It's been one year since Equifax announced it was the victim of a giant hack — four months after criminals stole the sensitive, personal information of more than 147 million people. In that year, not a whole lot has changed. No federal data breach notification laws, no big changes to how credit agencies collect information or tell you what they're collecting. Equifax’s stock is almost back up to where it was before it told the public about the breach. One thing that has happened though: Equifax has spent $200 million beefing up its security. That was part of a deal with eight states that let it avoid fines in exchange for better protecting our data. We dig into this in Quality Assurance, our Friday segment where we take a deeper look at a big tech story. Host Molly Wood talks with Lily Hay Newman, a security reporter for Wired, who says senior executives at Equifax told her they've improved their security infrastructure. The following is an edited transcript of their conversation.
Lily Hay Newman: [The security improvements are] their side of the story. And for 147 million people [whose data was stolen], there's probably outstanding questions about what that's really going to look like and whether they can trust those remediations.
Molly Wood: And we still don't know what, if any, long-term consequences there might be for Equifax. Is there any update on that side of the house?
Newman: There are some efforts to confirm that Equifax has made the changes to their security posture that they claim. Eight states signed an agreement with them, including California, to do sort of monthly progress updates and then a third-party audit at the end of this year to see how they're doing and check their progress. But, yeah, in terms of the larger superstructure of the credit monitoring and reporting industry and of the identity protection industry, a lot is really still deeply enmeshed and intertwined.
Wood: And how about the ramifications for consumers? Has any of that started to play out in any traceable way?
Newman: I don't believe so. I don't think we know what happened to the data. I don't think it's been released on the dark web or being sold anywhere. So, so far, it's not clear who took it or why. But I think the big ramification is kind of the larger issue of combining Equifax with all the other breaches that have happened. Now we really are at a point where people need to kind of assume that their Social Security number or their driver's license number or their home address has been compromised in a breach. Because even if it wasn't Equifax, combining that just massive amount of data with everything else that's been exposed over the years, the odds are starting to get pretty bad.
“I think the best compliment I can give is not to say how much your programs have taught me (a ton), but how much Marketplace has motivated me to go out and teach myself.” – Michael in Arlington, VABEFORE YOU GO