- Data breaches faced by Equifax revealed not just security lapses in the company, but a wider weakness in the U.S. credit reporting system, experts said
- The over-reliance on Social Security numbers for authentication has made hacking systems such as Equifax's appealing, placing consumers at the losing end
- Suggestions from experts to strengthen the current system include using a public credit registry and tighter laws to protect sensitive consumer data
More than sloppy cybersecurity measures, the massive data breach uncovered at Equifax revealed inherent flaws in the U.S. credit reporting system, chief among them the over-reliance on Social Security numbers, and showed that the system is in need of reform.
The Social Security number is a "chief means" of identifying and gathering information about an individual, according to the website of the Social Security Administration. Among other uses, it is required to open a bank account, apply for loans and file tax returns.
The wide usage in both government and private sectors, and the ease of using it to access highly-sensitive accounts, has made hacking systems such as credit reporting agencies more appealing, experts told CNBC.
Equifax, one of the three major credit reporting firms in the U.S., suffered one of the largest breaches in the country. The company said on Sept. 7 that it discovered a breach on July 29 that could potentially affect 143 million consumers — nearly half of the U.S. population.
"I think people should focus on not just why the breach happened and Equifax's behavior, but why the consequences of a breach like this are so bad," said Joel Brenner, former inspector general of the National Security Agency.
"Why is it that it's so easy to steal people's identity based on the kind of information that's been stolen? I think we should begin to look at that end of it, we might do more than simply focus on cyber insecurity," he added.
Equifax said the exposed data include names, birth dates, Social Security numbers, addresses and some driver's license numbers. It also said that 209,000 credit card numbers were obtained, in addition to "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."
Less than two weeks after revealing the compromise it discovered in July, the company said it had faced another security issue earlier in the year, in March.
While the company's security lapses have made it a low-hanging fruit for hackers, those incidents — and Equifax's subsequent handling of them — showed that consumers are at the losing end given the way the U.S. credit reporting system is structured, noted Chi Chi Wu, a staff attorney at the National Consumer Law Center.
"It's an odd system that has developed in the USA for judging creditworthiness. We have three private companies that trade in, and profit from, vast amounts of highly sensitive information about American consumers. These companies are publicly traded, so their highest goal is to make money for their investors," she told CNBC in an email.
"And American consumers have no choice. Our information is included whether we want it or not. Plus, consumers are not the customers (but) our information is the commodity of the credit bureaus," she added.
The three major credit reporting firms in the U.S., Equifax, Experian and Transunion, collect data from credit card companies, banks and other large lenders about whether or not borrowers pay their debt on time. The companies may also incorporate public information, such as bankruptcy, into credit reports that they sell. That is a system not vastly different from countries such as Canada, the U.K. and Australia.
In fact, each of the three major credit reporting firms in the U.S. has a presence in more than 20 countries globally, according to the company profiles on their respective websites. In particular, Equifax also operates in Canada and the U.K. — the two countries also affected in the data breach.
Regulations in many of those countries do not require private credit reporting companies to get consent from individuals to use and process their personal data. However, laws that govern data protection and how those firms handle breaches differ from country to country.
The European Union, for instance, will enforce from May 2018 a new General Data Protection Regulation that requires companies to notify the government within 72 hours of discovering a breach. In contrast, there is currently no such legislation on the U.S. federal level, although different states enact their own relevant statutes.
In Singapore, a bill was passed in 2016 to allow its central bank and financial regulator greater oversight to license and supervise the Southeast Asian city state's credit bureaus.
At the other end of the spectrum, China and Indonesia still largely rely on public credit registries. Increasingly, countries are looking to allow both public and private models to co-exist. China, for one, has allowed private firms to handle consumer credit information.
The World Bank said in a 2013 report that both models have their merits but that "a well-functioning credit reporting infrastructure performs the role of a public good." That is what is lacking in the U.S. system, and the set-up of public registries may help to tilt the balance in favor of better consumer protection, noted Wu from the National Consumer Law Center.
Agreeing, Mark Testoni, president and chief executive of SAP National Security Services, said all stakeholders ought to guard databases that store such critical information as "national assets."
"We need to guard them whether they're in the hands of private sector companies like Equifax or if the government has them," he said. "There is real value for these assets and there is a market for this information."