Equifax’s rapid growth probably added to its hacking risk, experts say

Until a dozen years ago, Equifax Corp. quietly made most of its money helping banks and other lenders figure out which U.S. customers were a safe bet for a mortgage, auto loan or credit card.

Then Richard Smith was hired on as the Atlanta company’s new chief executive in 2005.

The former General Electric executive quickly embarked on a plan to rev up Equifax’s growth.

These days, thanks partly to a string of acquisitions in the U.S. and around the globe, Equifax is now a much bigger and more complicated company. It reaches into all kinds of places that people might not suspect, with a much deeper hold on the personal and financial data of hundreds of millions of folks.

Equifax not only knows when someone is missing payments on his or her auto loan or mortgage. The company most likely also knows that person’s immigration status, income, amount of wealth, assets, bank balances, current and past addresses, employer, rental history, utility bills and spending habits.

Equifax also aids various government agencies when people want to sign up for Social Security benefits, health insurance under so-called Obamacare, or to get a security clearance for a sensitive federal job.

The company even helps businesses to cash in on job tax credits tied to their hiring, such as under the federal welfare-to-work program or state economic incentive programs.

“It’s a disturbing amount of information Equifax has on you,” said Keith Snyder, an industry analyst at CFRA Research, an investment information firm. “They actually have a pretty good picture of your spending habits, where you spend, what you spend on. They’ve really branched out beyond providing credit scores.”

That massive collection of financial and personal data — plus a string of acquisitions around the globe — have propelled Equifax to become among the largest private credit-tracking firms in the world, with $3.1 billion in revenues last year — 2.5 times bigger than it was in 2004, the year before Smith was named CEO.

The company’s size has doubled by other measures as well, with operations in 24 countries and 9,500 employees, including 2,385 in metro Atlanta.

Growing risk

Recently, that growth also may have helped land Equifax in hot water.

Some industry experts say the company’s constant push to add on new acquisitions and more products based on an ever bigger and wider assortment of peoples’ private data may be partly to blame for a massive data breach.

The company recently disclosed that hackers stole the personal data of 143 million people in the United States, including Social Security numbers, names, addresses, dates of birth and driver’s license numbers. In the breach, which Equifax discovered in late July and disclosed on Sept. 7, the thieves also got credit card numbers for a smaller number of people. Similar information was exposed for international consumers.

An earlier hacking incident in March involving U.S. consumers came to light Monday as well. Both incidents were investigated by security firm Mandiant, Equifax said in a statement. Equifax said the March data breach “is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related.”

Equifax said it informed the affected people at the time of the March attack, and some publications covering security issues reported it then.

Equifax said in its recent disclosure that hackers didn’t get into its core credit databases. The company has offered free credit freezes and other protections.

Otherwise, Equifax officials did not respond to questions from The Atlanta Journal-Constitution for this story.

Equifax, Experian and TransUnion grew into the three biggest U.S. credit bureaus in the 1970s and ’80s by buying up smaller firms in what was then a highly fragmented industry.

But Equifax’s growth shifted into a higher gear more recently as it bought up new types of data companies and overseas firms. In 2016, it purchased Australian firm Veda Group for $1.7 billion. Before that, it bought TDX Group in the United Kingdom for $323 million.

Another big deal was its 2007 purchase of Talx Corp., which added a treasure chest of employment records. Its Worforce Solutions unit, which provides employee screening and other services, has been its fastest-growing business, with $703 million in revenue last year, up 84 percent in five years.

Equifax has done 14 acquisitions since 2009, according to Crunchbase.com.

Equifax has been seeking new market territories through such deals, said Snyder.

But the acquisitions also add to its trove of data on hundreds of millions of people around the globe. By connecting the dots between its growing number of data sources, that allows the company to come up with more and more products to sell to banks, insurance companies, retailers, government clients and others.

For instance, a bank might combine Equifax’s data on incomes and net worth with its own checking account information to figure out which of its customers might be good prospects for its wealth management services. Equifax also offers to do such analysis itself.

