percent of respondents answered “Yes, support”
c. 15.3 percent of respondents answered “Indifferent”
d. 4.7 percent of respondents answered “No, against”
e. 1.6 percent of respondents answered “No, strongly against”
f. 16.3 percent of respondents answered “Not sure”
10. Broadly speaking, how concerned are you when it comes to data breaches of a company that you have used?
a. 34.2 percent of respondents answered “Extremely concerned”
b. 46.6 percent of respondents answered “Concerned, but not pressing”
c. 6.5 percent of respondents answered “Indifferent”
d. 6.2 percent of respondents answered “Not very concerned”
e. 1.2 percent of respondents answered “Not concerned at all”
f. 5.3 percent of respondents answered “Not sure”
Observations & Analysis
Equifax’s Story Visualized by the CFPB Complaint Database
The Consumer Financial Protection Bureau (CFPB) is a U.S. government agency tasked with consumer protection in the financial sector. One of their most well-known features is the Consumer Complaint Database, a publicly-available database that allows consumers to file grievances against specific financial institutions.
LendEDU dove into this database to determine if we could pick up on any noticeable trends pertaining to Equifax and the cyber-security breach they experienced in 2017. First, we gathered all Equifax complaints filed from July 12, 2017 to July 12, 2018, the day this report was written. July 12, 2017 is significant because that was right in the midst of the Equifax breach, but a few months before the incident became public knowledge.
We then gathered all Equifax complaints that were filed on the CFPB’s database between the dates of July 11, 2016 and July 11, 2017. This range gives a picture of normalcy at Equifax that can then be compared to some of the company’s most stressful days during the breach incident.
The Consumer Complaint Database revealed that Equifax complaints more than doubled from the earlier window to the later one.
As the above graphic depicts, Equifax has had to deal with a whole lot more complaints over this past year than they did the previous. The main culprit behind this massive jump in consumer grievances is the complaint category related to credit reporting, where complaints nearly doubled year-over-year.
The data is none too surprising considering the massive cyber-security incident that the credit reporting agency has had to deal with for more than one year; people were sure to submit more complaints once the news broke. However, putting tangible data behind an overarching narrative helps paint the picture of just how severe the Equifax breach was.
Many Americans Still Have Yet to Check if the Equifax Breach Impacted Them
For an ordeal as serious as the Equifax cyber-security breach and for a service that is a widely utilized as Equifax’s, one would think more Americans were staying on top of the situation to make sure they were not affected; our survey suggested otherwise.
For starters, 27.1 percent of respondents indicated that they were not aware of the Equifax breach that occurred last summer. These poll participants were than not included in the following questions that will be discussed.
Amongst survey takers that were aware of the Equifax breach, more than one-third, 37.04 percent, had not yet checked if they were one of the more than 140 million victims of the cyber-security incident; another 5.76 percent of respondents opted not to say.
On the positive side of things, the percentage of Americans that had checked if the Equifax breach impacted them has increased year-over-year. Our survey last year revealed that 44.89 percent of adult Americans aware of the Equifax incident had not yet checked if they were impacted. However, considering just how many Americans have been estimated to be affected the Equifax breach, one would think more consumers would want to find out their status, especially since sensitive information like Social Security numbers, driver license numbers, and even credit card credentials were involved.
It is not too late to check if you fell victim to the cyber hack, and the Federal Trade Commission (FTC) has outlined steps to do that.
The first tab in the graphic above this text depicts what was just discussed: how many Americans have checked to see if they fell victim to the Equifax breach. The second tab visualizes how many consumers that did check if they were impacted by the incident actually were affected.
Nearly one-third, 35.49 percent, of those poll participants that checked their status after the Equifax cyber-security hack were indeed impacted by the unfortunate events. Another 3.12 percent opted not to reveal if they had been affected or not.
The numbers from this particular question actually fall closely in line with the overarching numbers of the entire situation. It is estimated that 145.5 million Americans were impacted by the Equifax cyber-security breach and the population of the United States is roughly 325.7 million. Those numbers taken together would mean that roughly 44.52 percent of the American public might have been impacted by the hack.
Taking into account that 3.12 percent of respondents did not want to reveal if they were victims of the Equifax incident and that 37.04 percent of survey takers had yet to even check if they were affected, and that 35.49 percent could conceivably be closer to the 44.52 percent just mentioned.
Further, amongst those poll participants that were indeed impacted by the Equifax breach, 30.41 percent indicated that they have actively sought to join a class-action lawsuit, while another 53.38 stated that they wanted to try to join such a legal proceeding.
As one could imagine, Equifax has been dealing with a massive legal headache since the breach was announced in September of 2017. As mentioned in the introduction, there is already a 50-state plus Washington D.C. class-action lawsuit against the credit reporting agency, in addition to numerous individual lawsuits and small-claims court actions.
