I’m pretty confident that the only people who haven’t yet heard of the massive breach at Equifax are living under a rock. The breach itself is pretty bad, comprising credit data on 3/4 of the adult population in the US. There are so many layers of bad security beyond Equifax that it creates a huge confidence crisis for the entire industry.
The biggest problem facing the credit industry is the complete fiasco of identity verification and management. Most of the disclosed information like full name, mother’s maiden name, and birthday can be obtained from most Facebook profiles. The Social Security Number, which was never intended to be a unique identifier, is almost comically easy to guess based on that. That information is often enough to assume someone else’s identity. If the purpose of the credit industry is to determine if someone can be safely loaned money, you’d think that a core part of that is strongly verifying if someone is who they say they are.
But this is not the case. Very little is done to actually verify the identity of the person asking to borrow money. The credit reporting companies don’t seem to care that fraudulent loans make their data less trustworthy. Even worse, they actively tell individuals that it’s their job to attempt to correct inaccuracies in their credit report! (Never mind, of course, that fixing inaccurate credit reports has proven to largely be an exercise in futility.) What kind of company tells its non-customers to do their work for them? Why should it be my job to make sure the data they’re selling about me is accurate?
So when a company wants to determine your credit-worthiness, they have to depend on an organization that can’t accurately tell you if the person standing in front of you is who they say they are, or whether the information they’re providing is even correct. Every incident of fraud is treated as a problem for the victim of identity theft, not as a massive organizational failure to ensure that credit reporting information is accurate. It seems all the more insane when you really talk through what they’re doing. The only reason they’re getting away with it is a massive cornering of the market by just three companies.
If the entire credit industry is going to be taken seriously, they have to tackle this gaping hole in their capabilities. Strong systems of verifying identity, a greater emphasis on preventing identity fraud before it happens, and quick and easy systems of correcting bad records should be mere table stakes.