A company that supplies stock market indexes reportedly warned investors in August 2016 that Equifax, one of the nation’s three major credit bureaus, appeared to be ill-equipped to fight off a sophisticated cyber attack. Apparently Equifax didn’t get that warning; otherwise, hackers might have been prevented from accessing the sensitive financial information of more than 140 million Americans.
The Wall Street Journal writes that MSCI, which provides a number of indices for tracking and predicting the behavior of the stock market, concluded last summer that Equifax was no longer a company investors could reasonably rely on to keep its data safe.
MSCI has a group of stock indices that take into account a company’s economic, social, and governance (ESG) factors. Prior to last summer, Equifax had been included in these indices, but then MSCI determined that Equifax had failed to perform regular cybersecurity audits, train its employees to recognize risks associated with an attack, or have an emergency response plan in the case of a breach.
At first, Equifax remained on the MSCI ESG Leaders index, but with a 0/10 score for privacy and data. (Competing credit bureaus TransUnion and Experian scored a 4.9 and 6.9, respectively.) Then, in Nov. 2016, Equifax was removed from this index over concerns about data security.
That was still nearly four months before March 8, 2017, when the Department of Homeland Security’s Computer Emergency Readiness Team sent Equifax a notice of the need to patch a vulnerability in the software on the company’s public-facing network. However, the company failed to patch all the holes, and by May 2017 the hackers were stealing data from Equifax.
It wasn’t until the end of July — nearly a full year after MSCI downgraded Equifax’s privacy and data score to zero — that anyone at Equifax was aware of suspicious activity on its network. The public wasn’t notified until Sept. 7, 2017.