The Banality of the Equifax Breach

Consumer data breaches have become so frequent, the anger and worry once associated with them has turned to apathy. So when Equifax revealed late Thursday that a breach exposed personal data, including social-security numbers, for 143 million Americans, public shock was diluted by resignation.

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

People have started to experience data loss and theft in a new way. Breaches have settled into a kind of modern malaise, akin to traffic or errands. They are so frequent and so massive that the whole process has become a routine.

Online data, like usernames and passwords, have been leaked and hacked with such frequency and in such great quantities (a hacker stole more than a billion Yahoo! email accounts in 2013), that savvy people treat their credentials as violated in advance. Breaches of more sensitive data, like bank, social-security, address, and health or employment records, have also become common. Home Depot, Target, Sony, Anthem, the U.S. Office of Personnel Management, and other recent violations felt shocking and violating at first, but over time that sensation has waned. With over half of the entire U.S. adult population potentially exposed by the Equifax breach, what’s left to do but shrug and sigh? I’ve got so many stacked-up subscriptions to credit-monitoring services from previous consumer breaches, adding another one would be superfluous.

Most organizations affected by hacks and leaks have treated the matter with great seriousness and care, understanding that their reputations were on the line. But whether intentionally or not, Equifax appears to have leaned into the new malaise, treating this massive breach with the bureaucratic apathy one might expect from a big, faceless credit-reporting agency—a company everyone must use, but no one chooses to.

The announcement of the breach, which came after hours on Thursday, offered the first sign of indifference. Media outlets, including The Atlantic, rushed to cover the matter, but details were slim. When my colleague Gillian White contacted them, Equifax offered no further comment beyond the materials they had published on an informational website. Other outlets experienced similar silence.

Those websites confused the matter more than they clarified it. Set up at a new domain, equifaxsecurity2017.com appeared, to some users, like a phishing effort. Given the option to assuage concern, why set up a new domain that would only instill more of it? Once inside, this sensation only amplified. The site offers a tool to “determine if your personal information may have been impacted by this incident,” but accessing it requires submitting a last name and the last six digits of a social-security number. That’s a lot of data to hand over to anyone, especially an organization that has just demonstrated that it cannot be trusted with it.

Once submitted, the website either confirms no impact, or it offers an ambiguous response, inviting the supposedly impacted person to sign up for credit-monitoring services from TrustedID Premier, an Equifax subsidiary. Even that task cannot be performed immediately; the user is presented with a date on which the process can continue. The website also warns that no further notice will be provided to the user. It recommends marking your calendar. Even those who were not affected, according to Equifax’s confusing tool, are invited to sign up for TrustedID, making the whole affair feel like a grotesque marketing campaign.

In press coverage and on social media, some have speculated that submission of the personal information requires the individual to agree to Equifax terms of service that mandate arbitration in the case of dispute. If true, such an agreement would prohibit affected parties from suing Equifax, including via class-action lawsuits. But even this ambiguity seems unclear. TrustedID Premier’s terms of use do require agreeing to arbitration to use the service, but TrustedID’s services are separate from Equifax’s. The terms page itself is identical to the one that appears on TrustedID’s stand-alone website, although it was updated the day before the breach was made public, suggesting that the company buttoned up in anticipation.

Ultimately, not only is it unclear if one must agree to arbitration for access to the free credit-monitoring services—it’s also uncertain if consumers even learn the fact and details of their breached data without signing up for TrustedID, with or without agreeing to arbitration with Equifax. The whole affair is permeated with unknowable rules, some of which feel like traps.

In the end, the truth of the Equifax breach—who was affected, and how, and what the company will do to help, and what the terms of such assistance entail—might not be the most important lesson from this incident. More than anything, it suggests that a corner has been turned in corporate consumer data responsibility. Like severe weather, breaches have become so frequent and severe that they can begin receding from prominence. No matter their grievous effects, Equifax’s response suggests that fatalism might replace responsibility, planning, and foresight. This is just what happens now.