Users of Facebook are accustomed to trading personal data for convenience. Until 2031, Facebook Inc. is on privacy probation by the U.S. Federal Trade Commission, because, the FTC said in 2011, the company “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowed it to be shared and made public.”
Still, through a little-known arrangement, Facebook Inc. routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions. Yes, that Equifax.
Every week, Facebook provides an electronic data feed of its employees’ hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook’s employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records.
A typical employee at Facebook may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job. If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20. (A Facebook spokesperson declined to comment on the company’s relationship with Equifax and the Work Number.)
The “News Feed” Of Salary History
Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle also provide an electronic feed of their employees’ hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden’s former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to Equifax Workforce Solutions.
Started in 1995, the Equifax Work Number database now holds over 296 million employment records covering employees at all wage levels, from CEOs to interns. On a weekly basis, the database receives current payroll data on “approximately one-third of the working population in the United States” from a wide range of sources: 75% of the Fortune 500 companies, 85% of the federal government workforce, entire state governments and agencies, courts, colleges, and thousands of small businesses nationwide now feed the Work Number database.
Counterintuitively, companies actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history. Employers like Facebook hire the service not only to process–and fight–workers’ unemployment claims, but to provide “verification services” of an employee’s income and work history whenever contacted by an approved third-party creditor, such as a credit card company, mortgage lender, landlord, debt collection agency, auto financing company, student lender, or government benefits administrator.
Government agencies also pay Equifax to help manage how social service benefits get distributed to certain households. For example, the TALX data can help determine an applicant’s social services or welfare eligibility, or inform child support collections and enforcement. (In some cases, these fees may be partially subsidized by the data-contributing employer, Equifax says, but most are paid in full by taxpayers.)
Gathering all this data is lucrative. Equifax’s workplace solutions division—an outgrowth of its $1.2 billion acquisition of the TALX Corporation in 2007—is now among the company’s fastest-growing businesses, making up more than a fifth of the firm’s $3.1 billion revenue last year. “The return on that $1.2 billion investment turned out pretty good,” Rick Smith, Equifax’s recently-departed CEO, said at an event at the University of Georgia in August. “That acquisition, by the way—I don’t know if I’m proud of this or not—but it’s worth about $9 billion today.”
The service and its giant database help streamline various processes for employers and other agencies, and they help employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.
“Without the Work Number,” said Equifax, “a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”
But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, “with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created.”
The Data Is The Danger
Despite the sensitivity of this employee data, Equifax has had trouble protecting it. The massive data breach that the company announced in early September, which resulted in the theft of more than 143 million Americans’ social security numbers, credit card information, and other data, did not include income and employment information from the Work Number, Equifax said. But salary data is also vulnerable. In fact, Equifax Workforce Solutions suffered a security incident before “The Breach.”
In May 2017, Equifax informed some of its customers that unauthorized access to their employee tax records continued, undetected, for nearly a year, between April 17, 2016, and March 29, 2017. These Equifax security lapses occurred in another of TALX’s databases, the Tax Form Management platform, after “crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees,” according to cybersecurity expert Brian Krebs.
Marisa Salcines, an Equifax spokesperson, wrote in an email that the fraudulent access “was reported to law enforcement and regulators, and we worked with our customers to provide notice to impacted individuals.” Among the employees affected were workers for defense giant Northrop Grumman, staffing firm Allegis Group, and the University of Louisville.
Maddeningly, Krebs noted, Equifax wasn’t able to determine how many people were actually impacted. Because the fraudsters were able to gain access to records seemingly legitimately—resetting PINs by successfully answering personal questions about the affected employees—the company couldn’t determine exactly which accounts were, in fact, accessed without authorization. In a May 15 letter, an Equifax attorney told one of the impacted companies, “TALX believes that only a small percentage of these potentially affected accounts were actually affected.”
The company also does not know the exact extent of the damage wrought by the breach. “We do not know of any specific fraud incidents linked with the Work Number,” Salcines, the Equifax spokesperson, said by email. The security firm Mandiant, which Equifax hired to investigate both the TALX database incidents and the larger breach, “found no evidence that these two separate events or the attackers were related,” she said.
Security concerns around TALX’s data didn’t end there. Shortly after the company announced its large breach in September, a team of researchers was able to access 14,000 consumer records after slipping into an online portal designed to allow Equifax employees in Argentina to manage credit report disputes from consumers in that country. As Krebs reported, the portal was “wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”
On October 8, Krebs uncovered another gaping hole in the Work Number’s online consumer application portal, which allowed anyone to view a person’s salary and employment history “using little more than someone’s Social Security number and date of birth–both data elements that were stolen in the recent breach at Equifax,” Krebs noted.