“The more information you hold on people, the more valuable you are,” said Snyder.

But the flip side of all this growth and expansive data reach, say experts, is higher risk that hackers will break through the company’s defenses and get away with a virtual supermarket of damaging information on hundreds of millions of people.

Protections may be lacking

Heading off such risks is daunting.

Companies need to get the technical details of security right, said Christopher Hart, a Boston lawyer with FoleyHoag, who works on cyber security cases for companies and other clients.

But equally important, management needs to be focused on “risk management from top to bottom,” he said. Employees need to be well-trained to build and maintain secure systems and to avoid rookie mistakes like opening “phishing” emails from hackers or using weak passwords that thieves can easily guess.

“I think when a company grows fast, any one of those components can get lost in the shuffle,” said Hart.

According to some news reports, after Equifax’s hacking disclosure, a security consultant tapped into personal employee information and consumer complaint records on the company’s website in Argentina by typing in a generic username and password, “admin,” short for “administrator.”

Equifax shut the site down.

Keeping a company secure from hackers also gets more complex as the firm gets bigger, with more units and products.

Even vetting and installing so-called “patches” to fix security holes or other glitches in software gets more difficult as the enterprise grows.

“The failure to install patches is one of the greatest reasons for security breaches,” said Hart, but not only with fast-growing companies. “A lot of times, breaches happen because people fail to install the patch,” he said. “It’s not uncommon.”

Earlier this month, Equifax and a software developer, Apache Software Foundation, blamed each other for a software fault that allowed the recent massive data theft.

Equifax said hackers breached a vulnerable spot in a website application called Apache Struts from mid-May to late July, when the invasion was discovered.

But Apache said it released a patch in March to fix the problem.

Credit bureaus have long been one of hackers’ favorite targets because they have so much key data on everyone. But Equifax’s ever bigger array of data and analytical products combining different bits of data makes it even more attractive, and harder to defend.

“Any time you have more data in more hands and you are using it in more ways, there’s more risk,” said Hart.


AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.

Reader Comments ...

Next Up in Business

Delta ending discount for NRA members
Delta ending discount for NRA members

Delta Air Lines announced Saturday it is ending a discount for National Rifle Association members. Atlanta-based Delta said it is ending its contract for discounted rates through the airline’s group travel program. “We will be requesting that the NRA remove our information from its website,” Delta said in a written statement...
Should you talk about your pay? Career experts weigh in
Should you talk about your pay? Career experts weigh in

Even with nearly every cultural taboo thrown to the wind− from discussing sexual orientation to politics; one last conversational taboo still exist among Americans − how much we get paid. "These days, it's okay to talk about the troubles we're having with our children or even our marriages," noted one blogger from PayScale...
BB&T recovering after 'technical issue' left customers without access to accounts, cash
BB&T recovering after 'technical issue' left customers without access to accounts, cash

Millions of BB&T customers were locked out of their accounts Thursday night and Friday morning due to an outage that bank officials said was caused by a "technical issue." The interruption of services was first reported Thursday night and appeared to last until just before noon Friday. “At this time, many of our services...
Krog Street Market developer plans redo of aging Atlanta hotel
Krog Street Market developer plans redo of aging Atlanta hotel

The developer of Atlanta’s Krog Street Market plans to convert an aging extended stay hotel in the Piedmont Heights neighborhood of the city into an eclectic boutique hotel. Atlanta-based Paces Properties said it has signed a deal with Texas hotelier Liz Lambert and her Austin-based hospitality company Bunkhouse to retrofit the...
UPS to add new electric delivery trucks to fleet
UPS to add new electric delivery trucks to fleet

UPS plans to deploy 50 electric delivery trucks as part of its fleet of brown vehicles, a move it expects could give a boost to adoption of electric vehicles across the industry. Sandy Springs-based UPS in its Thursday announcement said the trucks – which it is partnering with electric vehicle manufacturer Workhorse Group Inc....
More Stories