The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Brad Stone: Equifax is a Category 5 breach

By Brad Stone Bloomberg View

What a mess, and I don’t mean Hurricane Irma’s destructive impact. Equifax, one of America’s three major credit bureaus, revealed last week that its website had been breached and that the names, Social Security numbers, birthdates, addresses and driver’s license numbers of 143 million Americans may have been compromised. That’s more than half the U.S. population, including me. Maybe? “Based on the information provided, we believe that your personal information may have been impacted by this incident,” the Equifax incident response website informed me when I entered in my name and the last six digits of my Social Security number.

Outrage over the incident, and ensuing confusion, is building quickly. New York Attorney General Eric Schneiderman wants to know when the company learned about the breach and how exactly it happened. The Securities and Exchange Commission will almost certainly look into why three Equifax executives sold stock before the company made its announcement, precipitating a sharp drop in share price. (The company says the guys didn’t know.) The first of an inevitable avalanche of class-action lawsuits has been filed.

But really, we just have to take a moment and let our collective jaws hang open in abject stupefaction. We have seen so many other big breaches over the last few years (Yahoo, Target, etc.) that we have become inured to these kinds of incidents, and the attendant masses of potential victims.

But really – Equifax?! Along with TransUnion and Experian, the company’s primary mission is to compile, store and disseminate personal information on customers to creditors who want to know if they are making good loans or not. And to do it securely! That’s all.

We don’t have many details about what happened, but the options are all bad. The company says, for example, that the hackers exploited a “website application vulnerability to gain access to certain files.” So the culprits walked in through the front door. Was the American public’s sensitive, personal information stored together in a database accessible from the web? That would be inept. If names, addresses and Social Security numbers were siloed and stored separately, how did thieves get it all? The scope of the hack suggests they walked into the house and cleaned out every room.

The implications, for me and 143 million others, are sickening. Hackers or their customers could potentially open credit cards or other forms of credit in someone else’s name but change the home addresses on the accounts so that it’s difficult for us to detect. Equifax is offering victims a year of its identity-monitoring service, but thieves could just sit on the information for 12 months and then start exploiting the data.

Or, the likeliest possibility: Nothing at all happens, but in a year when the free term expires, we’ll feel compelled to start paying $20 a month to renew Equifax’s security blanket or sign up for LifeLock. Right now, that feels almost like a ransom to companies that hoard our personal information but can’t or don’t care enough to protect it.

Partly, I’m bitter. A decade ago, I fell victim to identity theft and a Seattle hacker with a bit of an online shopping addiction. There wasn’t much of a financial cost; my credit card company quickly negated the charges, but it was a massive waste of time. The first thing you learn in these situations is that it’s nearly impossible to get anyone from Equifax, Experian or TransUnion on the phone, and that interpreting and navigating their websites and the various forms of credit protection they offer is a full-time job. These companies play a huge role in our lives, but they simply aren’t accountable, and are often unavailable, to consumers at all.

Sen. Elizabeth Warren, D-Mass., made her name trying to make these companies more accountable and transparent. On Friday, she was directing her Twitter ire at Equifax. “It’s outrageous that @Equifax – a company whose one job is to collect consumer information – failed to safeguard data for 143M Americans,” she wrote. Perhaps now, with the fierce wind of 143 million outraged victims at their backs, lawmakers will step up regulation of an industry that seems to be making our lives more complicated, not less.

Brad Stone is a columnist for Bloomberg View.