Data Breach. Yesterday, Equifax revealed that it incurred a massive data breach – impacting at least 143 million consumers. Equifax is reaching out to all of its clients – including many online lenders – to let them know what it is doing to mitigate the effects of this massive breach. Equifax’s official statement is that they are ensuring a breach like this never happens again, none of their core credit databases were penetrated, and they plan to offer every U.S. consumer free credit monitoring for a specified period of time.
What’s Next? There are already news reports that Equifax may not be handling the influx of concerned consumers well – requiring consumers to enter their last name and last six digits of their Social Security number (which has irked more than a few consumers). Interestingly, this request for “last six digits” seems to indicate that the typical requirement for last four is not enough to verify consumers’ identities after this breach.
Equifax, however, is doing the right thing by actively reaching out to their clients and consumers. They have assured their clients that the breach related only to their consumer facing site and not to their core credit database, so consumers’ credit reports (detailing tradelines, etc.) were not exposed.
Lender Implications. Today, online lenders will review their third-party risk management protocols to better understand the nature of the breach and to develop a response to their impacted clients. Tomorrow, online lenders will have to get some comfort that Equifax has sufficiently handled this problem and, as they are handling this problem, online lenders need to ensure that Equifax is still able to handle other aspects of its relationship with these clients. Namely, Equifax has a large suite of fraud prevention products that the online lending industry relies on, among other related services.
Also of note, the long term effects of this breach may impact the integrity of the data that online lenders use for a variety of reasons (target marketing and prescreened offers, underwriting and pricing for instance). If that impact is negative, it could hurt the operations of the online lenders and could also result in more fraud due to the speed of the process – online lenders will need to show how their security accounts for these highlighted risks.
OLPI will continue to monitor this story as it develops. OLPI will also ensure that this issue – cyber security risks—is fully briefed at its 2nd Annual OLPI Policy Summit this month on September 25 in Washington, DC. For more information, please visit http://www.onlinelendingpolicysummit.com/