Equifax's feet are being held to the fire — and that fire keeps getting higher.
The beleaguered company announced Friday evening that its chief information officer, David Webb, and chief security officer, Susan Mauldin, had retired. A statement said Mark Rohrwasser would serve as interim CIO and Russ Ayres would be interim CSO.
Since the breach, the now retired Mauldin's internet presence has begun to disappear. A podcast interview with her was taken down and her LinkedIn profile, which archival copies of showed the former chief security officer studied music composition in college and had no security degree, had the last name changed to "M." and was set to private.
Equifax's internal probe into the massive security breach, which affected the personal financial histories of half of America, is still ongoing. The company is continuing to work closely with the FBI in its investigation.
But are these moves will be enough to tamp down the growing conflagration surrounding the company?
"Not at all," Ed Mierzwinski, Senior Fellow for U.S. PIRG, a Washington-based advocacy group, told NBC News in an email. "These are calculated sacrifices at a company with a troubled record."
"All the credit bureaus have a troubled culture because consumers do not regulate their markets," he added. "You cannot vote with your feet. They've only just begun to be reined in under the CFPB after 40 years of sneering at consumers and the FTC."
Adding to the scrutiny, Sen. Elizabeth Warren also announced Friday that her office is opening up an investigation into Equifax and introducing a bill that would give consumers the power to freeze their credit report for free.
How Did This Even Happen?
"I am troubled by this attack," the Massachusetts senator wrote in a letter to the CEO of Equifax. "We must understand exactly what failures allowed hackers to gain access to nearly 150 million Americans' sensitive data. Equifax has failed to provide the necessary information describing exactly how this happened, and exactly how your security systems failed."
The longtime consumer advocate joins a bonfire party of government bodies, including the FBI, FTC, several states' attorneys general, over 30 class action lawsuits, a bevy of individual small claims cases, and rampant customer outrage since the July breach was announced last week. In addition to that revelation, a reported nearly 200,000 credit cards were also compromised.
Watchdogs are referring to the debacle as "corporate malfeasance," noting that it is "the worst breach in history."
The hot glare stands in marked contrast to the cool breeze the credit bureaus have felt for decades with little to no oversight or regulation, consumer advocates say, despite holding and making money off the deep and personal data on nearly every American citizen.
This is no accident. The three top credit reporting agencies, Equifax, Experian, and TransUnion have spent millions lobbying for lighter regulation and in campaign donations to congressmen who will keep their mandatory protections low and profits high.
From 1998 to 2017, Equifax alone has spent over $9 million in lobbying, primarily on debt, credit report, credit score and personal information issues.
Perhaps tellingly, Warren also sent letters to the Consumer Financial Protection Bureau and the FTC asking whether they had authority to investigate the breach and the adequate power to regulate the agencies and protect consumers.
It's not too hard to guess what direction the answers will go.
"The credit bureaus have never been forced to have a 21st century database. The reason is because they don't have to," said Mierzwinski.
Decades of Weak Consumer Protections
Since the rise of consumer credit in the 1970s, credit bureaus have fought back against efforts to ensure accuracy and maintain stricter consumer protections.
Historically, the bureaus have been under the wing of the FTC, but the agency was neutered in the 1980s after it took on too many opponents in Washington. Under the "FTC Improvement Act of 1980" its supervisory and rule-making powers were taking away, leaving it defanged of much of its enforcement powers.
In the wake of the housing and financial market meltdown of 2008, the Dodd-Frank act was introduced to beef up consumer protections across the financial services industry. But, although the new law granted the CFPB powers to regulate the kinds of privacy notifications that consumers receive, it also included a carve-out that preserved a previous ruling. That legislation, known as the Gramm–Leach–Bliley Act, places the burden on consumers to opt out from data collection and marketing practices and, more importantly, does not have a minimum standard of protection for their private data.
Whatever level of protections these measures provided, clearly they weren't enough to stop the Equifax breach — and apparently did nothing to mandate adequate response and redress.
Related: Equifax Melts Down as Angry Consumers Flood Hotlines
"We know [the credit bureaus] didn't make an investment in accuracy until recently," said Chi Chi Wu, a lawyer for the National Consumer Law Center. "In the last couple of years they have moved better with respect to dispute processing. That's because the CFPB has been supervising them and the state attorneys general have been taking enforcement action."
The day the breach was announced, Wu was testifying in Congress against a bill that would have rolled back financial penalties for violations of Fair Credit Reporting Act, a 40-year-old rule that requires credit reports to not have mistakes or contain false information.
The new bill, the FCRA "Harmonization" Act, was sponsored by and endorsed by 14 congressional representatives, 10 of whom have received campaign donations linked to the big three credit bureaus.
"We don't regulate them enough, given the public good that they provide," Kim Schoenholtz, the Henry Kaufman Professor of the History of Financial Institutions and Markets at NYU's Stern School of Business, told NBC News of the credit bureaus.
"Modern economies depend on the provision of credit and the ability to quickly obtain household credit risk," key efficiencies that the agencies provide. "When there are public goods involved, the public sector should be involved to make sure there are protections for this data," he said.
And if the invisible hand of the marketplace is supposed to course correct, it's asleep at the wheel.
"The three credit reporting agencies are a natural oligarchy," said Wu. Unlike with, say, wireless providers, where a handful of companies control the overall market — and if you don’t like one you can just switch — when it comes to credit bureaus, "the consumer has no choice."
Speaking of the private sector, there are controls there that would have stopped the breach or limited its impact.
"The U.S. breach was an Apache vulnerability that had a patch available back in March. According to Payment Card Industry Data Security Standard, all critical patches must be applied within 30 days," Greg Sparrow, general manager for CompliancePoint, which does PCI certification for Equifax vendors, told NBC News in an email.
The widely accepted PCI DSS also includes such provisions as requiring basic "file integrity monitoring" that could have detected changes in files being added, changed or modified, such as the data being copied to a separate part of the server to prepare it for transferring to the hacker's computer, a common aspect of data breaches.
But those rules only apply to the parts of a database that store actual credit cards and numbers.
"The Payment Card Industry Data Security Standard is specific to payment cardholder data," PCI Security Standards Council CTO Troy Leach told NBC News. "It outlines essential data security controls and practices to safeguard payment data that is stored, processed and/or transmitted by merchants and other organizations."
The key phrase is "payment data." So Equifax might get into trouble for PCI compliance for those 200,000 credit cards reportedly stolen in the breach — but not for the 143 million people whose private information is now at risk.
While TransUnion and Experian did not immediately respond to an NBC News request for comment, Equifax spokesperson Meredith Griffanti told NBC News, “Equifax works closely and in a bipartisan way with lawmakers and federal agencies to ensure new legislation captures the benefits of credit reporting to the U.S. economy, as well as the effects of certain regulation on the financial system."
"We believe in fair industry regulation and advocating for policies that protect consumers’ rights, as well as the integrity of the consumer data industry,” she said.
