The Better Business Bureau’s reason for being is to protect unsuspecting consumers from harm by businesses, and yet it maintains its “A” rating for Equifax, a business that may have done more harm to consumers than any other in recent history.
The world learned on September 7 that Equifax had been the victim of a hack that exposed data on 143 million people to theft. Many, many people had no idea that Equifax even held their data, because the company vacuums up data from banks, credit card companies, and retailers. And the exposed data was notable for being unusually rich.
In fact, the BBB’s own Howard Schwartz described the event to the Danbury (Conn.) Daily Voice as “startling” in scope. “This information includes the basic building blocks of identity theft, such as consumers’ names, addresses and Social Security numbers,” he said.
While Equifax has made a business of greedily hoarding the information that punishes consumers who have imperfect credit, it has so far gone relatively unpunished for a security posture that left mountains of data exposed to hackers.
So what gives? According to the BBB, until it is proven that Equifax was at fault in the hack, its “A” rating will stand.
“At this point it hasn’t been shown that there’s been any malfeasance by the company,” says spokeswoman Katherine Hutt. “So at this point they are a victim in the same way the consumers are a victim until the investigation is complete or until there’s a government action.”
Actually, many security experts have already weighed in to say that such a massive breach was preventable. Equifax blamed a flaw in the Apache Struts web framework, a bug that was revealed in March. This suggests Equifax had time to fix the problem before the main part of the breach occurred in May.
Hutt says the BBB’s ratings are based largely on the way businesses respond to customer complaints, and adds that Equifax has been very prompt in responding to complaints. I asked Hutt if a business that practices misconduct and yet answers complaints quickly would still maintain a high rating with the BBB.
“It depends,” she said. “But generally yes.” However, Hutt said if the BBB sees a pattern of complaints about a company it will address the issue with the company. She says the BBB has so far not seen such a pattern of complaints from consumers about the data breach. But, she adds, it can take up to a month for such complaints to be processed.
Meanwhile, it’s been reported by many that Equifax customer service reps often don’t know how to respond to a request to freeze one’s credit file (one of the only avenues of defense against Equifax for consumers). Consumer Affairs gives Equifax just one out of five stars for consumer satisfaction. Consumers have filed more than 57,000 complaints about Equifax with the Consumer Financial Protection Bureau dating back to 2012–an average of about 31 a day.
And Standard & Poor’s downgraded its outlook on Equifax from “stable” to “negative” after the data breach was reported. “The negative outlook reflects substantial uncertainty surrounding the eventual impact of this incident,” Standard and Poor’s said in a statement.
Hutt said a government action against Equifax could immediately and seriously lower Equifax’s rating. This could come in the form of an action by a state attorney general or a government agency like the Securities & Exchange Commission, she said.
But the government is already very interested in Equifax. The Senate Banking Committee has called CEO Richard Smith to testify about the data breach on October 4. Smith was one of several Equifax top executives who unloaded significant amounts of personal stock in the company after the breach was discovered. The Justice Department has already begun a criminal investigation into that part of the affair, Bloomberg reports.
The BBB’s ratings practices have been called into question before. A 20/20 segment back in 2010 indicated that companies could buy good ratings by paying dues, although the organization has revamped its system since then.
Asked whether protecting customer data in a responsible way is part of the official criteria for the BBB’s ratings, Hutt said that falls under “privacy,” which falls under “transparent business practices.” But neither the words “data,” “security,” nor “privacy” appear under that heading. The section addresses companies withholding vital information from customers, which, between the end of July and September 7, Equifax did.
The massive data breach was discovered July 29, but Equifax waited more than a month to report it. And a Bloomberg report cites three sources saying the original breach actually happened back in March.