Dr. Steven J. Hausman, a keynote speaker on emerging technologies, turned out to be one of the many victims of the Equifax breach, but has yet to join any lawsuits. His reasoning as as follows: “I have chosen not to join any of them [lawsuits against Equifax] yet since I would automatically be included as part of the affected group because they have all been consolidated into a single case that will be heard by a court in Atlanta. In addition, some consumers have sued (and won) in small claims court for actual damages but Equifax has strongly defended each of those lawsuits.”
Dr. Hausman continued on the minimal impact any successful lawsuit would have: “With most class action suits the result is simply that the company pays for credit monitoring. That may be less likely in this instance since courts seem to be viewing theft of data nowadays as a tangible harm. As a consequence there may be an actual cash payout to victims of the data breach. However, that amount is likely to be minuscule. If Equifax were to be responsible for, as an example, $1 billion then the payout for each of the approximately 149 million would be about $5.”
Public Perception of Equifax Has Improved
When news broke in September of 2017 that Equifax, one of the three major credit agencies and a $15 billion company, was hacked and sensitive data for over 140 million Americans had been leaked, there was public outcry much to the surprise of no one.
For its part, Equifax has taken steps since the breach to remedy the situation and to help consumers. Two of the major steps the company took were offering consumers free credit monitoring for a year and waiving the previous requirement that any user of the Equifax service had to settle disputes through arbitration. This gave victims the ability to join class-action lawsuits, of which there are many against the credit reporting agency but have since been consolidated into one case.
We asked the poll participants how these two reparative measures taken by Equifax have changed their perceptions of the company…
Albeit by an extremely narrow margin, there were more consumers that said the post-breach moves made by Equifax changed their perception of the company for the better than those that said the moves did nothing to impact their negative opinion. A combined 36.89 percent of respondents said their attitude towards Equifax has improved after moves like offering free credit monitoring and axing the arbitration clause. Contrarily, 34.44 percent of survey takers said the moves have nothing to alter their negative perception of Equifax.
Interestingly, 20.3 percent of respondents said that they have no opinion either way, while 9.05 percent of folks were not sure which way they leaned when it came to the credit agency. This could possibly mean that many Americans do not have enough interest in Equifax to develop feelings one way or the other, which could be interpreted as good news for the company.
Another question from the survey seems to aid this notion that Equifax still has plenty of potential to improve their public standing, especially when the answer results are looked at year-over-year.
In both last year’s survey and this year’s, we asked respondents if they thought Equifax should lose the ability to act as a credit bureau (mainly offering consumer credit history to financial institutions) in the U.S. Granted, this would be an extremely drastic, almost unrealistic, scenario, but it is nevertheless a good measure of Equifax’s public image.
Across the board, the year-over-year results for this particular question improved in favor of Equifax. Compared to 2017’s results, less Americans thought Equifax should be stripped of its ability to act as a credit bureau, more Americans thought Equifax should maintain its current standing, and more Americans became unsure of their position.
Max Aulakh, the Chief Information Security Officer at Ignyte Assurance Platform, indicated that Equifax is making strategic hires to ensure something like the September 2017 breach does not happen again. Aulakh stated, “Equifax hired Jamil Farshchi as their new Chief Information Security Officer (CISO). Jamil comes from Home Depot and if we recall a few years back Home Depot also had a breach. So Jamil comes with some real world industry experience on how to manage the organization during an event such as a cyber breach.”
Aulakh continued, “The other thing we noticed is that since the breach, Equifax is also gathering security talent from all over the industry to come work with them – this is evident on their careers page where more than 15 open positions are available for cyber-security experts of different sorts.”
The results from the two aforementioned questions taken together with recent Equifax hiring trends show that with time and a strategic plan, Equifax can very likely improve its public standing back to a level closer to where it was before the cyber-security incident in September of 2017.
If there is one thing that the American public consistently shows, it is the propensity to forgive and give people a second chance. Equifax is a company made up of people, and by making the right decisions and avoiding any more major mishaps, the credit agency can surely recover from that disastrous cyber-security breach.
All of the data found within this report derives from two sources. The first was the CFPB’s Consumer Complaint Database, a publicly available database that allows consumers to file grievances against financial institutions. For this particular report, we found complaints filed against Equifax during the following two time frames: July 11, 2016 – July 11, 2017 and July 12, 2017 – July 12, 2018.
The second source was an online poll commissioned by LendEDU and conducted online by online polling company OnePoll. In total, 1,000 adult Americans were interviewed based on the questions listed above. Respondents are selected at random from OnePoll’s online user panel. This survey was conducted over a five-day span, starting on June 28, 2018, and ending on July 2, 2018. Respondents were asked to answer all questions truthfully and to the best of their ability.