It’s a bit ironic when you think about it: One of the biggest — if not the biggest — risks of having your social security number and credit card information stolen by hackers is the potential damage to your credit rating, and it was a credit rating agency that was hacked, allowing just that very thing to happen.
All told, Equifax Inc. (NYSE:EFX) spilled the personal financial beans of 143 million people by allowing cybercriminals to breach what should have been some of the world’s most secure data.
The reaction was swift, of course, and the fallout was tremendous. EFX shares tumbled on the order of 13% on Friday after the company announced the data breach, though all things considered it could have been worse.
Myriad questions surfaced, of course, quickly followed by the announcement of lawsuits. There are only two overarching questions circulating though. The first one is, how did this happen? The second question is, now what?
Equifax Data Breach
The news came out in the form of a press release posted after Thursday’s close, though the data breaches started happening months ago.
Oh yeah … Equifax knew about the hacks on July 29 (yep, over a month ago). The company just decided to not tell anyone until it cleaned up the mess as best it could.
On the one hand, there’s a certain degree of savvy in not letting the hackers know you know. And, inciting a panic from the public may induce actions that make any repair work just that much more difficult. On the other hand, consumers have a right to know when their personal data that could cause them harm has been made available to a potential (and likely) criminal, even if that makes life a little more difficult for Equifax. Individuals have choices Equifax doesn’t, such as becoming a subscriber to personal-data security service provider Lifelock.
As for how it happened, the intuitive answer is also the right one — hackers outsmarted the cybersecurity defenses Equifax thought were adequate.
In its defense, while 143 million peoples’ data was technically jeopardized, only about 200,000 credit card numbers were exposed. And to its credit, Equifax is offering a year’s worth of free credit-monitoring services to anyone impacted by the hack. It’s a choice those consumers shouldn’t have to make in the first place though.
There’s a not-entirely-uncompelling argument that once the dust settles, the gaffe won’t have a long-lasting impact on EFX shares. Sadly, computer hacking is commonplace now, and people’s lives are lived so digitally many of them essentially expect their data to be stolen sooner or later. Consumers have largely grown numb to it.
Those same consumers are losing their will to forgive and forget though, and unlike in the past, they won’t “get over it.”
As evidence of this idea, just look at the stumble Chipotle Mexican Grill, Inc. (NYSE:CMG) suffered in late 2015, when it was pegged as the source of an E. coli outbreak that infected 52 people. That wasn’t the first, second or even the third time Chipotle had been implicated in widespread food poisoning cases. It was the first time, however, consumers didn’t forgive and forget.
While last quarter’s results were slightly better than expected and better than year-ago levels, they’re still not “good” in terms of its historical growth. Surveys taken in the meantime suggest consumers still think very poorly of the company due to a gaffe that played out almost two years ago.
That said, Equifax may be committing the same public relations sin Chipotle did after its E. coli debacle, even if only inadvertently.
Rather than apologize and send a message of humility in early 2016, Chipotle essentially deflected the blame on anyone other than itself — including the Center for Disease Control — via a strange and uncomfortably inaccurate letter of complaint to the CDC’s chiefs.
Equifax’s response hasn’t been quite on par with Chipotle’s, though it’s not been empathetic or adequate either. The website set up to help people figure out if they’ve been affected or not didn’t offer much in the way of actual help to potentially-impacted individuals, while phone agents reportedly didn’t have access to information consumers were seeking on the matter. The shortcoming would have been forgivable has the hack occurred yesterday. Again though, Equifax has had since July 29th to prepare for this day. They had to know the public would freak out.
Throw in the fact that a handful of Equifax’s higher-ups suspiciously sold $2 million worth EFX stock after the breach was discovered but before it was closed, and what you’ve got is a PR disaster.
Bottom Line for EFX Stock
Equifax will survive, to be sure, but it won’t be pretty or graceful. Gone are the days where consumers let things in the past stay in the past as long as a company made a sincere effort to right its wrong. Ditto for companies that rely on credit score companies.
Lenders and the like can tap Experian and TransUnion to get the same data EquiFax offered, and they likely will … not because just checking a credit score puts a borrower’s information at risk, but because Equifax may not have the tight cyberthreat controls it needs to have when it comes to its customers.
In other words, Equifax just inflicted some damage on itself that could hold EFX stock back for a long, long time. You may not want to go bargain-shopping here.
As of this writing, James Brumley did not hold a position in any of the aforementioned securities. You can follow him on Twitter.