Equifax denied there was any security lapse, but on October 8, the same day as the Krebs report, the salary lookup portal was taken offline for maintenance. “This work was not in response to any kind of suspicious activity,” said Salcines, the Equifax spokesperson. “In general we have accelerated planned updates across our business unit based on the recent incidents and media coverage.” On November 3, Equifax re-opened the portal with what it said were additional security measures.
Following the giant breach it disclosed in September, Equifax now faces numerous lawsuits and has three times announced the departure of top executives. But it’s not clear what effect, if any, the security concerns have had on its employee-verification business. When asked last month by Bloomberg News reporters, Wal-Mart and the rest of the country’s 40 largest employers, representing some 12.5 million workers, said they had no plans to stop providing data to the Work Number.
Individuals Are The Product
Hacks or breaches aside, the Work Number database presents a continuous threat for both employees and consumers. That’s because, in addition to employee verification, Equifax monetizes the Work Number database in a variety of ways. In other words, the personal salary information that goes into the Equifax “Work Number” database is available for sale to others.
For example, Equifax sells the “Work Number Select” data product to third-party creditors, such as mortgage lenders, which receive a real-time alert from Equifax if an existing mortgagee loses his job. According to Equifax marketing materials, “as the Work Number receives updates with each pay period–and unemployment continues to rise–it’s important that you’re alerted to new information on your portfolio as soon as the employer makes a change.”
Katrina Blodgett, a former lawyer with the Federal Trade Commission, isn’t surprised that Equifax is selling the data given to it by unsuspecting employers. “They are a credit bureau. They sell credit information to lenders,” she said.
Sometimes, employers, landlords, insurance companies, banks, and hospitals must get your permission before obtaining a copy of your report to use in a financial decision. If your report is used against you, you are supposed to receive an “Adverse Action Notice” alerting you to the negative decision.
But financial companies with whom you have a pre-existing relationship, such as credit card companies, student lenders, mortgage servicers, and debt collectors, do not have to get your permission to obtain your Equifax Work Number employment report. For instance, because collecting on an existing debt is not considered to be an adverse action, if Visa pulls your Work Number report to find your current employer or source of income, and uses that information to extract payment from you on overdue debt, you may not find out unless you request a copy of your report. (Federal law requires, and Equifax confirms, that “employee-consumers” are entitled to receive a free copy of their file once a year.)
“There are special restrictions on how credit reports can be used in hiring decisions, but there are no special restrictions on how employment reports (such as salary information) are used for non-employment purposes,” Blodgett told NBC in 2007.
The database also plays a critical role in administering the Affordable Care Act. The Department of Health and Human Services awarded the Equifax Work Number a five-year, $329 million contract to supply all 50 states with information about people’s income and employer-sponsored insurance coverage. Federal officials are relying on Equifax to provide wage information about individuals that is more current than what is available on federal income tax returns. Equifax even promotes its role as Obamacare’s “primary employment data source” to solicit additional corporate clients.
Where Does All The Data Go?
Has your employment information been collected by Equifax and “verified” to a third-party creditor? Maybe. In order to find out, you’ll need to investigate.
To request a free Employment Data Report, you can fill out a form at the Work Number website, or make a request by mail or through a toll-free phone number. Equifax says the report, which you’re entitled to receive once a year, contains information about all lenders, credit agencies, and other verifiers that have attempted to pull your data or that have received it.
The company also provides a way for consumers to dispute an item on their credit file at any time, by phone, by mail or online—assuming that the consumer notices an error to begin with. It’s not clear how widespread such errors are, but a nationwide study by the Federal Trade Commission in 2012 confirmed errors on at least 20 percent of the consumer credit reports it chose at random. In 2015, Equifax and the other two giant credit reporting firms, Experian and TransUnion, signed a $6 million settlement with 30 states promising to do a better job investigating and resolving consumer complaints.
Consumers should also be aware that the Equifax Work Number specialty report is not the same as Equifax’s free annual credit report, which is available at AnnualCreditReport.com. Others may also have your employment data: The Consumer Financial Protection Bureau estimates there are at least 400 other specialty consumer reporting agencies operating in America, with dozens focused on employment screening.
Despite its privacy-probation status, Facebook, Inc. shouldn’t fear additional punishment from the FTC for sending its employees’ data to Equifax. As it turns out, the FTC itself is an Equifax client and regularly sends wage and work information about its attorneys and staff members to the Work Number database too.
Joel Winston (@joelwinston) is a privacy lawyer. He also provides data protection and regulatory compliance counsel to people and companies.
With additional reporting by Alex Pasternack (@pasternack).