Since Equifax announced that a data breach had left the personal information of tens of millions of people exposed last September, the Consumer Financial Protection Bureau — the US government’s top consumer watchdog — has received more than 20,000 complaints about the company, which is about double the number it received in the six months before.
Equifax has said the CFPB is investigating, but thus far the agency hasn’t taken any action. Acting Director Mick Mulvaney is instead trying to make the bureau’s complaint portal private so the public won’t even be able to see what’s happening. Sen. Elizabeth Warren (D-MA), however, would like to know what’s up.
Along with Sens. Brian Schatz (D-HI) and Bob Menendez (D-NJ), Warren released a new report on the Equifax data breach on Monday. The findings: In the six months after Equifax announced the breach on September 7, 2017, consumers have filed upward of 20,000 complaints regarding the company on the CFPB’s website related to the improper use of a credit report, incorrect information on a report, Equifax’s inadequate resolution to problems after the breach, and the identity theft solutions Equifax put out post-breach.
Despite the number and frequency of the complaints, the CFPB has yet to take any punitive action. In fact, it has taken just one enforcement action total since Mulvaney took over.
“The bottom-line is simple: Consumers are reaching out to the CFPB to help them deal with Equifax-related problems at nearly twice the rate they did before the recent data breach,” the report reads. “As part of its duty to consumers, the CFPB must continue a full-throated investigation into the Equifax breach, including the company’s response and its effort to work with consumers to mitigate the harm and repair any damage.”
The report includes some details of complaints filed by consumers, including one who claimed to have a job opportunity denied because of an Equifax credit report with false accounts and another who said they were directed to call six different phone numbers after the breach. “I have been a victim of identity theft and I have suffered from the credit breach,” another consumer wrote.
It’s been hard to get a read on exactly what the CFPB is up to, and whether Mulvaney, who took over for the Obama-appointed Richard Cordray in November, is taking the matter seriously. Reuters reported in February that the CFPB was scaling back its probe of Equifax, but the agency has denied the report. “The bureau is looking into Equifax’s data breach and response,” an agency spokesperson said in an email to Vox at the time. “Reports to the contrary are incorrect.”
The CFPB typically does not publicly confirm or deny confidential enforcement activities, but Equifax itself revealed the probe in its regulatory filings with the Securities and Exchange Commission.
While speaking with bankers and lending industry professionals at the American Bankers Association conference last week, Mulvaney said he wants to make the complaints portal — where consumers can file complaints about financial products and services — private, meaning nobody would know what harm Equifax and other companies might be causing customers and how the CFPB is responding. “I don’t see anything in here that says I have to run a Yelp for financial services sponsored by the federal government,” he said, holding up a copy of the Dodd-Frank financial reform law, according to the Wall Street Journal.
(That’s the same conference where Mulvaney said that as a member of Congress, he only met with lobbyists who donated to his campaign.)
On Monday, Warren, Schatz, and Menendez sent a letter to Mulvaney raising concerns about the 20,000 Equifax complaints and his proposal to make the bureau’s entire complaint portal private. “Without this information, researchers and advocates would lose the ability to track in real time the difficulties consumers are facing,” they wrote.
Interestingly, the letter is also addressed to Leandra English, the CFPB’s deputy director who is currently fighting Mulvaney for the acting director title in court. When former director Richard Cordray resigned in November, he designated English as his successor, and for a while there was a confusion as to who was in charge. A judge upheld Trump’s naming of Mulvaney as acting director, but the legal battle over it continues. The letter from Warren, Schatz, and Menendez actually names English as acting director of the CFPB and Mulvaney as director of the Office of Management and Budget.
The Equifax breach was really bad, and the government has yet to offer a real response to it.
In the US, 143 million Equifax users — about half of the country’s population — had their personal information compromised in a data breach that spanned several weeks in the spring and summer. (Equifax has subsequently revised up that number twice; it now says the breach affected 148 million people.)
The company waited about six weeks between discovering the data breach in late July and publicly announcing it in early September. In the meantime, three of its executives sold around $2 million worth of their shares in the company.
After it announced the data breach, Equifax offered customers affected free credit monitoring and identity protection services — as long as they agreed to a forced arbitration clause that barred them from joining forces with other wronged customers to sue the company. After a backlash, the company dropped the clause.
Equifax CEO Richard Smith stepped down in late September. In October, he testified before the Senate Banking Committee and faced questions about Equifax’s handling of consumer data and the breach, executive stock sales, and broader issues pertaining to credit bureaus such as Equifax, TransUnion, and Experian, which handle the personal information of millions of consumers. (Credit bureaus are partly regulated by multiple agencies.)
Equifax is potentially facing a number of potential legal consequences, although thus far, the outcomes remain largely unclear — it has confirmed that more than 240 class-action suits have already been filed against it and that it is cooperating with multiple investigations and probes, including by all 50 state attorneys general, the Federal Trade Commission, the Securities and Exchange Commission, the Financial Industry Regulatory Authority (FINRA), and various congressional committees, among others.
So far, just one person tied to the breach has been punished. In March, the SEC charged Equifax’s former chief information officer, Jun Ying, with insider trading.
Smith, the former CEO, stepped down with a payday of an estimated $90 million and is still getting a pension worth millions. Equifax’s new CEO’s target compensation is $20 million. Equifax in 2017 made $3.4 billion in revenue, up 7 percent from what it made the year before.
The company has been awarded hundreds of federal contracts worth millions of dollars over the past decade, including one especially eyebrow-raising one after the breach was revealed. The IRS awarded Equifax a $7.2 million no-bid contract to verify taxpayer identities, Politico first reported, but suspended the contract after public backlash.
Mulvaney just took action against Wells Fargo. Shouldn’t it be Equifax’s turn?
Mulvaney, who once described the CFPB as a “sick, sad” joke, has had a slow start taking over as the agency’s acting director. But that changed this month when the CFPB and another bank regulator hit the megabank Wells Fargo with a $1 billion fine for improperly charging thousands of customers for auto insurance they didn’t need and to lock in low mortgage rates — one of the most severe fines the CPFB has levied in its history.
Now, onlookers say, it’s time to do something about Equifax. “Equifax makes it clear that if they get the chance, they’re going to wiggle off the hook for having put more than half of all adult Americans at risk for fraud for years to come because of the data that were stolen,” Warren told me in February when she released a separate report about Equifax.
A handful of bills have been drafted in Congress to address the Equifax situation, though they haven’t gotten very far. In September, Warren and Schatz put forth a bill that would force Equifax and its competitors to provide free credit freezing and unfreezing services and offer overall better fraud alert protections; Warren and Sen. Mark Warner (D-VA) have also introduced legislation that would give the FTC more supervisory authority over credit reporting agencies.
At the moment, and given Congress’s broad inaction on a range of issues, the impetus is likely on federal agencies, state attorneys general, class-action suits, and, yes, the CFPB to act. It’s unclear how Mulvaney will choose to approach the situation, but the fact that he’s focused on making consumer complaints private instead of acting on them is not a good sign.
Read the full report from Warren, Schatz, and Menendez here or below.